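{{- define "template.workflow.security-pipeline.tasks" -}}
{{- /*
DAG task list for the security pipeline: clone -> scanners -> enforce-policy,
plus optional upload-* tasks that fan out from the scanner results.
Expected to be included under a `tasks:` key (with nindent) so the `- name:`
entries land at the caller's list indentation.
The backtick-quoted `{{workflow.parameters.*}}` expressions are Argo
parameter references; `quote` emits them as YAML strings so Helm passes them
through untouched for Argo to resolve at run time.
*/ -}}
- name: clone
  template: clone-repo
  arguments:
    parameters:
      - name: repo-url
        value: {{ `{{workflow.parameters.repo-url}}` | quote }}
      - name: git-revision
        value: {{ `{{workflow.parameters.git-revision}}` | quote }}
- name: scanners
  dependencies:
    - clone
  template: parallel-scanners
  arguments:
    parameters:
      - name: working-dir
        value: {{ `{{workflow.parameters.working-dir}}` | quote }}
# The policy gate: fail-on-cvss is the threshold the enforce-policy template
# applies to the aggregated scanner findings.
- name: enforce-policy
  dependencies:
    - scanners
  template: enforce-policy
  arguments:
    parameters:
      - name: fail-on-cvss
        value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
{{- if .Values.storage.enabled }}
# Upload tasks depend on `scanners`, not on `enforce-policy`, so a policy
# failure does not block retention of the scan evidence.
- name: upload-storage
  dependencies:
    - scanners
  template: upload-storage
{{- end }}
{{- if .Values.defectdojo.enabled }}
- name: upload-defectdojo
  dependencies:
    - scanners
  template: upload-defectdojo
{{- end }}
{{- end }}

{{- define "template.workflow.parallel-scanners.tasks" -}}
{{- /*
Scanner fan-out is data-driven from pipeline.scanners in values.yaml: one DAG
task per scanner, each calling the `scan-<name>` template.
Rendering fails fast on an empty scanner list: a fan-out with no scanners
would otherwise render silently, producing a pipeline that scans nothing.
Task name and template reference are quoted so a scanner name that looks like
a YAML boolean/number (e.g. "no", "1.10") is not retyped by the YAML parser.
*/ -}}
{{- if not .Values.pipeline.scanners }}
{{- fail "pipeline.scanners must list at least one scanner (an empty list renders a scanner fan-out with no tasks)" }}
{{- end }}
{{- range $scanner := .Values.pipeline.scanners }}
- name: {{ $scanner | quote }}
  template: {{ printf "scan-%s" $scanner | quote }}
  arguments:
    parameters:
      - name: working-dir
        value: {{ `{{inputs.parameters.working-dir}}` | quote }}
{{- end }}
{{- end }}

{{- define "template.workflow.named-templates" -}}
{{- /*
Keep the main workflow file focused on orchestration; implementations are
included here. One `template.scan-<name>` include per configured scanner,
the optional upload templates gated by the same enabled flags as their DAG
tasks, and enforce-policy always. clone-repo and parallel-scanners are not
included here — presumably defined alongside the main workflow; verify.
Inside `range`, `.` is the scanner name, so the root context `$` is passed
to the include explicitly.
*/ -}}
{{- range $scanner := .Values.pipeline.scanners }}
{{ include (printf "template.scan-%s" $scanner) $ }}
{{- end }}
{{- if .Values.storage.enabled }}
{{ include "template.upload-storage" . }}
{{- end }}
{{- if .Values.defectdojo.enabled }}
{{ include "template.upload-defectdojo" . }}
{{- end }}
{{ include "template.enforce-policy" . }}
{{- end }}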