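# Dependency and security-test audit for the repository.
# Runs weekly, on manual dispatch, and on pushes to main/develop.
name: Security Audit

on:
  schedule:
    # Run weekly on Monday
    - cron: '0 0 * * 1'
  workflow_dispatch:
  push:
    branches: [main, develop]

# Least privilege: the job only reads the repository, so the default
# GITHUB_TOKEN is restricted to read-only access to contents.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by mutable version
      # tags. Pinning each one to a full commit SHA protects the workflow
      # against a retargeted tag.
      - uses: actions/checkout@v3

      - uses: pnpm/action-setup@v2
        with:
          version: 9

      - uses: actions/setup-node@v3
        with:
          node-version: '18'
          cache: 'pnpm'

      # Install exactly what the lockfile records, so the audit covers the
      # dependency tree that is committed, not a freshly resolved one.
      - run: pnpm install --frozen-lockfile

      # Fails the job when an advisory of moderate severity or higher exists.
      - name: Run npm audit
        run: pnpm audit --audit-level=moderate

      - name: Run security tests
        run: pnpm test:security

      # Writes the full JSON report and fails on pnpm's own exit status.
      # The earlier check tested whether audit-results.json was non-empty,
      # but the JSON report is written even when nothing is found, so the
      # step failed on every run. No --audit-level is given here, so pnpm's
      # default threshold applies.
      # NOTE(review): audit-results.json stays on the runner and is lost when
      # the job ends; upload it as an artifact if it must be reviewed later.
      - name: Check for known vulnerabilities
        run: |
          if ! pnpm audit --json > audit-results.json; then
            echo "pnpm audit reported vulnerabilities or failed. Review audit-results.json"
            exit 1
          fi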