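---
# Reusable workflow: installs a Python security scanner inside a private
# runner image and runs it against the calling repository's checkout.
# Both the install and the scan commands are caller inputs and are passed
# verbatim to the job shell, so the caller owns their contents; a non-zero
# exit status from either command fails the job.
name: Reusable Python Security Checks

on:
  workflow_call:
    inputs:
      # Shell command that installs the scanner (default: bandit with TOML
      # config support so it can read pyproject.toml).
      install_command:
        type: string
        default: 'python -m pip install "bandit[toml]"'
      # Shell command that performs the scan; bandit exits non-zero on
      # findings, which is what fails the job.
      security_command:
        type: string
        default: "python -m bandit -r app -c pyproject.toml"
      # Directory, relative to the checkout root, that both commands run in.
      working_directory:
        type: string
        default: "."
    secrets:
      # Pull credentials for the private registry that hosts the runner image.
      REGISTRY_USERNAME:
        required: true
      REGISTRY_PASSWORD:
        required: true

jobs:
  security:
    runs-on: docker
    container:
      # NOTE(review): the tag embeds a commit id but is still a mutable tag;
      # pinning by digest (image@sha256:<digest-placeholder>) would make the
      # scanner environment reproducible and tamper-evident.
      image: gitea.tech-buddy.at/bitbuddydev/gitea_runner_python314:dev-bda315b82bb23d83065b77d91fedf0e20d9accf1
      credentials:
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}
    steps:
      # NOTE(review): a floating major tag (v4) follows upstream releases;
      # pinning to a full commit SHA (<sha-placeholder>) fixes the action
      # version for supply-chain purposes.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # The caller-supplied commands below only need the files, not a
          # git token, so do not leave the token in the workspace's git
          # config for the later steps to pick up.
          persist-credentials: false

      - name: Install security tools
        working-directory: ${{ inputs.working_directory }}
        run: ${{ inputs.install_command }}

      - name: Run security scan
        working-directory: ${{ inputs.working_directory }}
        run: ${{ inputs.security_command }}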