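---
# Dependency and static-analysis security scan for the repository.
# Runs on every push and on manual dispatch. The job FAILS when a scanner
# reports findings or cannot run, so a green run means "nothing found";
# previously every scanner result was discarded (`|| true`, `|| echo ...`)
# and the workflow could never go red.
name: security-scanning
on:  # yamllint disable-line rule:truthy
  push:
  workflow_dispatch:
jobs:
  audit:
    runs-on: debian
    steps:
      - name: Nuclear fix - absolute path control
        shell: bash
        run: |
          # Abort on the first failing command, unset variable or failed
          # pipeline stage. Without this a failed `cd` or clone let the
          # scanners run against whatever directory the shell was in and
          # the step still passed.
          set -euo pipefail

          echo "=== SECURITY SCANNING NUCLEAR FIX ==="
          echo "Current PWD: $(pwd)"
          echo "Forcing absolute workspace path..."

          # Unique per-run directory under the runner's absolute workspace
          # root, removed when the step exits. The old fixed path was wiped
          # with `rm -rf` at the start of every run, which destroys the
          # checkout of any other job running on the same runner.
          mkdir -p /opt/gitea-runner
          WORKDIR="$(mktemp -d /opt/gitea-runner/workspace.XXXXXX)"
          trap 'rm -rf "$WORKDIR"' EXIT
          cd "$WORKDIR"
          echo "Workspace PWD: $(pwd)"

          # Clone the branch/tag that triggered the run rather than the
          # remote's default branch, so the scan covers the pushed code.
          # GITHUB_REF_NAME is the GitHub-compatible ref name exported by
          # Gitea Actions; if it is unset (e.g. a different runner build)
          # fall back to the plain clone the original step did.
          REPO_URL="https://gitea.bubuit.net/oib/aitbc.git"
          echo "Cloning repository..."
          if [ -n "${GITHUB_REF_NAME:-}" ]; then
            git clone --depth 1 --branch "$GITHUB_REF_NAME" "$REPO_URL" repo
          else
            git clone --depth 1 "$REPO_URL" repo
          fi
          cd repo
          echo "Repo PWD: $(pwd)"
          echo "Scanning commit: $(git rev-parse HEAD)"
          echo "Files in repo:"
          ls -la

          # Becomes non-zero once any scanner reports findings or fails to
          # run. Every scanner still executes so the log shows all results;
          # the job fails at the end rather than after the first finding.
          STATUS=0

          echo "=== PROJECT TYPE CHECK ==="
          if [ -f "package.json" ]; then
            echo "✅ Node.js project detected!"
            echo "=== NPM INSTALL ==="
            npm install --legacy-peer-deps
            echo "✅ Running security scan..."
            # Advisories of moderate severity or worse fail the job.
            npm audit --audit-level moderate || STATUS=1
          elif [ -f "pyproject.toml" ]; then
            echo "✅ Python project detected!"
            echo "=== PYTHON DEPENDENCIES ==="
            if command -v poetry >/dev/null 2>&1; then
              echo "Poetry found, installing dependencies..."
              poetry install
            else
              echo "Installing poetry..."
              # NOTE(review): unpinned install from PyPI into the runner's
              # own Python; pin a version (and ideally hashes) if this
              # runner is shared or long-lived.
              pip install poetry
              poetry install
            fi
            echo "✅ Running security scan..."
            # NOTE(review): scanner versions are unpinned as well.
            pip install safety bandit
            echo "=== Safety check (dependencies) ==="
            # A non-zero exit means vulnerable dependencies OR that the
            # tool itself could not run (network, auth, deprecated
            # subcommand on newer safety releases). Both must fail the
            # job instead of being logged as "completed".
            safety check || STATUS=1
            echo "=== Bandit check (code security) ==="
            # JSON report goes to the job log; findings fail the job.
            bandit -r . -f json || STATUS=1
          else
            echo "❌ No supported project type found!"
            exit 1
          fi

          if [ "$STATUS" -ne 0 ]; then
            echo "❌ Security scan reported findings or a scanner failed (see output above)."
          fi
          exit "$STATUS"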