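---
# SCA workflow: audit the locked Python dependency set with pip-audit.
# Step "Checkout code" clones the repository with a token, "Run pip-audit scan"
# is informational, and "Fail on HIGH/CRITICAL" is the gate that fails the job.
name: SCA - pip-audit

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - name: Install system deps
        # No sudo: the runner image is assumed to execute this job as root.
        run: apt-get update -qq && apt-get install -y -qq git

      - name: Checkout code
        # Forge-provided values are passed through env rather than interpolated
        # into the script text, so the shell never parses them as code.
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          REPO: ${{ gitea.repository }}
          SHA: ${{ gitea.sha }}
        run: |
          set -euo pipefail
          rm -rf repo
          git clone "https://oauth2:${GITEA_TOKEN}@git.akarkode.com/${REPO}.git" repo
          # git clone persists the full remote URL, token included, in
          # repo/.git/config. Replace it with the anonymous URL so the token
          # does not outlive this step on disk or show up in `git remote -v`.
          git -C repo remote set-url origin "https://git.akarkode.com/${REPO}.git"
          git -C repo checkout "${SHA}"

      - name: Install pip-audit
        # TODO(review): pin pip-audit to a known version (ideally with
        # --require-hashes) so the scanner itself is not an unpinned
        # supply-chain dependency that can change underneath the gate.
        run: pip install pip-audit

      - name: Run pip-audit scan
        # Informational only: `|| true` keeps the full findings in the log even
        # when the gate below fails the job.
        # NOTE(review): pip-audit's -r takes a pip requirements file and
        # Pipfile.lock is JSON — confirm it is actually parsed here; otherwise
        # this step scans nothing and the `|| true` hides the parse error.
        run: pip-audit -r repo/Pipfile.lock || true

      - name: Fail on HIGH/CRITICAL
        # The gate: a non-zero exit here fails the job.
        # NOTE(review): confirm the installed pip-audit version accepts
        # --severity/--fail-on-severity. If argparse rejects them this step
        # fails on every run regardless of findings — fail-closed, but easy
        # to "fix" with `|| true`, which would silently remove the gate.
        run: pip-audit -r repo/Pipfile.lock --severity high --fail-on-severity high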