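# Security scans migrated from .gitea/workflows/scan.yml.
#
# Pinned first-party actions (bump tag and SHA together when upgrading):
#   actions/checkout@v6.0.1      8e8c483db84b4bee98b60c0593521ed34d9990e8
#   actions/setup-python@v6.2.0  a309ff8b426b58ec0e2a45f0f869d46889d02405
#   actions/setup-node@v6.1.0    395ad3262231945c25e8478fd5baf05154b1d79f
#   actions/cache@v4.2.0         1bd1e32a3bdc45362d1e726936510720a7c30a57
#
# FIXME: CVE-2026-3219 affects pip through 26.0.1; waiting for the next pip
# release to fix it, so the pip-audit step ignores that advisory for now.

name: Security scans

# NOTE: `on` is read as a boolean key by YAML 1.1 loaders (yamllint "truthy");
# GitHub's own parser handles it, so it is left unquoted as is conventional.
on:
  # Weekly run so newly published advisories are caught without a push.
  schedule:
    - cron: "30 12 * * 1"
  push:
    branches:
      - master
      - dev
  workflow_dispatch:

# Workflow-wide token scope: read-only, nothing here needs to write.
permissions:
  contents: read

# One active run per workflow/ref; a newer push cancels the superseded scan.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Action env values are always strings; quoted so no loader retypes it.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
  # Version strings are quoted so "3.14"/"24" are never parsed as numbers.
  PYTHON_VERSION: "3.14"
  NODE_VERSION: "24"
  POETRY_VERSION: "2.3.4"
  PNPM_VERSION: "10.32.1"
  # Trivy is fetched from a commit-pinned URL and verified against this
  # SHA-256; presumably consumed by scripts/ci/setup-trivy.sh (outside this
  # file) — bump URL and digest together.
  TRIVY_DEB_URL: "https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb"
  TRIVY_DEB_SHA256: "a484057aafde31089cf2558ca0f79a4bc835125a5ee6834183a5bcf0735af358"

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 45
    # Repeated at job level so the job stays read-only even if the
    # workflow-level default is later relaxed.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install Poetry (PyPI pin)
        env:
          POETRY_VERSION: ${{ env.POETRY_VERSION }}
        run: bash scripts/ci/github-install-poetry.sh

      - name: Cache Poetry downloads
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
        with:
          path: ~/.cache/pypoetry
          key: ${{ runner.os }}-pypoetry-${{ hashFiles('poetry.lock') }}
          restore-keys: |
            ${{ runner.os }}-pypoetry-

      # Must run before setup-node so its `cache: pnpm` finds pnpm on PATH.
      - name: Enable pnpm (corepack)
        run: corepack enable && corepack prepare "pnpm@${PNPM_VERSION}" --activate

      - name: Set up Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml

      - name: Install dependencies
        run: bash scripts/ci/github-install-deps.sh

      # pip-audit itself is installed unpinned from PyPI at run time — the
      # only unpinned tool in this workflow; pin it once a version is chosen.
      # The ignored advisory is the pip CVE described in the FIXME above.
      - name: pip-audit
        run: |
          poetry run pip install --upgrade "pip>=26.0" pip-audit
          poetry run pip-audit --ignore-vuln CVE-2026-3219

      - name: Apt update (for Trivy .deb)
        run: sh scripts/ci/exec-priv.sh apt-get update -qq

      - name: Setup Trivy
        run: sh scripts/ci/setup-trivy.sh

      - name: Trivy filesystem scan (dependencies)
        run: sh scripts/ci/trivy-fs-scan.sh

      # Fails the job on any Dockerfile misconfiguration finding.
      - name: Trivy Dockerfile misconfiguration
        run: trivy config --exit-code 1 Dockerfile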