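---
# Scheduled and on-demand static checks for the extension sources:
# a JavaScript syntax check, a grep for patterns that need manual review,
# and a check that manifest.json does not request broad API permissions.
name: Security Scan

on:
  schedule:
    # Mondays at 04:00 (GitHub evaluates cron schedules in UTC).
    - cron: "0 4 * * 1"
  workflow_dispatch:

# Every step only reads the checked-out tree, so the GITHUB_TOKEN is
# restricted to read access instead of inheriting the repository default.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: opera-cache-cleaner-extension
    steps:
      # NOTE(review): "v4" is a mutable tag. Pinning the action to a full
      # commit SHA protects this job from a retagged release.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step uses git, so the token is not left in .git/config.
          persist-credentials: false

      - name: Check JavaScript syntax
        run: |
          node --check background.js
          node --check popup/popup.js

      - name: Scan for risky patterns
        shell: bash
        run: |
          # grep exits 0 on a match, 1 on no match and 2 on error (for
          # example a missing file). Only "no match" may pass: a scan that
          # could not run must not be reported as a clean result.
          status=0
          grep -RInE 'eval\s*\(|new Function|innerHTML\s*=|insertAdjacentHTML|fetch\s*\(|XMLHttpRequest|chrome\.tabs|chrome\.cookies|chrome\.history' background.js popup manifest.json || status=$?
          case "$status" in
            0)
              echo "Review the matches above before release."
              exit 1
              ;;
            1)
              ;;
            *)
              echo "Pattern scan could not complete (grep exit status ${status})."
              exit 1
              ;;
          esac

      - name: Check manifest permissions
        shell: bash
        run: |
          # The alternation previously ended with an empty branch ("...|)"),
          # which also matched any empty string literal ("") in the manifest
          # and failed the job without a broad permission being present.
          # This is a text match anywhere in manifest.json, not a parse of
          # the permissions array, and it covers only the four names listed;
          # host permissions are not checked by this step.
          status=0
          grep -qE '"(tabs|cookies|history|downloads)"' manifest.json || status=$?
          case "$status" in
            0)
              echo "Unexpected broad permission found in manifest.json."
              exit 1
              ;;
            1)
              ;;
            *)
              echo "Permission check could not complete (grep exit status ${status})."
              exit 1
              ;;
          esac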