mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-07 09:10:55 +00:00
15e2ca6caf
Simplify from 6 modes (Hexa-Mode) to 4 modes (Quad-Mode) by folding single-PR review and hygiene into a unified review_all mode that runs every 15 minutes. This removes the pull_request trigger entirely since review_all catches all open PRs on schedule, and absorbs staleness checks + branch cleanup into the same cycle. Remaining modes: team_building, triage, review_all, scan. Co-authored-by: Sprite <noreply@sprites.dev> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
96 lines
3.3 KiB
YAML
96 lines
3.3 KiB
YAML
name: Security Review
|
|
|
|
on:
|
|
issues:
|
|
types: [opened, reopened]
|
|
schedule:
|
|
# Batch PR security review + hygiene — every 15 min
|
|
- cron: '*/15 * * * *'
|
|
# Full repo security scan — every 30 min (offset +5)
|
|
- cron: '5,35 * * * *'
|
|
workflow_dispatch:
|
|
inputs:
|
|
mode:
|
|
description: 'Run mode: review_all (PR review + hygiene) or scan (repo audit)'
|
|
required: false
|
|
default: 'review_all'
|
|
type: choice
|
|
options:
|
|
- review_all
|
|
- scan
|
|
|
|
concurrency:
|
|
group: security-${{ github.event_name == 'issues' && format('issue-{0}', github.event.issue.number) || github.event_name == 'schedule' && github.event.schedule || 'manual' }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
review:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 40
|
|
steps:
|
|
- name: Trigger security review
|
|
env:
|
|
SPRITE_URL: ${{ secrets.SECURITY_SPRITE_URL }}
|
|
TRIGGER_SECRET: ${{ secrets.SECURITY_TRIGGER_SECRET }}
|
|
run: |
|
|
if [ -z "$SPRITE_URL" ] || [ -z "$TRIGGER_SECRET" ]; then
|
|
echo "Security review secrets not configured — skipping"
|
|
exit 0
|
|
fi
|
|
|
|
# Determine reason and issue number based on trigger type
|
|
if [ "${{ github.event_name }}" = "issues" ]; then
|
|
ISSUE_NUM="${{ github.event.issue.number }}"
|
|
if [ "${{ contains(github.event.issue.labels.*.name, 'team-building') }}" = "true" ]; then
|
|
REASON="team_building"
|
|
else
|
|
REASON="triage"
|
|
fi
|
|
elif [ "${{ github.event_name }}" = "schedule" ]; then
|
|
# Distinguish between cron schedules by their cron string
|
|
CRON="${{ github.event.schedule }}"
|
|
if [ "$CRON" = "*/15 * * * *" ]; then
|
|
REASON="review_all"
|
|
elif [ "$CRON" = "5,35 * * * *" ]; then
|
|
REASON="schedule"
|
|
else
|
|
REASON="schedule"
|
|
fi
|
|
ISSUE_NUM=""
|
|
elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
|
|
MODE="${{ github.event.inputs.mode || 'review_all' }}"
|
|
if [ "$MODE" = "review_all" ]; then
|
|
REASON="review_all"
|
|
else
|
|
REASON="schedule"
|
|
fi
|
|
ISSUE_NUM=""
|
|
else
|
|
REASON="schedule"
|
|
ISSUE_NUM=""
|
|
fi
|
|
|
|
echo "Mode: reason=$REASON, issue=$ISSUE_NUM"
|
|
|
|
set +e
|
|
# --fail-with-body: exit 22 on HTTP errors but still print the body
|
|
# -N: no output buffering (stream chunks in real-time)
|
|
# --max-time: hard cap matching the Sprite's cycle timeout + grace
|
|
curl -sSN --http1.1 --fail-with-body --max-time 2700 -X POST \
|
|
"${SPRITE_URL}/trigger?reason=${REASON}&issue=${ISSUE_NUM}" \
|
|
-H "Authorization: Bearer ${TRIGGER_SECRET}"
|
|
CURL_EXIT=$?
|
|
set -e
|
|
|
|
if [ "$CURL_EXIT" -eq 0 ]; then
|
|
echo ""
|
|
echo "=== Security review completed ==="
|
|
elif [ "$CURL_EXIT" -eq 22 ]; then
|
|
# HTTP error — body was already printed above (429 = already running, 409 = dedup, etc.)
|
|
echo ""
|
|
echo "=== Trigger returned HTTP error (see output above) ==="
|
|
else
|
|
echo ""
|
|
echo "=== curl failed (exit=$CURL_EXIT) ==="
|
|
exit 1
|
|
fi
|