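---
# Static analysis of the repository's Python sources with Bandit. Results are
# written as SARIF and uploaded to GitHub code scanning so findings show up in
# the repository's Security tab.
name: Bandit

# yamllint disable-line rule:truthy
on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    # Weekly scan (Thursday 13:40 UTC) so newly added Bandit checks are
    # applied even when the branch is quiet.
    - cron: "40 13 * * 4"

# Least-privilege token: read the checkout, write code-scanning results, and
# read workflow-run metadata (upload-sarif needs this on private repositories).
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are pinned to a major tag. Pinning to
      # a full commit SHA (taken from each action's release page) protects the
      # job against a moved or compromised tag.
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Install Bandit
        # Quoted so the shell never treats the extras bracket as a glob.
        run: python -m pip install --upgrade 'bandit[toml]'

      - name: Run Bandit
        # Bandit exits non-zero when it reports findings, so this step fails
        # the job on any reported issue; the SARIF file is still produced.
        # The exclude list is quoted so the shell does not expand `*.egg`
        # against the checkout before Bandit sees it.
        run: |
          bandit -r . \
            -f sarif \
            -o bandit.sarif \
            --exclude '.git,__pycache__,.tox,.eggs,*.egg'

      - name: Upload SARIF
        # always() so findings reach code scanning even when the scan step
        # failed because of them.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: bandit.sarif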