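---
# Software-composition-analysis workflow: audits the locked Python
# dependencies with pip-audit on pushes to main/develop and on pull
# requests targeting main.
name: SCA - pip-audit

# NOTE(review): the checkout step below uses secrets.GITEA_TOKEN on
# pull_request runs; confirm the runner does not hand that secret to
# pull requests opened from forks.
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      # Manual clone over HTTPS with GITEA_TOKEN, then pinned to the commit
      # under test (no checkout action is used).
      - name: Checkout code
        env:
          # Workflow expressions are passed through the environment instead of
          # being interpolated into the script, so the shell never parses
          # their contents.
          CLONE_TOKEN: ${{ secrets.GITEA_TOKEN }}
          REPO: ${{ gitea.repository }}
          SHA: ${{ gitea.sha }}
        run: |
          set -euo pipefail
          git clone "https://oauth2:${CLONE_TOKEN}@git.akarkode.com/${REPO}.git" repo
          cd repo
          # The token is otherwise persisted in .git/config as the origin URL,
          # where any later step, artifact or cache upload of the tree could
          # leak it; rewrite the remote without credentials.
          git remote set-url origin "https://git.akarkode.com/${REPO}.git"
          # NOTE(review): on pull_request events confirm gitea.sha resolves to
          # a commit reachable from a plain clone of the repository.
          git checkout "${SHA}"

      # TODO(review): pin pip-audit (exact version, ideally with
      # --require-hashes) so the scanner itself is not an unpinned
      # supply-chain input.
      - name: Install pip-audit
        run: pip3 install pip-audit

      # Informational pass: prints every finding but never fails the job.
      # NOTE(review): pip-audit's -r expects requirements-file syntax; confirm
      # it accepts Pipfile.lock, otherwise export the lock first
      # (e.g. `pipenv requirements > requirements.txt`) and audit that.
      - name: Run pip-audit scan
        working-directory: repo
        run: |
          pip-audit -r Pipfile.lock || true

      # Gating pass: this step's exit status decides the job.
      # NOTE(review): confirm --fail-on-severity is accepted by the installed
      # pip-audit release; an unknown flag fails this step for the wrong
      # reason and would look like a vulnerability finding.
      - name: Fail on HIGH/CRITICAL
        working-directory: repo
        run: pip-audit -r Pipfile.lock --fail-on-severity high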