name: Update Vulnerability Summary

on:
  schedule:
    - cron: "15 9 * * *"    # runs daily at 09:15 UTC
  workflow_dispatch:        # allow manual trigger

jobs:
  update-summary:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # allow pushing back to the repo

    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Fetch sanitized JSON
        run: |
          curl -sSL https://vuln.beane.me/json/trivy_sanitized.json -o trivy_sanitized.json
          ls -lh trivy_sanitized.json
          head -20 trivy_sanitized.json || true

      - name: Extract last scan JSON
        run: |
          jq '.last_scan' trivy_sanitized.json > latest.json
          cat latest.json

      - name: Build summary string
        run: |
          jq -r '.last_scan | "_Last scan: \(.date)_\n\nCritical: \(.critical)\nHigh: \(.high)\nMedium: \(.medium)\nLow: \(.low)\n\nTotal: \(.total)"' trivy_sanitized.json > summary.txt

      - name: Update README
        run: |
          awk '
            /<!-- vuln-summary-start -->/ {
              print;
              while ((getline line < "summary.txt") > 0) print line;
              skip=1;
              next
            }
            /<!-- vuln-summary-end -->/ {skip=0}
            !skip
          ' README.md > README.tmp && mv README.tmp README.md

      - name: Commit updated files
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          mkdir -p data
          mv latest.json data/last-scan.json
          git add data/last-scan.json README.md
          git commit -m "chore: refresh vuln summary (README + JSON)" || echo "No changes to commit"
          git push