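# CI workflow: runs the AgentShield scanner over the repository on pushes and
# pull requests that target main. The scan is advisory only (see the last step).
name: AgentShield Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Prevent duplicate runs
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Minimal permissions
permissions:
  contents: read

jobs:
  agentshield:
    name: AgentShield Scan
    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:
      # NOTE(review): both actions are referenced by a mutable major-version
      # tag. Pinning each to a full commit SHA keeps the executed code from
      # changing without a reviewed edit to this file.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step uses git credentials, so do not leave the job token
          # in .git/config where the npx-installed package could read it.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'

      - name: Run AgentShield security scan
        # NOTE(review): no install step or lockfile precedes this, so npx
        # fetches whatever version of ecc-agentshield the registry currently
        # serves and runs it in the checked-out workspace. Pin a reviewed
        # release (ecc-agentshield@<reviewed-version>) to make runs repeatable.
        run: npx ecc-agentshield scan --path . --min-severity medium --format terminal
        # continue-on-error keeps the job green even when the scan reports
        # findings or fails to run; results are visible only in the step log.
        continue-on-error: true  # Informational only — ECC contains intentional config examples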