name: Sec Audit

on:
    push:
        branches: [main]
    pull_request:
        branches: [main]
    schedule:
        - cron: "0 6 * * 1" # Weekly on Monday 6am UTC

concurrency:
    group: security-${{ github.event.pull_request.number || github.ref }}
    cancel-in-progress: true

permissions:
    contents: read
    security-events: write
    actions: read
    checks: write

env:
    CARGO_TERM_COLOR: always

jobs:
    audit:
        name: Security Audit
        runs-on: blacksmith-2vcpu-ubuntu-2404
        timeout-minutes: 20
        steps:
            - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

            - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
              with:
                  token: ${{ secrets.GITHUB_TOKEN }}

    deny:
        name: License & Supply Chain
        runs-on: blacksmith-2vcpu-ubuntu-2404
        timeout-minutes: 20
        steps:
            - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

            - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2
              with:
                  command: check advisories licenses sources