---
# Nightly and on-demand vulnerability scan. The scan itself is delegated to
# the repository's reusable Trivy workflow, called by the job below.
name: Vulnerability Scan

on:
  # manual runs (Actions tab or API)
  workflow_dispatch:
  schedule:
    # every night at 04:00 UTC
    - cron: "0 4 * * *"

# Workflow-level GITHUB_TOKEN scopes; any scope not listed here is not granted.
permissions:
  contents: read
  security-events: write

jobs:
  trivy-scan:
    # Scheduled runs are skipped outside eclipse-hawkbit/hawkbit, so forks do
    # not scan nightly; a manual dispatch runs in any repository.
    if: >-
      github.repository == 'eclipse-hawkbit/hawkbit' ||
      github.event_name == 'workflow_dispatch'
    uses: ./.github/workflows/reusable_workflow_trivy-scan.yaml
    # Scopes for this job. A called reusable workflow can keep or reduce
    # these scopes but cannot raise them, so this is its upper bound.
    # security-events: write is the scope for writing code scanning results;
    # presumably needed only when `upload` is true (confirm in the called
    # workflow). It is granted on every run, including non-upload ones.
    permissions:
      contents: read
      security-events: write
    with:
      # ref handed to the called workflow: the ref this run was triggered on
      ref: "${{ github.ref }}"
      # true only for runs on master; false for runs on any other ref
      upload: "${{ github.ref == 'refs/heads/master' }}"