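# Runs the NYX static-analysis scanner on every pull request that targets
# main or master and publishes the SARIF report as a build artifact.
name: NYX Security Scan

on:
  pull_request:
    branches: [main, master]

jobs:
  nyx-scan:
    runs-on: docker-amd64  # one architecture is enough for SAST
    steps:
      # The scanner is fetched, built and installed BEFORE any pull-request
      # content is placed in the workspace. Cargo and rustup read
      # configuration from parent directories, so building .nyx-src inside
      # the PR checkout would let files from the pull request influence how
      # the scanner itself is built.
      - name: Checkout nyx from Forgejo mirror
        # NOTE(review): v4 is a movable tag; pinning each `uses:` reference
        # to a reviewed full commit SHA keeps the job from silently picking
        # up changed action code.
        uses: actions/checkout@v4
        with:
          repository: apunkt/nyx
          # URL of your Forgejo instance:
          # NOTE(review): actions/checkout documents this input as
          # `github-server-url`; confirm that `server_url` is honoured by the
          # checkout action your runner resolves, otherwise the scanner
          # source comes from the default server instead of this mirror.
          server_url: https://bitfreedom.net/code/
          # NOTE(review): master is a moving branch, so the scanner binary
          # can change between runs without review. Prefer a reviewed tag or
          # commit SHA here (<PINNED_NYX_COMMIT>).
          ref: master
          path: .nyx-src

      - name: Install Rust
        uses: https://github.com/actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable

      - name: Build nyx from source
        run: |
          cd .nyx-src
          cargo build --release
          sudo cp target/release/nyx /usr/local/bin/nyx
          # Drop the scanner sources and build output so they are not part
          # of the tree that is checked out and scanned below.
          cd ..
          rm -rf .nyx-src

      - name: Checkout target repo
        uses: actions/checkout@v4
        with:
          # No later step performs git operations, so the job token does not
          # need to stay in .git/config while the scanner runs.
          persist-credentials: false

      - name: Run NYX scan
        run: |
          nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif

      # Runs even when the scan step fails, so the report is always kept.
      - name: Upload results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: nyx-sarif-report
          path: nyx-results.sarif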