vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-29 12:29:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
spawn/.github/workflows/security.yml
L 4924a7d5db
feat: add security triage gate for issue safety before agent processing (#734) 
New issues are triaged by the security team before other workflows can
act on them. The triage agent checks for prompt injection, social
engineering, spam, and unsafe payloads — marking safe issues with
`safe-to-work`, closing malicious ones, or flagging unclear ones for
human review. Discovery and refactor workflows now require the
`safe-to-work` label in addition to their existing label requirements.

Co-authored-by: Sprite <noreply@sprites.dev>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-12 14:23:33 -08:00

107 lines
3.9 KiB
YAML
Raw Blame History

name: Security Review
on:
pull_request:
types: [opened, synchronize, reopened]
issues:
types: [opened, reopened]
schedule:
# Full repo security scan — daily at 06:00 UTC
- cron: '0 6 * * *'
# PR hygiene (stale PR cleanup) — every 6 hours
- cron: '0 */6 * * *'
workflow_dispatch:
inputs:
mode:
description: 'Run mode: pr (needs PR number), hygiene, or scan'
required: false
default: 'scan'
type: choice
options:
- scan
- hygiene
pr_number:
description: 'PR number (only for pr mode via workflow_dispatch)'
required: false
type: string
concurrency:
group: security-${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || github.event_name == 'issues' && format('issue-{0}', github.event.issue.number) || github.event_name == 'schedule' && github.event.schedule || 'manual' }}
cancel-in-progress: true
jobs:
review:
runs-on: ubuntu-latest
timeout-minutes: 30
# Trigger on ALL issues (triage or team-building) plus PR/schedule/manual
steps:
- name: Trigger security review
env:
SPRITE_URL: ${{ secrets.SECURITY_SPRITE_URL }}
TRIGGER_SECRET: ${{ secrets.SECURITY_TRIGGER_SECRET }}
run: |
if [ -z "$SPRITE_URL" ] || [ -z "$TRIGGER_SECRET" ]; then
echo "Security review secrets not configured — skipping"
exit 0
fi
# Determine reason and issue/PR number based on trigger type
if [ "${{ github.event_name }}" = "pull_request" ]; then
REASON="pull_request"
ISSUE_NUM="${{ github.event.pull_request.number }}"
elif [ "${{ github.event_name }}" = "issues" ]; then
ISSUE_NUM="${{ github.event.issue.number }}"
if [ "${{ contains(github.event.issue.labels.*.name, 'team-building') }}" = "true" ]; then
REASON="team_building"
else
REASON="triage"
fi
elif [ "${{ github.event_name }}" = "schedule" ]; then
# Distinguish between cron schedules:
# '0 6 * * *' = daily scan, '0 */6 * * *' = hygiene every 6h
CRON="${{ github.event.schedule }}"
if [ "$CRON" = "0 6 * * *" ]; then
REASON="schedule"
else
REASON="hygiene"
fi
ISSUE_NUM=""
elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
MODE="${{ github.event.inputs.mode || 'scan' }}"
ISSUE_NUM="${{ github.event.inputs.pr_number || '' }}"
if [ -n "$ISSUE_NUM" ]; then
REASON="pull_request"
elif [ "$MODE" = "hygiene" ]; then
REASON="hygiene"
else
REASON="schedule"
fi
else
REASON="schedule"
ISSUE_NUM=""
fi
echo "Mode: reason=$REASON, issue=$ISSUE_NUM"
set +e
# --fail-with-body: exit 22 on HTTP errors but still print the body
# -N: no output buffering (stream chunks in real-time)
# --max-time: hard cap matching the Sprite's cycle timeout + grace
curl -sSN --http1.1 --fail-with-body --max-time 2700 -X POST \
"${SPRITE_URL}/trigger?reason=${REASON}&issue=${ISSUE_NUM}" \
-H "Authorization: Bearer ${TRIGGER_SECRET}"
CURL_EXIT=$?
set -e
if [ "$CURL_EXIT" -eq 0 ]; then
echo ""
echo "=== Security review completed ==="
elif [ "$CURL_EXIT" -eq 22 ]; then
# HTTP error — body was already printed above (429 = already running, 409 = dedup, etc.)
echo ""
echo "=== Trigger returned HTTP error (see output above) ==="
else
echo ""
echo "=== curl failed (exit=$CURL_EXIT) ==="
exit 1
fi
Reference in a new issue View git blame Copy permalink