name: Pen Tests

on:
  # Be careful when using the workflow_run trigger
  # https://github.community/t/workflow-run-completed-event-triggered-by-failed-workflow/128001/7
  workflow_run:
    workflows: ["Release"]
    branches:
      - master
    types:
      - completed

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  zap-scan:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Docker Compose up
        run: |
          curl -fsSL https://raw.githubusercontent.com/logto-io/logto/HEAD/docker-compose.yml |\
          TAG=edge docker compose -p logto -f - up -d

      - name: Sleep for 30 seconds
        run: sleep 30s

      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: http://localhost:3001
          cmd_options: "-a"
          fail_action: true
          allow_issue_writing: false
          rules_file_name: ".zap/rules.conf"

      # TODO: send slack message on failure