pezkuwi-sdk/.github/workflows/security-audit.yml

name: Security Audit

on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
  # Run weekly on Monday at 06:00 UTC
  schedule:
    - cron: "0 6 * * 1"

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  isdraft:
    # Skip draft PRs but always run on schedule/push
    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
    runs-on: ubuntu-latest
    steps:
      - run: echo "Not a draft"

  cargo-deny:
    needs: isdraft
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # Informational: surfaces issues without blocking CI.
    # Remove continue-on-error once all findings are addressed.
    continue-on-error: true
    strategy:
      matrix:
        checks:
          - advisories
          - licenses
          - sources
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15
        with:
          command: check ${{ matrix.checks }}

  cargo-audit:
    needs: isdraft
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # Informational: surfaces vulnerabilities without blocking CI.
    # Remove continue-on-error once all advisories are resolved or ignored.
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked
      - name: Run cargo audit
        run: |
          echo "## Cargo Audit Results" >> $GITHUB_STEP_SUMMARY
          cargo audit 2>&1 | tee audit-output.txt
          RESULT=${PIPESTATUS[0]}
          if [ $RESULT -ne 0 ]; then
            echo "### Vulnerabilities found" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
            # Truncate output to avoid GITHUB_STEP_SUMMARY 1MB limit
            head -500 audit-output.txt >> $GITHUB_STEP_SUMMARY
            if [ "$(wc -l < audit-output.txt)" -gt 500 ]; then
              echo "... (truncated, see full output in job logs)" >> $GITHUB_STEP_SUMMARY
            fi
            echo '```' >> $GITHUB_STEP_SUMMARY
            exit $RESULT
          else
            echo "### No vulnerabilities found" >> $GITHUB_STEP_SUMMARY
          fi

  confirm-security-audit-passed:
    runs-on: ubuntu-latest
    name: Security audit summary
    needs: [cargo-deny, cargo-audit]
    if: always() && !cancelled()
    steps:
      - run: |
          tee resultfile <<< '${{ toJSON(needs) }}'
          FAILURES=$(cat resultfile | grep '"result": "failure"' | wc -l)
          if [ $FAILURES -gt 0 ]; then
            echo "### Security audit found issues - review needed" >> $GITHUB_STEP_SUMMARY
            echo "Note: Security audit is currently informational (continue-on-error)." >> $GITHUB_STEP_SUMMARY
            echo "Review the cargo-deny and cargo-audit job outputs for details." >> $GITHUB_STEP_SUMMARY
          else
            echo '### All security audits passed' >> $GITHUB_STEP_SUMMARY
          fi