# DeBros canonical security CI workflow (orama-specific).
#
# Runs supply-chain + vulnerability checks per the DeBros baseline rules.
# Triggers on main pushes/PRs and weekly to catch newly-published CVEs.
#
# See: https://github.com/DeBrosDAO/rules/blob/main/DEBROS.md

name: security

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    # Weekly scan even on quiet weeks — catches newly-published CVEs
    # in existing dependencies.
    - cron: "0 8 * * 1"

permissions:
  contents: read

jobs:
  # ------------------------------------------------------------------
  # JavaScript / TypeScript (sdk/)
  # ------------------------------------------------------------------
  npm-audit:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: sdk
    steps:
      - uses: actions/checkout@v4

      - name: Verify lockfile committed
        run: |
          if [ ! -f pnpm-lock.yaml ]; then
            echo "::error::sdk/pnpm-lock.yaml must be committed (DEBROS.md §1.2)"
            exit 1
          fi

      - name: Verify .npmrc blocks install scripts
        run: |
          if ! grep -q '^ignore-scripts=true' .npmrc 2>/dev/null; then
            echo "::error::sdk/.npmrc must contain 'ignore-scripts=true' (DEBROS.md §1.3)"
            exit 1
          fi

      - uses: pnpm/action-setup@v4
        with:
          version: 9

      - uses: actions/setup-node@v4
        with:
          node-version-file: ".nvmrc"
          cache: pnpm
          cache-dependency-path: sdk/pnpm-lock.yaml

      - name: Install (frozen lockfile, no scripts)
        run: pnpm install --frozen-lockfile --ignore-scripts

      - name: Audit production deps
        run: pnpm audit --prod --audit-level=high

  # ------------------------------------------------------------------
  # Go (core/)
  # ------------------------------------------------------------------
  go-vuln:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: core
    steps:
      - uses: actions/checkout@v4

      - name: Verify go.sum committed
        run: |
          if [ ! -f go.sum ]; then
            echo "::error::core/go.sum must be committed (DEBROS.md §1.2)"
            exit 1
          fi

      - uses: actions/setup-go@v5
        with:
          go-version-file: core/go.mod
          cache-dependency-path: core/go.sum

      - name: Verify modules
        run: go mod verify

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Run govulncheck
        run: govulncheck ./...