MrTrust/files/dependency-check-gitea.yml

name: Scheduled Dependency Check

on:
  schedule:
    - cron: "29 3 * * 2"
  workflow_dispatch:

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Detect project stack
        id: detect
        shell: bash
        run: |
          stacks=""

          [ -f package.json ] && stacks="${stacks} node"
          { [ -f pyproject.toml ] || [ -f requirements.txt ]; } && stacks="${stacks} python"
          [ -f Cargo.toml ] && stacks="${stacks} rust"
          [ -f go.mod ] && stacks="${stacks} go"
          { [ -f Dockerfile ] || [ -f compose.yml ] || [ -f docker-compose.yml ]; } && stacks="${stacks} docker"

          echo "stacks=${stacks:-generic}" >> "$GITHUB_OUTPUT"
          echo "Detected stacks:${stacks:- generic}"

      - name: Node dependency report
        if: contains(steps.detect.outputs.stacks, 'node')
        shell: bash
        run: |
          if [ -f package-lock.json ] || [ -f npm-shrinkwrap.json ]; then
            npm ci
          else
            npm install --package-lock-only --ignore-scripts
          fi

          echo "Security audit:"
          npm audit --omit=dev --audit-level=high

          echo
          echo "Outdated dependencies:"
          npm outdated || true

      - name: Python dependency report
        if: contains(steps.detect.outputs.stacks, 'python')
        shell: bash
        run: |
          python -m pip install --upgrade pip pip-audit

          echo "Security audit:"
          if [ -f requirements.txt ]; then
            pip-audit -r requirements.txt
          else
            pip-audit
          fi

          echo
          echo "Outdated packages:"
          python -m pip list --outdated || true

      - name: Rust dependency report
        if: contains(steps.detect.outputs.stacks, 'rust')
        shell: bash
        run: |
          cargo install cargo-audit cargo-outdated --locked

          echo "Security audit:"
          cargo audit

          echo
          echo "Outdated crates:"
          cargo outdated || true

      - name: Go dependency report
        if: contains(steps.detect.outputs.stacks, 'go')
        shell: bash
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest

          echo "Security audit:"
          govulncheck ./...

          echo
          echo "Available dependency updates:"
          go list -u -m all || true

      - name: Docker base image report
        if: contains(steps.detect.outputs.stacks, 'docker')
        shell: bash
        run: |
          echo "Docker image references:"
          grep -RInE --exclude-dir=.git --exclude-dir=node_modules --exclude-dir=dist --exclude-dir=build '^\s*FROM\s+' Dockerfile* . 2>/dev/null || true

          echo
          echo "Review Docker base images manually for pinned versions, official sources, and current security status."

      - name: Dependency guidance
        shell: bash
        run: |
          cat <<'EOF'
          Dependency check completed.

          This workflow reports vulnerabilities and available updates. It does
          not modify dependency files, create pull requests, or publish packages.

          Recommended manual follow-up:
          - update dependencies in a focused branch,
          - run the project test/build commands,
          - review lockfile diffs carefully,
          - document intentionally held versions.
          EOF