name: Bundler Audit
on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
    paths:
      - 'Gemfile*'
      - '.ruby-version'
      - '.github/workflows/bundler-audit.yml'

  pull_request:
    paths:
      - 'Gemfile*'
      - '.ruby-version'
      - '.github/workflows/bundler-audit.yml'

  schedule:
    - cron: '0 5 * * 1'

jobs:
  security:
    runs-on: ubuntu-latest

    env:
      BUNDLE_ONLY: development

    steps:
      - name: Clone repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Ruby
        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1
        with:
          bundler-cache: true

      - name: Run bundler-audit
        run: bin/bundler-audit check --update