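# Security scanning pipeline: runs Semgrep and Trivy through two reusable
# workflows on pushes and pull requests targeting main, plus a weekly run.
name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Quoted on purpose: an unquoted leading '*' would be read as a YAML alias.
    - cron: '0 4 * * 1'  # Mondays 04:00 UTC

# Reusable workflows live in JonKazama-Hellion/security-workflows
# (the security-workflows repo is in the personal account, not in either org).
#
# NOTE(review): both jobs reference the reusable workflow at `@main`, a
# mutable branch ref. Whatever is on that branch at run time executes in this
# repository's CI, so a push to (or compromise of) that personal-account repo
# changes this pipeline without any commit here. Pin each `uses:` to a full
# commit SHA and bump it deliberately, for example:
#   uses: JonKazama-Hellion/security-workflows/.gitea/workflows/semgrep.yml@<FULL_COMMIT_SHA>
# Until then, branch protection and 2FA on the security-workflows repo are
# part of this repository's trust boundary.
#
# No `secrets:` are forwarded to either called workflow. Keep it that way
# unless a scanner needs one, since the pull_request trigger also runs these
# jobs on proposed changes.

jobs:
  semgrep:
    # TODO(review): replace @main with a pinned commit SHA.
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/semgrep.yml@main
    # If you need to exclude specific rules or paths, drop a .semgrep-exclude.yml
    # at the repo root. The reusable workflow honors it.
    # NOTE(review): an exclude file at the repo root can be edited in the same
    # pull request it scans; review changes to it like changes to the rules.

  trivy:
    # TODO(review): replace @main with a pinned commit SHA.
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/trivy.yml@main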