name: "Dependency Review"
on:
  pull_request:
  merge_group:

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: depot-ubuntu-22.04-4
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4
      - name: "Setup Go"
        uses: actions/setup-go@v5
        with:
          go-version: "1.24"
          check-latest: true
      - name: "Dependency Review"
        uses: actions/dependency-review-action@v4
        with:
          base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
          fail-on-severity: high
      - name: "Dependency audit"
        run: ./scripts/dep-assert.sh
      - name: "Go vulnerability check"
        id: govuln
        run: |
          # Run the vulnerability check and capture its output (ignoring non-zero exit codes)
          make vulncheck 2>&1 | tee govulncheck-output.txt || true

          # Extract vulnerability identifiers from the output (e.g., GO-2025-3443)
          vulnerabilities=$(grep -o 'GO-[0-9]\{4\}-[0-9]\+' govulncheck-output.txt | sort | uniq)
          echo "Detected vulnerabilities: $vulnerabilities"

          # Check if any vulnerability other than GO-2025-3443 exists
          for vuln in $vulnerabilities; do
            if [ "$vuln" != "GO-2025-3443" ]; then
              echo "Found vulnerability $vuln, failing..."
              exit 1
            fi
          done

          echo "Only known vulnerability (GO-2025-3443) present. Continuing."