# @format

name: Vulnerability Check
on:
  pull_request:
    branches:
      - master

permissions:
  contents: read # to fetch code (actions/checkout)

jobs:
  vulncheck:
    name: Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: 1.23.8
          check-latest: true
      - name: Get official govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
        shell: bash
      - name: Run govulncheck
        run: govulncheck ./...
        shell: bash

  react-code-known-vulnerabilities:
    name: "React Code Has No Known Vulnerable Deps"
    runs-on: ubuntu-latest
    strategy:
      matrix:
        go-version: [ 1.23.x ]
        os: [ ubuntu-latest ]
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Read .nvmrc
        id: node_version
        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
      - name: Enable Corepack
        run: corepack enable
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NVMRC }}
      - name: Checks for known security issues with the installed packages
        working-directory: ./web-app
        continue-on-error: false
        run: |
          yarn npm audit --recursive --environment production --no-deprecations