timemaster/.gitea/workflows/security.yml

name: Security Audit

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'  # Jeden Montag 06:00 UTC

jobs:
  pip-audit:
    name: Python Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install pip-audit
        run: pip install pip-audit

      - name: Run pip-audit
        run: |
          cd backend
          pip-audit -r requirements.txt --format json --output pip-audit-report.json || true
          pip-audit -r requirements.txt
        continue-on-error: true  # Nicht blockieren, aber anzeigen

      - name: Upload audit report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pip-audit-report
          path: backend/pip-audit-report.json
          if-no-files-found: ignore

  npm-audit:
    name: Node.js Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Run npm audit
        run: |
          cd frontend
          npm audit --audit-level=high || true
        continue-on-error: true