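---
# Weekly Trivy vulnerability scan of the published container image.
# The scan job only runs in the upstream repository, so forks that never
# publish the image do not get a failing scheduled job.
name: Security Scan

on:
  schedule:
    - cron: '0 0 * * 0'  # once a week: Sunday 00:00 UTC
  workflow_dispatch:

# Least privilege: nothing in this workflow writes to the repository, so the
# default GITHUB_TOKEN only needs read access for the checkout step.
permissions:
  contents: read

jobs:
  check-repository:
    runs-on: ubuntu-latest
    outputs:
      is_original: ${{ steps.check.outputs.is_original }}
    steps:
      - id: check
        # Context values are passed through env instead of being expanded
        # inside the script, so the shell only ever sees them as data.
        env:
          REPOSITORY: ${{ github.repository }}
        run: |
          if [ "$REPOSITORY" = "ErlichLiu/DeepClaude" ]; then
            echo "is_original=true" >> "$GITHUB_OUTPUT"
          else
            echo "is_original=false" >> "$GITHUB_OUTPUT"
          fi

  scan:
    needs: check-repository
    if: needs.check-repository.outputs.is_original == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # ghcr.io image references must be lowercase; the owner and repository
      # names are not guaranteed to be, so they are normalised first.
      - name: Set lowercase variables
        env:
          OWNER: ${{ github.repository_owner }}
          REPO_NAME: ${{ github.event.repository.name }}
        run: |
          OWNER_LOWER=$(echo "$OWNER" | tr '[:upper:]' '[:lower:]')
          REPO_NAME_LOWER=$(echo "$REPO_NAME" | tr '[:upper:]' '[:lower:]')
          echo "OWNER_LOWER=$OWNER_LOWER" >> "$GITHUB_ENV"
          echo "REPO_NAME_LOWER=$REPO_NAME_LOWER" >> "$GITHUB_ENV"

      # NOTE(review): '@master' is a mutable ref, so the action's code can change
      # underneath this workflow without any commit here. Pin it to a release
      # tag or, preferably, a full commit SHA (e.g. @<trivy-action-commit-sha>).
      # Presumably the image is public on ghcr.io; a private package would need
      # a registry login step before this one — verify.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ env.OWNER_LOWER }}/${{ env.REPO_NAME_LOWER }}:latest
          format: 'table'
          exit-code: '1'        # fail the job when a matching finding exists
          ignore-unfixed: true  # only report findings that have a fix available
          severity: 'CRITICAL'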