name: Security Scan

on:
  push:
    branches:
      - main
    paths:
      - '**.go'
      - 'go.mod'
      - 'go.sum'
  pull_request:
    paths:
      - '**.go'
      - 'go.mod'
      - 'go.sum'
  schedule:
    # Run weekly on Monday at 9:00 UTC
    - cron: '0 9 * * 1'

permissions:
  contents: read

jobs:
  govulncheck:
    name: Run govulncheck
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.25'
          cache: true

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Run govulncheck
        run: govulncheck ./...