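# Scheduled supply-chain watch: installs the locked dependency tree with
# lifecycle scripts disabled, verifies registry signatures and advisories,
# runs the repo's IOC / advisory-source scanners, checks the workflow
# hardening rules, and publishes the scanner output as a build artifact.
name: Supply-Chain Watch

on:
  schedule:
    # Every six hours at minute 17 (presumably off the hour to avoid the
    # top-of-hour scheduler congestion that delays or drops cron runs).
    - cron: '17 */6 * * *'
  # Allow a manual run from the Actions tab.
  workflow_dispatch:

# One run per workflow + ref; a newer run waits rather than cancelling an
# in-flight scan, so no report is lost.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

# Least privilege for GITHUB_TOKEN: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  ioc-watch:
    name: IOC watch
    runs-on: ubuntu-latest
    # Hard stop so a hung registry/network call cannot burn runner minutes.
    timeout-minutes: 10
    steps:
      # Actions are pinned to a full commit SHA (the tag is only a comment)
      # so a moved or re-pointed tag cannot swap in different code.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the token in .git/config where later steps could read it.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: '20.x'

      # --ignore-scripts blocks preinstall/postinstall hooks, the usual
      # code-execution vector for a compromised package. Nothing else in
      # this job relies on those hooks having run.
      - name: Install dependencies without lifecycle scripts
        run: npm ci --ignore-scripts

      # `npm audit signatures` fails the step on an invalid registry
      # signature; the second command fails it on any advisory rated
      # high or critical.
      - name: Verify registry signatures and advisories
        run: |
          npm audit signatures
          npm audit --audit-level=high

      # Scanner self-tests run before the scanners, so a broken fixture
      # fails the job instead of producing a misleading report.
      - name: Validate IOC scanner fixtures
        run: node tests/ci/scan-supply-chain-iocs.test.js

      - name: Validate advisory source fixtures
        run: node tests/ci/supply-chain-advisory-sources.test.js

      # Each report step creates its own output directory, so the steps can
      # be reordered or run in isolation without depending on a sibling.
      - name: Generate IOC report
        run: |
          mkdir -p artifacts
          node scripts/ci/scan-supply-chain-iocs.js --json > artifacts/supply-chain-ioc-report.json

      - name: Generate advisory source report
        run: |
          mkdir -p artifacts
          node scripts/ci/supply-chain-advisory-sources.js --refresh --json > artifacts/supply-chain-advisory-sources.json

      - name: Validate workflow hardening rules
        run: node scripts/ci/validate-workflow-security.js

      # Upload whatever reports exist even when an earlier step failed, but
      # not when the run was cancelled: always() would also fire on cancel
      # and publish a half-written report. The `${{ }}` wrapper is required
      # because a bare leading `!` is a YAML tag indicator.
      - name: Upload IOC report
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: supply-chain-ioc-report
          path: |
            artifacts/supply-chain-ioc-report.json
            artifacts/supply-chain-advisory-sources.json
          # Two weeks covers roughly 56 scheduled runs for after-the-fact triage.
          retention-days: 14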