name: NPM Audit

on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:

permissions: {}
jobs:
  audit:
    if: ${{ github.repository_owner == 'nrwl' }}
    permissions:
      contents: read  #  to fetch code (actions/checkout)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - uses: pnpm/action-setup@v4
        with:
          version: 10.11.1 # Aligned with root package.json (pnpm/action-setup will helpfully error if out of sync)

      - name: Run a security audit
        run: pnpm dlx audit-ci --critical --report-type summary

  report:
    if: ${{ always() && github.repository_owner == 'nrwl' && github.event_name != 'workflow_dispatch' }}
    needs: audit
    runs-on: ubuntu-latest
    name: Report status
    steps:
      - name: Send notification
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: ${{ needs.audit.result }}
          message_format: '{emoji} Audit has {status_message}'
          notification_title: '{workflow}'
          footer: '<{run_url}|View Run> / Last commit <{commit_url}|{commit_sha}>'
          mention_users: 'U01UELKLYF2,U9NPA6C90'
          mention_users_when: 'failure,warnings'
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.ACTION_MONITORING_SLACK }}