05 CI/CD
GitHub Action integration
Add security scanning to your CI pipeline. Uploaded SARIF results appear as code-scanning alerts in the repository's GitHub Security tab; the upload requires the `security-events: write` token permission declared in the workflow below.
.github/workflows/security.yml
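---
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least-privilege token: upload-sarif needs security-events:write and nothing
# here writes repository contents. Pull requests opened from forks run with a
# read-only GITHUB_TOKEN regardless of this block, so the upload step cannot
# publish alerts for those PRs.
permissions:
  security-events: write
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Prefer pinning third-party actions to a full commit SHA rather than a
      # moving tag (v4 / v3), so a retagged action cannot change what runs here.
      - uses: actions/checkout@v4
        with:
          # Full history is needed for the --diff scan to resolve the
          # changed-file set against the base branch.
          fetch-depth: 0

      # An unpinned install resolves to whatever "latest" is at run time, which
      # makes the scanner itself a supply-chain variable. Pin an exact version
      # (npm install -g @vexlit/cli@<version>) once you have chosen one.
      - name: Install VEXLIT
        run: npm install -g @vexlit/cli

      # Push to main: scan the whole tree. --fail-on critical makes this step
      # (and therefore the job) fail when a critical finding exists; the SARIF
      # report is still written to results.sarif and uploaded by the always()
      # step below.
      - name: Full scan (push to main)
        if: github.event_name == 'push'
        run: vexlit scan . --sarif --fail-on critical > results.sarif

      # Pull request: scan only files changed by the PR, with a stricter
      # threshold (warning) than the push scan.
      - name: Diff scan (pull request)
        if: github.event_name == 'pull_request'
        run: vexlit scan --diff --sarif --fail-on warning > results.sarif

      # always(): upload even when the scan step failed on findings. The
      # hashFiles() guard skips the upload when no report was produced (e.g. the
      # install step failed) instead of adding a second, misleading failure.
      - name: Upload SARIF
        if: always() && hashFiles('results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif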
Inputs

| Flag | Values / meaning |
|---|---|
| `--fail-on` | `critical` \| `warning` \| `info` — exit non-zero when a finding at or above this severity is present |
| `--diff` | Scan only the files git reports as changed |
| `--sarif` | Emit SARIF output |
| `--format` | `table` \| `json` \| `sarif` |

Outputs

| Name | Meaning |
|---|---|
| `total` | Total vulnerabilities found |
| `critical` | Count of critical-severity findings |
| `sarif-file` | Path of the SARIF output file |