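---
# Manual supply-chain audit of the Rust dependency graph: known-vulnerable
# crates (cargo-audit and cargo-deny advisories) and licence policy
# (cargo-deny licenses). Each tool's output is captured into the files the
# upload step expects, and the job fails when any check fails, so findings
# are surfaced instead of being swallowed by `|| true`.
name: Supply Chain Audit (registered)

on:  # yamllint disable-line rule:truthy
  workflow_dispatch: {}

# Least privilege: the job only reads the repository; it never writes to
# the API or pushes.
permissions:
  contents: read

jobs:
  audit:
    name: cargo-audit & cargo-deny
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    defaults:
      run:
        # `bash` here runs with `-eo pipefail`, so `cargo … | tee file` still
        # propagates cargo's exit status instead of tee's.
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Rust toolchain
        run: |
          # Prefer the channel pinned in rust-toolchain.toml; fall back to stable.
          TOOLCHAIN=""
          if [ -f rust-toolchain.toml ]; then
            TOOLCHAIN=$(grep -m1 -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml || true)
          fi
          if [ -z "${TOOLCHAIN}" ]; then
            TOOLCHAIN=stable
          fi
          # Official rustup installer over TLS 1.2+; a non-zero exit fails the step.
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
            | sh -s -- -y --default-toolchain "${TOOLCHAIN}"
          # Every `run:` is a fresh shell, so `source $HOME/.cargo/env` would not
          # carry over; extend PATH for all later steps instead.
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"

      - name: Install cargo-audit and cargo-deny
        # Pinned releases plus --locked so each tool is built with the
        # dependency tree published for that release. No `|| true`: a failed
        # install must fail here, not reappear later as "command not found".
        run: |
          cargo install cargo-audit --version 0.17.0 --locked
          cargo install cargo-deny --version 0.12.0 --locked

      # The three checks use continue-on-error so that all of them run and
      # the reports are uploaded even when one fails; the last step turns any
      # failed check into a job failure.
      - name: Run cargo audit
        id: cargo_audit
        continue-on-error: true
        run: |
          cargo audit --version
          cargo audit 2>&1 | tee audit.txt

      - name: Run cargo deny (advisories)
        id: deny_advisories
        continue-on-error: true
        run: |
          cargo deny check advisories --manifest-path Cargo.toml 2>&1 | tee deny-advisories.txt

      - name: Run cargo deny (licenses)
        id: deny_licenses
        continue-on-error: true
        run: |
          cargo deny check licenses --manifest-path Cargo.toml 2>&1 | tee deny-licenses.txt

      - name: Upload audit results
        # always(): the reports are most useful precisely when a check failed.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: supply-chain-reports
          path: |
            audit.txt
            deny-advisories.txt
            deny-licenses.txt
          if-no-files-found: ignore

      - name: Fail the job if any check failed
        if: >-
          steps.cargo_audit.outcome == 'failure'
          || steps.deny_advisories.outcome == 'failure'
          || steps.deny_licenses.outcome == 'failure'
        run: |
          echo "::error::one or more supply-chain checks failed; see the supply-chain-reports artifact"
          exit 1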