.github/workflows/gosec.yml

name: Gosec Security Scan

on:
  push:
    branches:
      - "master"
      - "main"
    paths-ignore:
      - "**.md"
      - LICENSE
      - ".github/ISSUE_TEMPLATE/*.yml"
      - ".github/dependabot.yml"
  pull_request:
    branches:
      - "*"
    paths-ignore:
      - "**.md"
      - LICENSE
      - ".github/ISSUE_TEMPLATE/*.yml"
      - ".github/dependabot.yml"

jobs:
  detect-changes:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.changed-files.outputs.all_changed_files }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Changed Files
        uses: tj-actions/changed-files@v42
        id: changed-files
        with:
          files_ignore: |
            .github/**
            **.md
          json: true
          escape_json: false
          dir_names: true
          dir_names_max_depth: '1'
          dir_names_exclude_current_dir: true

  gosec-scan:
    runs-on: ubuntu-latest
    needs: detect-changes
    env:
      GO111MODULE: on
    strategy:
      matrix:
        modules: ${{ fromJSON(needs.detect-changes.outputs.matrix) }}
    steps:
      - name: Fetch Repository
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: '^1.21.x'
          check-latest: true
          cache: false
      - name: Install gosec
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
      - name: Run gosec
        working-directory: ${{ matrix.modules }}
        run: gosec ./...