# .github/workflows/cbx-audit.yml
# Run cbx audit aws on every pull request.
# A non-zero exit code from the audit step fails the check. It only BLOCKS the
# merge if branch protection / a ruleset on main lists this check as required.
#
# cbx audit aws reads a LIVE AWS account and grounds findings by running a local
# LLM CLI (claude or codex). The runner therefore needs:
#   - AWS credentials (configured below via OIDC; the tool reads the account,
#     so a read-only role should suffice — confirm against its documented
#     permission needs and do not grant more)
#   - the chosen LLM CLI (claude or codex) installed AND authenticated on PATH
#   - outbound network reachability to api.cloudbooster.io
# Be aware that details of your AWS account leave the runner: findings are
# handed to the grounding CLI (and whatever LLM backend it talks to), the tool
# talks to api.cloudbooster.io, and the audit output lands in the job log.
# Confirm that is acceptable for the account before enabling this in CI.
# Many teams run live-account audits from a workstation instead of CI.
#
# Copy this file into your repository at .github/workflows/cbx-audit.yml.

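name: cbx audit

on:
  pull_request:
    branches: [main]
    # `pull_request` (not `pull_request_target`) runs fork PRs WITHOUT secrets
    # and without an OIDC token, so for a fork PR this job fails at the AWS
    # step instead of exposing the audit role. Switching to
    # `pull_request_target` would hand secrets and the OIDC token to
    # fork-triggered runs; do not do that without reviewing what the job runs.

# Least-privilege token for the whole workflow.
# id-token: write lets the job mint a GitHub OIDC token. The IAM role's trust
# policy MUST condition on the token's `sub` claim (this repository, and
# ideally the pull_request event) — otherwise any GitHub repository can assume
# the role. contents: read is needed only for the checkout step.
permissions:
  id-token: write   # for AWS OIDC
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    # The audit calls an LLM CLI and a remote API; cap the job so a hung call
    # cannot hold the runner (and the assumed role session) for GitHub's
    # 6-hour default. Adjust to the size of your account.
    timeout-minutes: 30
    steps:
      # Consider pinning third-party actions to a full commit SHA instead of a
      # moving tag (@v4), so a moved tag upstream cannot change what runs with
      # this job's AWS credentials.
      - name: Checkout repository
        uses: actions/checkout@v4

      # Supply-chain caveat: this fetches an unpinned installer over HTTPS and
      # executes it on every PR. Pin the installer / cbx version and verify a
      # checksum or signature if the vendor publishes one, or vendor the binary
      # into your own artifact store.
      - name: Install cbx-cli
        run: |
          curl -fsSL https://install.cloudbooster.io | sh
          echo "$HOME/.cbx/bin" >> "$GITHUB_PATH"

      # Install and authenticate the grounding LLM CLI (claude or codex) here.
      # The CLI owns its own auth; pass its credential via `env:` from a repo
      # secret (never echo it or write it into the checkout). Findings handed
      # to the CLI for grounding reach whatever LLM backend that CLI uses —
      # confirm that is acceptable for data about this account.

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_AUDIT_ROLE_ARN }}
          aws-region: us-east-1
          # Name the session after the PR so CloudTrail attributes the audit's
          # API calls to a specific run rather than a generic session.
          role-session-name: cbx-audit-pr-${{ github.event.pull_request.number }}

      - name: Run cbx audit aws
        run: cbx audit aws --region us-east-1 --no-tui --strict -o json
        # Exit-code gating:
        #   - exit 0  → no findings at/above the strict threshold; check passes
        #   - non-0   → findings detected; check fails
        # continue-on-error is NOT set, so the step failure fails the check.
        # NOTE: a failed check blocks merging only if branch protection / a
        # ruleset on main marks this check as required.
        # As written the JSON output appears to go to stdout, i.e. into the job
        # log, which anyone with read access to the repository can view (on a
        # public repository: everyone). Treat findings about a live account
        # accordingly.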
