name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 4 * * 1'   # Mondays 04:00 UTC

jobs:
  semgrep:
    uses: Hellion-Forge/security-workflows/.gitea/workflows/semgrep.yml@main
    # If you need to exclude specific rules or paths, drop a .semgrep-exclude.yml
    # at the repo root. The reusable workflow honors it.

  trivy:
    uses: Hellion-Forge/security-workflows/.gitea/workflows/trivy.yml@main