name: Security audit
on:
  pull_request:
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"
  push:
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"
jobs:
  security_audit:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        checks:
          - advisories
          - bans licenses sources

    # Prevent sudden announcement of a new advisory from failing ci:
    continue-on-error: ${{ matrix.checks == 'advisories' }}

    steps:
      - name: Setup | Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Test | Security Audit
        uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
        with:
          command: check ${{ matrix.checks }}