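name: 'Sec: Poutine Scan'

on:
  # Manual runs accept the same optional ref as the reusable-workflow call,
  # so `inputs.ref` resolves to a string either way ('' → default branch).
  workflow_dispatch:
    inputs:
      ref:
        description: GitHub ref to scan.
        required: false
        type: string
        default: ''
  workflow_call:
    inputs:
      ref:
        description: GitHub ref to scan.
        required: false
        type: string
        default: ''

# Least privilege: the job only reads the checkout and writes code-scanning
# alerts. When called as a reusable workflow the caller must grant at least
# these. NOTE(review): upload-sarif on private repositories may additionally
# need `actions: read` — confirm against the codeql-action docs before adding.
permissions:
  contents: read
  security-events: write

jobs:
  poutine_scan:
    name: Poutine Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref }}
          # Nothing in this job pushes, so do not leave GITHUB_TOKEN in
          # .git/config where later steps (including the third-party scanner
          # process) could read it from disk.
          persist-credentials: false

      - name: Run Poutine Security Scanner
        uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2

      - name: Fail on error-level findings
        # Explicit `bash` gives `-o pipefail`; the implicit default shell only
        # sets `-e`.
        shell: bash
        run: |
          set -euo pipefail
          # Guard the file explicitly. `jq` on a missing or unparseable file
          # exits non-zero, and a bare `if jq -e ...` condition reads that as
          # "no findings" and lets the gate pass; an absent report must fail.
          if [ ! -s results.sarif ]; then
            echo "::error::results.sarif was not produced by the scanner"
            exit 1
          fi
          # `.results` is optional per SARIF, so default it to [] before
          # iterating; any jq parse failure here aborts the step via `set -e`.
          # NOTE(review): only results carrying an explicit `level: error` are
          # counted; SARIF allows `level` to be inherited from the rule's
          # defaultConfiguration — confirm Poutine always emits it per result.
          error_count=$(jq '[.runs[] | (.results // [])[] | select(.level == "error")] | length' results.sarif)
          if [ "${error_count}" -gt 0 ]; then
            echo "::error::Poutine found ${error_count} error-level security finding(s):"
            jq -r '.runs[] | (.results // [])[] | select(.level == "error") | " - \(.ruleId): \(.message.text)"' results.sarif
            exit 1
          fi
          echo "No error-level findings detected"

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
        # Upload even when the gate above failed, so the findings that caused
        # the failure are visible in the Security tab.
        if: always()
        with:
          sarif_file: results.sarif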