name: Security Audit

on:
  workflow_dispatch: # Allow manual triggering
  push:

jobs:
  rust-audit:
    name: Rust Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

      - name: Install cargo-deny
        uses: taiki-e/install-action@cargo-deny

      - name: Run cargo deny
        run: cargo deny --manifest-path src-tauri/Cargo.toml check sources advisories bans --show-stats

  npm-audit:
    name: NPM Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10.19.0

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: "22.21.1"
          cache: "pnpm"

      - name: Install dependencies
        run: pnpm install

      - name: Run npm audit
        run: pnpm audit --audit-level moderate