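---
# Security scanning workflow: CodeQL static analysis for the Python backend and
# the JavaScript/TypeScript front-ends, dependency vulnerability audits
# (pip-audit, npm audit) and secret scanning (TruffleHog).
#
# NOTE(review): every third-party action is referenced by a floating ref
# (@v4, @v5, @v3, @main). Pinning each `uses:` to a full commit SHA means an
# upstream tag move cannot change what runs in this repository's CI; the
# trufflehog reference below is the most exposed because `main` is a branch,
# not a release.
name: Security Scanning

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run weekly on Monday at 00:00 UTC
    - cron: '0 0 * * 1'
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN in every job. Without this the audit
# and secret-scan jobs inherit the repository-level default, which may be
# write-all. Jobs that need more (CodeQL must upload SARIF) declare their own
# `permissions:` block, which replaces this default for that job only.
permissions:
  contents: read

jobs:
  # ===========================================
  # CODEQL ANALYSIS
  # ===========================================
  codeql-backend:
    name: CodeQL (Python)
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # needed to upload the SARIF results
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python
          # Extended query pack: security queries plus code-quality queries.
          queries: security-and-quality

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per language so both uploads coexist on one commit.
          category: "/language:python"

  codeql-frontend:
    name: CodeQL (JavaScript/TypeScript)
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # needed to upload the SARIF results
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Presumably the front-end code lives in git submodules (the npm
          # jobs below also check them out recursively) — verify.
          submodules: recursive

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-and-quality

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"

  # ===========================================
  # DEPENDENCY VULNERABILITY SCANNING
  # ===========================================
  pip-audit:
    name: Python Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install pip-audit
        run: pip install pip-audit

      - name: Run pip-audit
        # --no-deps audits only the packages listed in requirements.txt and
        # does not resolve their dependency trees, so transitive packages are
        # covered only where requirements.txt pins them explicitly.
        run: pip-audit --requirement requirements.txt --format=json --no-deps
        # Advisory only: findings are logged but never fail the workflow.
        # Drop this line to make known vulnerabilities block the build.
        continue-on-error: true

  npm-audit-web:
    name: NPM Audit (Web Client)
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: swingmusic-webclient
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        # `npm ci` installs exactly what the lockfile describes. The fallback
        # to `npm install` re-resolves dependencies (and may rewrite the
        # lockfile), so in that case the audited tree can differ from the
        # committed lockfile.
        run: npm ci || npm install

      - name: Run npm audit
        # Exit non-zero for moderate or higher advisories ...
        run: npm audit --audit-level=moderate
        # ... but the job still passes: advisory only, same as pip-audit above.
        continue-on-error: true

  npm-audit-desktop:
    name: NPM Audit (Desktop)
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: swingmusic-desktop
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        # See npm-audit-web: the `npm install` fallback may audit a tree that
        # differs from the committed lockfile.
        run: npm ci || npm install

      - name: Run npm audit
        run: npm audit --audit-level=moderate
        # Advisory only; findings never fail the workflow.
        continue-on-error: true

  # ===========================================
  # SECRET SCANNING
  # ===========================================
  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so TruffleHog can scan a commit range, not just HEAD.
          fetch-depth: 0

      - name: TruffleHog OSS
        # NOTE(review): `main` is a moving branch of a tool that reads the whole
        # repository history; pin to a release tag or commit SHA so an upstream
        # change cannot silently alter what scans this repository.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # Start of the commit range to scan. NOTE(review): on a push to the
          # default branch itself, and on the weekly scheduled run, base and
          # HEAD may resolve to the same commit — confirm the action still
          # produces a useful scan in those cases.
          base: ${{ github.event.repository.default_branch }}
          # Report only secrets TruffleHog could verify against the provider.
          extra_args: --only-verified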