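---
# Nightly (and on-demand) vulnerability scan of every git ref listed in the
# VULNERABILITY_SCAN_REFS repository variable, one ref per matrix job.
name: Vulnerability scan

# `on` is a YAML 1.1 boolean; GitHub's loader handles it, generic linters do not.
# yamllint disable-line rule:truthy
on:
  schedule:
    - cron: '0 0 * * *'
  workflow_dispatch:

# NOTE(review): no `permissions:` block, so the repository's default GITHUB_TOKEN
# scope applies to both jobs' steps. If the scan action only needs the checkout,
# `permissions: { contents: read }` here would narrow that scope — confirm
# against what the action actually writes before adding it.

jobs:
  vulnerability-scan:
    strategy:
      # We don't want to run all jobs in parallel, because this would
      # overload NVD and we would get 503
      max-parallel: 1
      # Each ref's scan is independent: a failure on one ref (for example a
      # transient NVD error) must not cancel the scans still queued for the
      # other refs, which the default fail-fast behaviour would do.
      fail-fast: false
      matrix:
        # References/branches which should be scanned for vulnerabilities are
        # defined in the VULNERABILITY_SCAN_REFS variable as json list.
        # For example: ['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4']
        ref: ${{ fromJSON(vars.VULNERABILITY_SCAN_REFS) }}
    name: Vulnerability scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          ref: ${{ matrix.ref }}

      - name: Vulnerability scan
        env:
          SBOM_MATTERMOST_WEBHOOK: ${{ secrets.SBOM_MATTERMOST_WEBHOOK }}
          NVDAPIKEY: ${{ secrets.NVDAPIKEY }}
        # NOTE(review): this step hands the NVD API key and the Mattermost
        # webhook to a third-party action resolved from a mutable branch.
        # Pinning to a full commit SHA (espressif/esp-idf-sbom-action@<commit-sha>,
        # placeholder) makes the code that receives those secrets fixed and
        # reviewable rather than whatever the branch points at on a given night.
        uses: espressif/esp-idf-sbom-action@master
        with:
          ref: ${{ matrix.ref }}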