name: Security Review on: issues: types: [opened, reopened, labeled] schedule: - cron: '*/5 * * * *' workflow_dispatch: concurrency: group: security-${{ github.event_name == 'issues' && format('issue-{0}', github.event.issue.number) || 'scheduled' }} cancel-in-progress: false jobs: review: runs-on: ubuntu-latest timeout-minutes: 40 # Only trigger on issues with safe-to-work AND (team-building or security) labels, or schedule/manual if: >- github.event_name != 'issues' || (contains(github.event.issue.labels.*.name, 'safe-to-work') && (contains(github.event.issue.labels.*.name, 'team-building') || contains(github.event.issue.labels.*.name, 'security'))) steps: - name: Trigger security review env: SPRITE_URL: ${{ secrets.SECURITY_SPRITE_URL }} TRIGGER_SECRET: ${{ secrets.SECURITY_TRIGGER_SECRET }} run: | if [ -z "$SPRITE_URL" ] || [ -z "$TRIGGER_SECRET" ]; then echo "Security review secrets not configured — skipping" exit 0 fi set +e # --fail-with-body: exit 22 on HTTP errors but still print the body # -N: no output buffering (stream chunks in real-time) # --max-time: hard cap matching the Sprite's cycle timeout + grace curl -sSN --http1.1 --fail-with-body --max-time 2700 -X POST \ "${SPRITE_URL}/trigger?reason=${{ github.event_name }}&issue=${{ github.event.issue.number || '' }}" \ -H "Authorization: Bearer ${TRIGGER_SECRET}" CURL_EXIT=$? set -e if [ "$CURL_EXIT" -eq 0 ]; then echo "" echo "=== Security review completed ===" elif [ "$CURL_EXIT" -eq 22 ]; then # HTTP error — body was already printed above (429 = already running, 409 = dedup, etc.) echo "" echo "=== Trigger returned HTTP error (see output above) ===" else echo "" echo "=== curl failed (exit=$CURL_EXIT) ===" exit 1 fi