tiny-update-check 1.1.2

name: Security Audit
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * *' # Daily at midnight UTC

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  changes:
    name: Detect changes
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read
    outputs:
      deps: ${{ github.event_name != 'pull_request' || steps.filter.outputs.deps == 'true' }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6.0.2
      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # ratchet:dorny/paths-filter@v3
        if: github.event_name == 'pull_request'
        id: filter
        with:
          filters: |
            deps:
              - 'Cargo.toml'
              - 'Cargo.lock'
              - 'deny.toml'

  audit:
    name: Security Audit
    needs: [changes]
    if: needs.changes.outputs.deps == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6.0.2
      - uses: tylerbutler/actions/install-tools@c4c45a8284082163bc58623acfc4b3dc98633c3d # ratchet:tylerbutler/actions/install-tools@main
        with:
          tools: cargo-audit,cargo-deny
      - name: Run cargo audit
        run: cargo audit
      - name: Run cargo deny (advisories)
        run: cargo deny check advisories
        continue-on-error: true  # advisory DB may contain unsupported CVSS formats
      - name: Run cargo deny (licenses, bans, sources)
        run: cargo deny check licenses bans sources