name: AgentShield Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Prevent duplicate runs
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Minimal permissions
permissions:
  contents: read

jobs:
  agentshield:
    name: AgentShield Scan
    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run AgentShield Security Scan
        uses: affaan-m/agentshield@v1
        with:
          path: '.'
          min-severity: 'medium'
          format: 'terminal'
          fail-on-findings: 'false'