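---
# Weekly dependency audit: confirms the committed hash-pinned lockfile matches
# src/requirements.txt, installs it under hash enforcement, then runs
# pip-audit against the locked set.
name: Dependency Audit

on:
  schedule:
    # Sundays at 00:00 UTC.
    - cron: '0 0 * * 0'
  workflow_dispatch:

# Least privilege: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions are referenced by a mutable tag. Pinning
      # each to a full commit SHA keeps a retagged release from changing
      # what this job runs.
      - uses: actions/checkout@v4
        with:
          # Later steps run third-party install and build code, so do not
          # leave the job token in .git/config where that code can read it.
          # Nothing below needs authenticated git access.
          persist-credentials: false

      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      # NOTE(review): pip, pip-tools and pip-audit are installed unpinned and
      # without hashes, so the audit tooling is not covered by the guarantee
      # it enforces. A hashed tools requirements file would close that gap
      # and avoid spurious lockfile drift when pip-tools output changes.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pip-tools pip-audit
          pip-compile --generate-hashes --output-file=requirements.lock src/requirements.txt
          git diff --exit-code requirements.lock
          pip install --require-hashes -r requirements.lock

      # NOTE(review): the advisory below is suppressed with no recorded
      # justification. Document why it does not apply (or has no fix), who
      # accepted the risk, and when to revisit it, so the suppression does
      # not outlive its reason.
      - name: Run pip-audit
        run: pip-audit -r requirements.lock --ignore-vuln GHSA-wj6h-64fc-37mp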