byte-me/.github/workflows/security-audit.yml

name: Security Audit

on:
  workflow_dispatch: # Allow manual triggering
  push:
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"
      - "**/package.json"
      - "**/pnpm-lock.yaml"

jobs:
  rust-audit:
    name: Rust Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Install cargo-audit
        uses: taiki-e/cache-cargo-install-action@v2
        with:
          tool: cargo-audit

      - name: Run cargo audit
        run: cargo audit --file src-tauri/Cargo.lock

      - name: Install cargo-deny
        uses: taiki-e/cache-cargo-install-action@v2
        with:
          tool: cargo-deny

      - name: Run cargo deny
        run: cargo deny --manifest-path src-tauri/Cargo.toml check

  npm-audit:
    name: NPM Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "pnpm"

      - name: Install dependencies
        run: pnpm install

      - name: Run npm audit
        run: pnpm audit --audit-level moderate