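# Nightly OWASP ZAP baseline scan of the staging site. Findings are reported,
# not enforced (fail_action is false), and the HTML report is kept as an
# artifact for 30 days.
name: OWASP ZAP DAST

on:
  schedule:
    - cron: "0 3 * * *" # Nightly at 3am UTC
  workflow_dispatch:

# Explicit token scope instead of the repository default.
# issues: write is only for the ZAP action's default behaviour of filing its
# findings as a GitHub issue; drop it if issue writing is turned off.
permissions:
  contents: read
  issues: write

# Do not set GIT_SSL_NO_VERIFY or NODE_TLS_REJECT_UNAUTHORIZED=0 at workflow
# level: they switch off certificate validation for git and for every
# Node-based action in the job (checkout, artifact upload), so an intercepted
# connection to the forge or the artifact service would go unnoticed.
# If the staging host presents a certificate from a private CA, make that CA
# trusted by the scanner rather than disabling verification for all steps.

jobs:
  zap-baseline:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: ZAP Baseline Scan
        # NOTE(review): the other two actions are pinned to a commit SHA, this
        # one to a mutable tag. Pin it to the full commit SHA behind v0.12.0 so
        # the code that receives the staging URL cannot change under the tag.
        uses: zaproxy/action-baseline@v0.12.0
        with:
          # NOTE(review): nothing in this workflow starts a service on
          # localhost:5174, so the fallback only produces a useful scan if
          # something else provides it; confirm STAGING_URL is always set.
          target: ${{ secrets.STAGING_URL || 'http://localhost:5174' }}
          rules_file_name: .zap/rules.tsv
          # Report-only mode: alerts never fail the job, so someone has to read
          # the report for this scan to have any effect.
          fail_action: false
          artifact_name: zap-report

      - name: Upload ZAP report
        # Runs even when an earlier step failed, so a partial report is kept.
        if: always()
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          # NOTE(review): the scan step is also given artifact_name zap-report.
          # upload-artifact v4 refuses a second artifact with a name that
          # already exists in the run; confirm the two uploads do not collide.
          name: zap-report
          path: report_html.html
          retention-days: 30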