zeroclaw/.github/workflows/security.yml

name: Security Audit

on:
    push:
        branches: [main]
    pull_request:
        branches: [main]
    schedule:
        - cron: "0 6 * * 1" # Weekly on Monday 6am UTC

concurrency:
    group: security-${{ github.event.pull_request.number || github.ref }}
    cancel-in-progress: true

permissions:
    contents: read

env:
    CARGO_TERM_COLOR: always

jobs:
    audit:
        name: Security Audit
        runs-on: ${{ github.event_name != 'pull_request' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }}
        timeout-minutes: 20
        steps:
            - uses: actions/checkout@v4

            - uses: dtolnay/rust-toolchain@stable
            - uses: Swatinem/rust-cache@v2

            - name: Install cargo-audit
              run: cargo install --locked cargo-audit --version 0.22.1

            - name: Run cargo-audit
              run: cargo audit

    deny:
        name: License & Supply Chain
        runs-on: ${{ github.event_name != 'pull_request' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }}
        timeout-minutes: 20
        steps:
            - uses: actions/checkout@v4

            - uses: EmbarkStudios/cargo-deny-action@v2
              with:
                  command: check advisories licenses sources