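---
# SCA workflow: audits the locked Python dependencies with pip-audit.
# Runs on every push to main/develop and on pull requests into main.
name: SCA - pip-audit

# `on` is a YAML 1.1 truthy key; the Actions loader handles it, generic
# parsers may read the key as `true`.
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    steps:
      # A manual clone is used instead of actions/checkout (presumably because
      # the runner has no route to github.com — verify). The token is handed
      # to the script through the environment, not interpolated into the
      # script text, so the secret is never part of the shell source.
      - name: Checkout code
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          REPO: ${{ gitea.repository }}
          SHA: ${{ gitea.sha }}
        run: |
          rm -rf repo
          git clone "https://oauth2:${GITEA_TOKEN}@git.akarkode.com/${REPO}.git" repo
          cd repo
          git checkout "${SHA}"
          # The clone wrote the token into repo/.git/config as the origin URL.
          # Strip it so the credential does not persist on a reused runner or
          # travel with anything built from this checkout.
          git remote set-url origin "https://git.akarkode.com/${REPO}.git"

      # Installs the newest pip-audit on every run. For a reproducible scan,
      # pin it, e.g. `pip3 install "pip-audit==<PINNED_VERSION>"` (placeholder;
      # choose the version you have validated).
      - name: Install pip-audit
        run: pip3 install pip-audit

      # Informational pass: prints every finding; `|| true` keeps this step
      # green on purpose so the full report is always visible in the log.
      # NOTE(review): `-r` takes requirements-format input; confirm that the
      # installed pip-audit accepts a Pipfile.lock here, otherwise export the
      # lock to a requirements file first.
      - name: Run pip-audit scan
        run: |
          cd repo
          pip-audit -r Pipfile.lock || true

      # Gating pass: the job fails on findings at or above the given severity.
      # NOTE(review): verify that the installed pip-audit release accepts
      # `--fail-on-severity`; if the flag is rejected, the step fails for the
      # wrong reason and no audit is performed.
      - name: Fail on HIGH/CRITICAL
        run: |
          cd repo
          pip-audit -r Pipfile.lock --fail-on-severity high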