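---
# Per-change and weekly security scan of this repository with hf-security-scanner.
# Findings are uploaded as SARIF to GitHub Code Scanning and summarised on PRs.
name: Security Scan

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run weekly on Monday at 08:00 UTC
    - cron: "0 8 * * 1"

jobs:
  scan:
    name: HF Security Scan
    runs-on: ubuntu-latest
    # Least-privilege token: once any scope is declared here, every scope
    # that is not listed is set to "none", so each scope a step needs must
    # appear explicitly.
    permissions:
      # Required by actions/checkout to read the repository contents
      contents: read
      # Required for uploading SARIF to GitHub Code Scanning
      security-events: write
      # Required for posting PR comments. Note that on pull requests opened
      # from forks the token is read-only, so the comment step cannot post there.
      pull-requests: write
      # On a private repository the SARIF upload may additionally need
      # `actions: read`; confirm against the action's documentation.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # ── Run hf-security-scanner ───────────────────────────────────────────
      # NOTE(review): "@main" is a mutable ref, so the action code executed here
      # can change without any change to this workflow. Pin to a release tag or
      # a full commit SHA (e.g. "@<commit-sha>") once one is available.
      - name: Scan for vulnerabilities
        uses: Chris4K/autoscan/.github/actions/scan@main
        with:
          path: "."
          categories: "security,llm,performance"
          severity-threshold: "WARNING"
          # Action inputs are always strings, so booleans are quoted on purpose
          upload-sarif: "true"
          comment-pr: "true"  # posts a summary on PRs
          # hf-token: ${{ secrets.HF_TOKEN }}  # uncomment for private spaces

      # ── (Optional) Fail fast on ERRORs while reporting WARNINGs ───────────
      # - name: Fail on high-severity findings
      #   uses: Chris4K/autoscan/.github/actions/scan@main
      #   with:
      #     path: "."
      #     severity-threshold: "ERROR"
      #     upload-sarif: "false"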