# KXCO Bastion — Quantum Vulnerability Scan
# Uses the official KXCO Bastion GitHub Action.
#
# Setup (2 steps):
# 1. Create an API key at pqc.kxco.ai/dashboard/api-keys (Starter plan and above)
# 2. Add it as KXCO_TOKEN: repo Settings → Secrets → Actions → New secret
#
# The action auto-detects: package.json, requirements.txt, go.mod, Gemfile,
# Cargo.toml, pom.xml, Dockerfile, *.tf, and k8s/*.yml
#
# Results: ML-DSA-65 attested report as PR comment + CycloneDX 1.6 CBOM download.

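name: KXCO Bastion Scan

# NOTE: on pull_request runs that come from forks, GitHub does not expose
# repository secrets, so KXCO_TOKEN is empty there — confirm how the action
# behaves without a token (the Download CBOM step below is skipped when the
# action emits no cbom-url).
on:
  pull_request:
  push:
    branches:
      - main
      - master
  workflow_dispatch:

# Least privilege: the scan only reads the tree; the single write scope is
# needed for the PR comment and can be dropped together with post-comment.
permissions:
  contents: read
  pull-requests: write   # for PR comments — remove if not wanted

jobs:
  bastion:
    name: KXCO Bastion — quantum vulnerability scan
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          # The scan only needs to read manifests; do not leave the job
          # token in .git/config where later third-party steps could read it.
          persist-credentials: false

      # Third-party action: prefer pinning to a full-length commit SHA
      # (uses: JackKXCO/bastion-action@<commit-sha>) instead of the mutable
      # v1 tag, so a retagged release cannot silently change what runs with
      # access to KXCO_TOKEN.
      - uses: JackKXCO/bastion-action@v1
        id: bastion
        with:
          kxco-token: ${{ secrets.KXCO_TOKEN }}
          fail-on: critical        # change to 'high' to be stricter
          post-comment: true

      # Optional: save the CBOM as a build artifact.
      # The URL and token are passed through `env` instead of being expanded
      # into the script text, so an unexpected output value is treated as data
      # by the shell rather than as part of the command line.
      - name: Download CBOM
        if: always() && steps.bastion.outputs.cbom-url != ''
        env:
          CBOM_URL: ${{ steps.bastion.outputs.cbom-url }}
          KXCO_TOKEN: ${{ secrets.KXCO_TOKEN }}
        run: |
          # Only send the bearer token over HTTPS.
          case "$CBOM_URL" in
            https://*) ;;
            *)
              echo "::warning::CBOM URL is not https, skipping download"
              exit 0
              ;;
          esac
          # Best-effort download (the job does not fail on a download error),
          # but log the error and remove any partial or empty file so the
          # hashFiles() gate on the upload step does not publish a broken CBOM.
          if ! curl -sSf \
                 -H "Authorization: Bearer $KXCO_TOKEN" \
                 -o bastion-cbom.json \
                 "$CBOM_URL"; then
            echo "::warning::CBOM download failed"
            rm -f bastion-cbom.json
          fi

      - uses: actions/upload-artifact@v4
        if: always() && hashFiles('bastion-cbom.json') != ''
        with:
          name: kxco-bastion-cbom
          path: bastion-cbom.json
          retention-days: 30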
