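---
# Security scanning workflow: bandit (static analysis of src/), safety and
# pip-audit (known-vulnerability checks of the resolved dependencies). Every
# JSON report is uploaded as an artifact.
#
# Scanner steps use continue-on-error so that each report is still produced
# and uploaded; a final gate step then fails the job when a scanner exited
# non-zero, so findings cannot be silently ignored (the original version of
# this workflow never failed, whatever the scanners found).
#
# NOTE(review): action references are mutable tags (`@v4`, `@v3`). Pinning
# each to a full commit SHA protects against a moved or compromised tag —
# confirm the project's policy before changing the references.
name: Security Scan

on:
  push:
    branches: ["main", "master", "develop"]
  pull_request:
    branches: ["main", "master"]
  schedule:
    # Run security scan weekly on Sundays at 2 AM UTC
    - cron: '0 2 * * 0'

# Least privilege: the jobs only read the repository and upload artifacts,
# which does not require a writable GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    # Bound a hung scanner or package install instead of consuming the default
    # six-hour job limit.
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          # "latest" is not reproducible; pin to a release for stable scans.
          version: "latest"

      - name: Set up Python
        run: uv python install 3.11

      - name: Install dependencies
        run: uv sync --extra security

      - name: Run bandit security linter
        id: bandit
        # A non-zero exit (findings) is recorded in steps.bandit.outcome and
        # evaluated by the gate step at the end of the job.
        run: uv run bandit -r src/ -f json -o bandit-report.json
        continue-on-error: true

      - name: Run safety vulnerability check
        id: safety
        run: uv run safety check --json --save-json safety-report.json
        continue-on-error: true

      - name: Upload security reports
        # always(): keep whatever reports exist even if an earlier step failed.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: |
            bandit-report.json
            safety-report.json

      - name: Fail if a scanner reported findings
        # Outcomes are the step results ('success'/'failure'), not scanner
        # output, so they are safe to interpolate into the shell line.
        if: steps.bandit.outcome == 'failure' || steps.safety.outcome == 'failure'
        run: |
          echo "::error::bandit=${{ steps.bandit.outcome }} safety=${{ steps.safety.outcome }}; see the security-reports artifact"
          exit 1

  dependency-check:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          # "latest" is not reproducible; pin to a release for stable scans.
          version: "latest"

      - name: Set up Python
        run: uv python install 3.11

      - name: Check for dependency vulnerabilities
        id: pip_audit
        # Both the sync and the audit are covered by the same outcome: a failed
        # install would otherwise mask an audit that never ran.
        run: |
          uv sync --extra security
          uv run pip-audit --format=json --output=pip-audit-report.json
        continue-on-error: true

      - name: Upload dependency audit report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-audit
          path: pip-audit-report.json

      - name: Fail if pip-audit reported vulnerabilities
        if: steps.pip_audit.outcome == 'failure'
        run: |
          echo "::error::pip-audit outcome=${{ steps.pip_audit.outcome }}; see the dependency-audit artifact"
          exit 1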