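---
# Python dependency vulnerability gate for the backend.
#
# Flow: pip-audit writes a JSON report for backend/requirements.txt, then
# backend/scripts/pip_audit_gate.py decides pass/fail against the allowlist
# in ops/security/pip-audit-allowlist.json. The report is uploaded as an
# artifact whether or not the gate passes, so a failed gate can be inspected.
name: Python Dependency Security

on:
  push:
    branches: ["main", "master", "development"]
    paths:
      - "backend/**"
      - ".github/workflows/python-dependency-security.yml"
      - "ops/security/pip-audit-allowlist.json"
      - "docs/security/dependency-exceptions.md"
  pull_request:
    paths:
      - "backend/**"
      - ".github/workflows/python-dependency-security.yml"
      - "ops/security/pip-audit-allowlist.json"
      - "docs/security/dependency-exceptions.md"
  workflow_dispatch:

# Least privilege: this job only reads the repository and uploads an
# artifact; neither needs a write scope on GITHUB_TOKEN, so do not rely on
# the repository-wide default token permissions.
permissions:
  contents: read

jobs:
  pip-audit:
    name: pip-audit (block high/critical)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): actions are pinned by major tag only. Pinning to a
        # full commit SHA would protect against a tag being re-pointed; not
        # changed here because the SHAs are not available in this file.
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Install pip-audit
        # NOTE(review): the scanner itself is installed unpinned, so the
        # gate's results depend on whatever pip-audit release PyPI serves at
        # run time. Consider pinning a version (ideally with --require-hashes)
        # for reproducible audits.
        run: |
          python -m pip install --upgrade pip
          pip install pip-audit

      - name: Run pip-audit (JSON report)
        # pip-audit exits non-zero when it finds vulnerabilities; that is
        # expected here because the policy decision is made by the gate step
        # below, not by this step. The `|| true` would also hide a scanner
        # that never ran (bad requirements path, network failure, crash), so
        # a missing/empty report is turned back into a hard failure instead
        # of being fed to the gate as "no findings".
        # NOTE(review): auditing via `-r` presumably resolves the requirement
        # set in a temporary environment; confirm whether that executes
        # build hooks of the audited packages on this runner.
        run: |
          pip-audit -r backend/requirements.txt --format json --aliases \
            --output pip-audit-backend.json || true
          test -s pip-audit-backend.json || {
            echo "::error::pip-audit did not produce pip-audit-backend.json"
            exit 1
          }

      - name: Enforce vulnerability policy
        # The gate script is the only step that fails the job on findings;
        # exceptions must be recorded in the allowlist (and, per the trigger
        # paths, documented in docs/security/dependency-exceptions.md).
        run: |
          python backend/scripts/pip_audit_gate.py \
            --report pip-audit-backend.json \
            --allowlist ops/security/pip-audit-allowlist.json

      - name: Upload pip-audit report
        # Run even when the gate step failed: that is exactly when the report
        # is needed. Skipped only if the run was cancelled.
        if: ${{ !cancelled() }}
        # upload-artifact@v3 is deprecated upstream; v4 is used here. Only one
        # artifact of this name is uploaded per run, which v4 requires.
        uses: actions/upload-artifact@v4
        with:
          name: pip-audit-security-report
          path: pip-audit-backend.json
          # Earlier steps may have failed before the report existed; do not
          # mask that failure with a second, unrelated upload error.
          if-no-files-found: warn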