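# Runs the Pipelock scanner on pull requests that target main.
# The job uses a read-only token and does not persist git credentials.
name: Pipelock Security Scan

# `pull_request` (not `pull_request_target`): the workflow runs in the PR's
# context, so runs from forks get a read-only token and no repository secrets.
on:
  pull_request:
    branches: [main]

# Least privilege: the workflow token may only read repository contents.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@v4` is a mutable tag. Pinning to a full commit SHA
      # (`actions/checkout@<full-commit-sha>  # v4`) keeps a retagged release
      # from changing what runs here.
      - uses: actions/checkout@v4
        with:
          # Full history; presumably needed so the scanner can diff the PR
          # against its base. Confirm against the action's documentation.
          fetch-depth: 0
          # Keep the workflow token out of .git/config so later steps
          # cannot read it from the checked-out repository.
          persist-credentials: false

      - name: Pipelock Scan
        # NOTE(review): third-party action referenced by a mutable tag. Pin it
        # to a reviewed full commit SHA
        # (`luckyPipewrench/pipelock@<full-commit-sha>  # v1`) and update the
        # pin deliberately.
        uses: luckyPipewrench/pipelock@v1
        with:
          scan-diff: 'true'
          fail-on-findings: 'true'
          test-vectors: 'false'
          # Every line inside the `|` block below is literal text passed to the
          # action, including the line starting with `#`; YAML does not treat
          # it as a comment. Confirm that the action ignores such lines.
          # NOTE(review): excluding client.rb by path suppresses all findings
          # in that file, not only the known Bearer-token false positive.
          # Re-review this exclusion whenever the file changes.
          exclude-paths: |
            config/locales/views/reports/
            # False positive: client.rb stores Bearer token and sends Authorization header by design
            app/models/assistant/external/client.rb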