.github/workflows/security.yml

name: Security
on: [push]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  mobfs:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - name: Setup Python 3.13
        uses: actions/setup-python@v4
        with:
          python-version: '3.13'
      - name: Run mobsfscan
        uses: MobSF/mobsfscan@0.4.5
        with:
          args: . --sarif --output results.sarif || true
      - name: Upload mobsfscan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  gradle-validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - uses: gradle/actions/wrapper-validation@v4