feat: add security triage gate for issue safety before agent processing (#734)

New issues are triaged by the security team before other workflows can act on them. The triage agent checks for prompt injection, social engineering, spam, and unsafe payloads — marking safe issues with `safe-to-work`, closing malicious ones, or flagging unclear ones for human review. Discovery and refactor workflows now require the `safe-to-work` label in addition to their existing label requirements. Co-authored-by: Sprite <noreply@sprites.dev> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-29 04:19:30 +00:00 · 2026-02-12 14:23:33 -08:00 · 2026-02-12 14:23:33 -08:00 · 4924a7d5db
commit 4924a7d5db
parent 4d175ae6c7
4 changed files with 114 additions and 15 deletions
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@ -33,10 +33,7 @@ jobs:
  review:
    runs-on: ubuntu-latest
    timeout-minutes: 30
-    # Only trigger on team-building issues (or PR/schedule/manual)
-    if: >-
-      github.event_name != 'issues' ||
-      contains(github.event.issue.labels.*.name, 'team-building')
+    # Trigger on ALL issues (triage or team-building) plus PR/schedule/manual
    steps:
      - name: Trigger security review
        env:
@ -53,8 +50,12 @@ jobs:
            REASON="pull_request"
            ISSUE_NUM="${{ github.event.pull_request.number }}"
          elif [ "${{ github.event_name }}" = "issues" ]; then
-            REASON="team_building"
            ISSUE_NUM="${{ github.event.issue.number }}"
+            if [ "${{ contains(github.event.issue.labels.*.name, 'team-building') }}" = "true" ]; then
+              REASON="team_building"
+            else
+              REASON="triage"
+            fi
          elif [ "${{ github.event_name }}" = "schedule" ]; then
            # Distinguish between cron schedules:
            # '0 6 * * *' = daily scan, '0 */6 * * *' = hygiene every 6h