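---
# Dependency vulnerability scanning with Safety and pip-audit, run on pushes to
# main/develop, on pull requests against main, and on a daily schedule.
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    # Run security scan daily at 2 AM UTC
    - cron: '0 2 * * *'

# Least privilege: the job only checks out the repository and uploads
# artifacts, so the default read/write GITHUB_TOKEN is wider than needed.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are pinned by major tag; pinning each to a full
      # commit SHA would protect the pipeline against a moved or hijacked tag.
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install uv
        uses: astral-sh/setup-uv@v1
        with:
          # "latest" is not reproducible; pin a uv version if scans must be
          # repeatable across runs.
          version: "latest"

      - name: Install dependencies
        run: |
          uv sync --dev

      # Both scanners exit non-zero when they find vulnerabilities (or when the
      # tool itself fails to run). `continue-on-error` keeps the job going so
      # both reports are still produced and uploaded, but — unlike the previous
      # `|| true` — the step is recorded as failed, so findings and tooling
      # errors are visible in the run summary instead of being silently masked.
      - name: Run Safety scan
        continue-on-error: true
        run: |
          uv run safety check --policy-file .safety-policy.json --output json > safety-report.json

      - name: Run pip-audit
        continue-on-error: true
        run: |
          uv run pip-audit --format=json --output pip-audit-report.json

      # Echo the raw JSON reports into the job log; each file is optional
      # because a scanner may have failed before writing its output.
      - name: Display Security Results
        run: |
          echo "=== Safety Report ==="
          if [ -f safety-report.json ]; then
            cat safety-report.json
          fi
          echo ""
          echo "=== Pip-Audit Report ==="
          if [ -f pip-audit-report.json ]; then
            cat pip-audit-report.json
          fi

      # upload-artifact@v3 is deprecated and no longer accepted by GitHub; v4
      # is the supported release. `always()` ensures partial reports are kept
      # even when an earlier step failed.
      - name: Upload Security Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-reports
          path: |
            safety-report.json
            pip-audit-report.json
          retention-days: 30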