mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-08 10:09:30 +00:00
f69f95c7c7
Move mode-detection logic from the GitHub Actions workflow into security.sh where it belongs. The workflow now passes github.event_name directly as the reason parameter (like discovery.yml and refactor.yml), and security.sh uses `gh issue view` to check labels when reason=issues. - Remove 25-line if/elif/else reason-mapping block from security.yml - Remove workflow_dispatch mode input (server-side handles it) - Add `if:` label guard for issues (safe-to-work + team-building/security) - Add `labeled` to issue trigger types - Set cancel-in-progress: false (prevents killing long review_all runs) - Bump cron to */5 - Handle schedule/workflow_dispatch → review_all in security.sh - Keep backwards compat for direct team_building/triage reasons Co-authored-by: Security Reviewer <security-reviewer@spawn.dev> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
56 lines
2.1 KiB
YAML
56 lines
2.1 KiB
YAML
name: Security Review
|
|
|
|
on:
|
|
issues:
|
|
types: [opened, reopened, labeled]
|
|
schedule:
|
|
- cron: '*/5 * * * *'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: security-${{ github.event_name == 'issues' && format('issue-{0}', github.event.issue.number) || 'scheduled' }}
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
review:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 40
|
|
# Only trigger on issues with safe-to-work AND (team-building or security) labels, or schedule/manual
|
|
if: >-
|
|
github.event_name != 'issues' ||
|
|
(contains(github.event.issue.labels.*.name, 'safe-to-work') &&
|
|
(contains(github.event.issue.labels.*.name, 'team-building') ||
|
|
contains(github.event.issue.labels.*.name, 'security')))
|
|
steps:
|
|
- name: Trigger security review
|
|
env:
|
|
SPRITE_URL: ${{ secrets.SECURITY_SPRITE_URL }}
|
|
TRIGGER_SECRET: ${{ secrets.SECURITY_TRIGGER_SECRET }}
|
|
run: |
|
|
if [ -z "$SPRITE_URL" ] || [ -z "$TRIGGER_SECRET" ]; then
|
|
echo "Security review secrets not configured — skipping"
|
|
exit 0
|
|
fi
|
|
|
|
set +e
|
|
# --fail-with-body: exit 22 on HTTP errors but still print the body
|
|
# -N: no output buffering (stream chunks in real-time)
|
|
# --max-time: hard cap matching the Sprite's cycle timeout + grace
|
|
curl -sSN --http1.1 --fail-with-body --max-time 2700 -X POST \
|
|
"${SPRITE_URL}/trigger?reason=${{ github.event_name }}&issue=${{ github.event.issue.number || '' }}" \
|
|
-H "Authorization: Bearer ${TRIGGER_SECRET}"
|
|
CURL_EXIT=$?
|
|
set -e
|
|
|
|
if [ "$CURL_EXIT" -eq 0 ]; then
|
|
echo ""
|
|
echo "=== Security review completed ==="
|
|
elif [ "$CURL_EXIT" -eq 22 ]; then
|
|
# HTTP error — body was already printed above (429 = already running, 409 = dedup, etc.)
|
|
echo ""
|
|
echo "=== Trigger returned HTTP error (see output above) ==="
|
|
else
|
|
echo ""
|
|
echo "=== curl failed (exit=$CURL_EXIT) ==="
|
|
exit 1
|
|
fi
|