name: OSPS Baseline Scanner

on:
  schedule:
    # Run weekly on Mondays at 9 AM UTC
    - cron: "0 9 * * 1"
  workflow_dispatch: # Allow manual triggering

jobs:
  osps-assessment:
    runs-on: ubuntu-latest
    name: Baseline Scan

    permissions:
      contents: read
      security-events: write # Required for SARIF upload

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Run Baseline Action
        uses: revanite-io/osps-baseline-action@99e372da63a5587fad5ef9a1a3c6e465f7e9fc03 # v1.3.1
        with:
          owner: ${{ github.repository_owner }}
          repo: ${{ github.event.repository.name }}
          token: ${{ secrets.GH_AUTH_TOKEN }}
          catalog: "osps-baseline"
          upload-sarif: "true"

      - name: Upload Assessment Results
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: osps-assessment-results-${{ github.run_number }}
          path: evaluation_results/
          retention-days: 30