devsecops-main.yml

name: DevSecOps Main Pipeline

on:
  push:
    branches: [ main, devsecops, k8s ]
    paths-ignore:
      - '**.md'
      - '.gitignore'
      - 'LICENSE'
      - 'screenshots/**'
      - 'scripts/**'

permissions:
  id-token: write
  contents: read
  security-events: write

jobs:
  # ============================================================
  # STAGE 1: CI - Security Scanning (SAST + SCA)
  # ============================================================
  ci:
    uses: ./.github/workflows/ci.yml
    secrets: inherit

  # ============================================================
  # STAGE 2: Build - Maven + Trivy + ECR Push
  # ============================================================
  build:
    needs: ci
    uses: ./.github/workflows/build.yml
    secrets: inherit

  # ============================================================
  # STAGE 3: CD - Deploy + DAST
  # ============================================================
  cd:
    needs: build
    uses: ./.github/workflows/cd.yml
    secrets: inherit