feat: consolidate security review_all and scan into single 20-min cycle (#802)

The two scheduled modes (review_all every 15 min, scan every 30 min) competed for MAX_CONCURRENT=1 on the trigger server, causing 429 drops and 30-55+ min gaps. Merge both into a single cycle that runs every 20 min, prioritizing PR review but also performing lightweight repo scanning when capacity allows (≤5 open PRs). Also prevents refactor agents from closing issues manually — issues now auto-close via `Fixes #N` in the PR body when merged. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-30 04:49:33 +00:00 · 2026-02-12 20:29:56 -08:00 · 2026-02-12 20:29:56 -08:00 · 56c4c020d5
commit 56c4c020d5
parent 8bcdb59c09
3 changed files with 87 additions and 47 deletions
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@ -4,10 +4,8 @@ on:
  issues:
    types: [opened, reopened]
  schedule:
-    # Batch PR security review + hygiene — every 15 min
-    - cron: '*/15 * * * *'
-    # Full repo security scan — every 30 min (offset +5)
-    - cron: '5,35 * * * *'
+    # Consolidated review + scan — every 20 min
+    - cron: '*/20 * * * *'
  workflow_dispatch:
    inputs:
      mode:
@ -20,7 +18,7 @@ on:
          - scan

 concurrency:
-  group: security-${{ github.event_name == 'issues' && format('issue-{0}', github.event.issue.number) || github.event_name == 'schedule' && github.event.schedule || 'manual' }}
+  group: security-${{ github.event_name == 'issues' && format('issue-{0}', github.event.issue.number) || 'scheduled' }}
  cancel-in-progress: true

 jobs:
@ -47,15 +45,7 @@ jobs:
              REASON="triage"
            fi
          elif [ "${{ github.event_name }}" = "schedule" ]; then
-            # Distinguish between cron schedules by their cron string
-            CRON="${{ github.event.schedule }}"
-            if [ "$CRON" = "*/15 * * * *" ]; then
-              REASON="review_all"
-            elif [ "$CRON" = "5,35 * * * *" ]; then
-              REASON="schedule"
-            else
-              REASON="schedule"
-            fi
+            REASON="review_all"
            ISSUE_NUM=""
          elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            MODE="${{ github.event.inputs.mode || 'review_all' }}"