name: Security
on:
  push:
    branches:
      - master
  pull_request:
    types: [ opened, synchronize ]
# When a new revision is pushed to a PR, cancel all in-progress CI runs for that
# PR. See https://docs.github.com/en/actions/using-jobs/using-concurrency
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
jobs:
  nancy:
    strategy:
      matrix:
        go: ["1.21"] # nancy is a little flaky
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go }}
      - run: go mod download && go list -json -deps all > go.list
      - uses: sonatype-nexus-community/nancy-github-action@main