name: Security Review

on:
  issues:
    types: [opened, reopened, labeled]
  schedule:
    - cron: '*/30 * * * *'
  workflow_dispatch:

jobs:
  review:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # Only trigger on issues with safe-to-work AND (team-building or security) labels, or schedule/manual
    if: >-
      github.event_name != 'issues' ||
      (contains(github.event.issue.labels.*.name, 'safe-to-work') &&
       (contains(github.event.issue.labels.*.name, 'team-building') ||
        contains(github.event.issue.labels.*.name, 'security')))
    steps:
      - name: Trigger security review
        env:
          SPRITE_URL: ${{ secrets.SECURITY_SPRITE_URL }}
          TRIGGER_SECRET: ${{ secrets.SECURITY_TRIGGER_SECRET }}
        run: |
          if [ -z "$SPRITE_URL" ] || [ -z "$TRIGGER_SECRET" ]; then
            echo "Security review secrets not configured — skipping"
            exit 0
          fi

          curl -sS --fail-with-body -X POST \
            "${SPRITE_URL}/trigger?reason=${{ github.event_name }}&issue=${{ github.event.issue.number || '' }}" \
            -H "Authorization: Bearer ${TRIGGER_SECRET}"