{{- if .Values.pipeline.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: amp-security-pipeline-v1.0.0
spec:
  templates:
    - name: scan-socketdev
      metadata:
        annotations:
          secrets.infisical.com/auto-reload: "true"
      initContainers:
        - name: wait-for-infisical
          image: alpine:3.20
          command:
            - sh
            - -c
          args:
            - until [ -n "${SOCKETDEV_TOKEN:-}" ]; do sleep 2; done
      container:
        image: socketdev/socketcli:latest
        command:
          - sh
          - -c
        args:
          - |
            set -eu
            mkdir -p /workspace/reports
            socketdev scan /workspace --format json --output /workspace/reports/socketdev.json || true
      volumeMounts:
        - name: workspace
          mountPath: /workspace
{{- end }}