name: code-security
on:
  push:
    branches:
      - main
    paths:
      - "**/*.go"
      - "*.go"
      - "go.mod"
      - "go.sum"
  pull_request:
    branches:
      - main
    paths:
      - "**/*.go"
      - "*.go"
      - "go.mod"
      - "go.sum"

permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  security-checks:
    if: ${{ github.actor != 'dependabot[bot]' }}
    uses: purpleclay/github/.github/workflows/code-security.yml@main
    with:
      go-version: ${{ vars.GO_VERSION }}
    secrets:
      github-token: ${{ secrets.GITHUB_TOKEN }}