name: NYX Security Scan

on:
  pull_request:
    branches: [main]

jobs:
  nyx-scan:
    runs-on: docker-amd64

    steps:
      - name: Checkout PR
        run: |
          git clone --depth=1 \
            "https://oauth2:${{ github.token }}@bitfreedom.net/code/${{ github.repository }}.git" \
            .
          git fetch --depth=1 origin ${{ github.sha }}
          git checkout ${{ github.sha }}

      - name: Fetch action source
        run: |
          git clone --depth=1 --branch master \
            "https://oauth2:${{ github.token }}@bitfreedom.net/code/nomyo-ai/actions.git" \
            ./.nyx-action

      - uses: ./.nyx-action/nyx-scan
        with:
          forgejo_push_token: ${{ secrets.FORGEJO_PUSH_TOKEN }}
          repository: ${{ github.repository }}
          pr_number: ${{ github.event.pull_request.number }}
          sha: ${{ github.sha }}
          fail_on: HIGH