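---
# Builds the nyx scanner from source on every pull request and runs it
# against the PR checkout, publishing the SARIF report as an artifact.
#
# The repositories are cloned by hand with the job token; the token is
# passed through the environment instead of being interpolated into the
# script text, and it is stripped from .git/config after each clone so it
# does not remain in the workspace the scanner reads.
name: NYX Security Scan

on:
  pull_request:
    branches: [main, master]

jobs:
  nyx-scan:
    runs-on: docker-amd64
    env:
      # Job token for the Forgejo instance; read by the two clone steps.
      GIT_TOKEN: ${{ github.token }}
    steps:
      - name: Checkout PR
        env:
          REPO: ${{ github.repository }}
          SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
          git clone --depth=1 "https://oauth2:${GIT_TOKEN}@bitfreedom.net/code/${REPO}.git" .
          git fetch --depth=1 origin "$SHA"
          git checkout "$SHA"
          # Remove the credential from the stored remote URL; later steps do
          # not talk to the remote again and the tree is scanned and packaged.
          git remote set-url origin "https://bitfreedom.net/code/${REPO}.git"

      - name: Clone nyx from Forgejo mirror
        # NOTE(review): tracks the tip of master, so the scanner itself is an
        # unpinned dependency; pin to a tag or commit once one is chosen.
        # The clone lives inside the workspace, so nyx may scan its own
        # source tree unless it excludes .nyx-src -- confirm against nyx.
        run: |
          set -euo pipefail
          git clone --depth=1 --branch master \
            "https://oauth2:${GIT_TOKEN}@bitfreedom.net/code/apunkt/nyx.git" \
            .nyx-src
          git -C .nyx-src remote set-url origin "https://bitfreedom.net/code/apunkt/nyx.git"

      - name: Install Rust
        run: |
          set -euo pipefail
          # pipefail makes a failed download fail the step instead of feeding
          # an empty script to sh; --proto/--tlsv1.2 keep the fetch on TLS 1.2+.
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
            | sh -s -- -y --default-toolchain stable
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"

      - name: Build nyx from source
        run: |
          set -euo pipefail
          cd .nyx-src
          cargo build --release
          # Installed copy is kept for parity with the original workflow; the
          # scan step below invokes the build output path directly.
          cp target/release/nyx /usr/local/bin/nyx

      - name: Run NYX scan
        # No `|| true` here: the exit status produced by --fail-on MEDIUM is
        # what gates the PR. The SARIF report goes to stdout, so it is on disk
        # for the always() steps below even when this step fails -- presumably
        # nyx writes the report before exiting non-zero; confirm against nyx.
        run: |
          set -euo pipefail
          .nyx-src/target/release/nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif

      - name: Show findings
        if: always()
        run: cat nyx-results.sarif

      - name: Upload SARIF results
        if: always()
        # NOTE(review): pinned to a mutable tag; pin to a commit SHA for a
        # reproducible action version.
        uses: https://code.forgejo.org/actions/upload-artifact@v4
        with:
          name: nyx-sarif-report
          path: nyx-results.sarif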