rusty-rich 0.4.2

Rich text and beautiful formatting in the terminal — a Rust port of Python's Rich library
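name: Security Audit

# Triggers: changes to the dependency manifests or to this workflow on the
# main branches, pull requests touching the same files, and a weekly run so
# advisories published after the last commit are still picked up.
# NOTE(review): the paths filters apply to every job, including CodeQL, so a
# change that only touches source files is not analysed until the next
# scheduled run. Confirm that is intended.
on:
  push:
    branches: [main, master]
    paths:
      - "Cargo.toml"
      - "Cargo.lock"
      - ".github/workflows/security-audit.yml"
  pull_request:
    branches: [main, master]
    paths:
      - "Cargo.toml"
      - "Cargo.lock"
      - ".github/workflows/security-audit.yml"
  schedule:
    # Run at 07:17 UTC every Monday (off-peak, randomized minute)
    - cron: "17 7 * * 1"

# Default-deny for GITHUB_TOKEN. Every job below declares the scopes it
# needs; a job added later without its own permissions block gets none
# instead of the repository default.
permissions: {}

env:
  CARGO_TERM_COLOR: always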

jobs:
  # ── cargo-audit: RustSec advisory DB check ─────────────────────
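  cargo-audit:
    name: cargo-audit
    runs-on: ubuntu-latest
    # Least privilege: the job reads the repository and reports through its
    # exit status. No step uploads code-scanning results, so
    # security-events: write is not requested.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Do not persist the GITHUB_TOKEN for git after checkout; the
          # following steps download, build and run third-party code.
          persist-credentials: false

      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # v1
        with:
          toolchain: stable

      # NOTE(review): --locked pins cargo-audit's own dependency versions,
      # not the tool itself; each run installs whatever release is current.
      # Consider adding --version <PINNED_VERSION> so the audited tool is
      # reviewed like the pinned actions above.
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      # --deny warnings turns warning-class findings into a failing exit
      # status, in addition to vulnerabilities.
      - name: Run cargo-audit
        run: cargo audit --deny warnings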

  # ── cargo-deny: license + duplicate + source check ─────────────
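  cargo-deny:
    name: cargo-deny
    runs-on: ubuntu-latest
    # Read-only token: cargo-deny only inspects the manifests and lockfile.
    permissions:
      contents: read
    strategy:
      # Let both matrix legs finish. With the default fail-fast behaviour a
      # failing advisories leg cancels the bans/licenses/sources leg and
      # hides its findings.
      fail-fast: false
      matrix:
        # Each entry is passed verbatim to `cargo deny check`, so advisories
        # are reported separately from policy checks.
        checks:
          - advisories
          - bans licenses sources
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Do not persist the GITHUB_TOKEN for git after checkout; no later
          # step needs to talk to the repository.
          persist-credentials: false

      - uses: EmbarkStudios/cargo-deny-action@e9b17bf604a44f8b1e60a02f5e63242027a3546c # v2.0.12
        with:
          command: check ${{ matrix.checks }}
          arguments: --all-features
          rust-version: stable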

  # ── CodeQL analysis ───────────────────────────────────────────
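  codeql:
    name: CodeQL
    runs-on: ubuntu-latest
    # security-events: write is what lets the analyze step upload results.
    # NOTE(review): actions: read is, as far as I know, only required for
    # private repositories; confirm whether it is needed here.
    permissions:
      contents: read
      security-events: write
      actions: read
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Do not persist the GITHUB_TOKEN for git after checkout. The Build
          # step below runs build scripts from the checked-out tree and its
          # dependencies while this job holds security-events: write.
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
        with:
          languages: rust
          # NOTE(review): security-and-quality is documented as a superset of
          # security-extended, so listing both looks redundant; verify.
          queries: security-extended,security-and-quality

      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # v1
        with:
          toolchain: stable

      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1

      - name: Build
        run: cargo build

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
        with:
          # Category label attached to the uploaded results.
          category: "/language:rust"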

  # ── Dependency review (PRs only) ───────────────────────────────
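  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    # The review compares the base and head of a pull request, so it is
    # skipped for push and schedule events.
    if: github.event_name == 'pull_request'
    # Read-only token. pull-requests: write is only needed when the action's
    # comment-summary-in-pr input is enabled, which this job does not do;
    # add the scope back together with that input if PR comments are wanted.
    permissions:
      contents: read
    steps:
      # Same commit pin as the other jobs in this workflow, instead of the
      # mutable v4 tag.
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Do not persist the GITHUB_TOKEN for git after checkout.
          persist-credentials: false

      # NOTE(review): this is the only action in the workflow still
      # referenced by a mutable tag. Pin it to a full commit SHA like the
      # others, e.g. actions/dependency-review-action@<FULL_COMMIT_SHA>
      # with the release noted in a trailing comment.
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check only for high severity findings and above.
          fail-on-severity: high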