name: NPM Audit

on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:

permissions: {}
jobs:
  audit:
    permissions:
      contents: read  #  to fetch code (actions/checkout)

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3

    - name: Run a security audit
      run: npx audit-ci --critical --report-type summary

    - name: Check lock file for invalid hosts
      run: npx lockfile-lint -s -n -p yarn.lock -a hosts yarn npm

    # - name: Run Dependency confusion supply chain check
    #  run: npx snync -d .

  report:
    if: ${{ always() && github.repository_owner == 'nrwl' && github.event_name != 'workflow_dispatch' }}
    needs: audit
    runs-on: ubuntu-latest
    name: Report status
    steps:
      - name: Send notification
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: ${{ needs.audit.result }}
          message_format: '{emoji} Audit has {status_message}'
          notification_title: '{workflow}'
          footer: '<{run_url}|View Run> / Last commit <{commit_url}|{commit_sha}>'
          mention_users: 'U01UELKLYF2,U9NPA6C90'
          mention_users_when: 'failure,warnings'
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.ACTION_MONITORING_SLACK }}