name: Security

on:
  push:
    branches: [JP]
  pull_request:
    branches: [JP]
  schedule:
    - cron: "0 6 * * 1" # Weekly on Monday at 06:00 UTC

concurrency:
  group: security-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  vulnerability-scan:
    name: .NET vulnerability scan
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.x"

      - name: Restore dependencies
        run: dotnet restore

      - name: Check for vulnerable packages
        run: dotnet list package --vulnerable --include-transitive