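# Software composition analysis for the project's Python dependencies.
# Runs pip-audit on pushes to main/develop and on pull requests into main,
# gates the job on the audit result and uploads the JSON report.
name: SCA - pip-audit

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: the job only reads the repository.
# Artifact upload does not depend on these token scopes.
permissions:
  contents: read

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions are referenced by a mutable major tag.
      # Pinning each to a full commit SHA makes the workflow reproducible
      # and immune to a re-pointed tag.
      - uses: actions/checkout@v4
        with:
          # Later steps install and run third-party packages; do not leave
          # the token in .git/config where they could read it.
          persist-credentials: false

      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      # NOTE(review): pipenv and pip-audit are installed unpinned, so the
      # scanner itself can change between runs. Consider pinning versions.
      - name: Install tools
        run: pip install pipenv pip-audit

      # --deploy aborts when Pipfile.lock is out of date, so the audit
      # covers the locked dependency set.
      - name: Install dependencies
        run: pipenv install --deploy

      # Report-only pass. `|| true` keeps the job going when findings exist,
      # but it also hides a crashed or misconfigured scan; the upload step
      # below fails if no report was written.
      # NOTE(review): pip-audit is installed outside the pipenv virtualenv.
      # Confirm the report lists the project's packages and not those of the
      # runner's interpreter.
      - name: Run pip-audit scan
        run: pipenv run pip-audit --format json -o pip-audit-report.json || true

      # Gate step.
      # NOTE(review): --fail-on-severity is not among the pip-audit options
      # I know of; verify with `pip-audit --help` for the installed version.
      # If the flag is rejected, this step fails on every run with a usage
      # error instead of failing on findings. Without the flag, pip-audit
      # exits non-zero on any reported vulnerability.
      - name: Fail on HIGH/CRITICAL
        run: pipenv run pip-audit --fail-on-severity high

      # always() keeps the report available when the gate step fails.
      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pip-audit-report
          path: pip-audit-report.json
          # A missing report means the scan did not run to completion;
          # surface that instead of uploading nothing with a warning.
          if-no-files-found: error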