spawn/.github/workflows/security.yml
Ahmed Abushagur 21eb1bf6e0
fix(agent-team): cut token spend — reduce cron frequency + downgrade team-lead to Sonnet (#3310)
Two high-impact, zero-risk changes to get daily agent team spend under $50:

1. Reduce cron frequency:
   - Security: */30 → every 4 hours (48→6 cycles/day, 87% reduction)
   - Refactor: */15 → every 2 hours (96→12 cycles/day, 87% reduction)

   Most cycles find nothing to do (no new PRs/issues). Issue-triggered runs
   (on labeled issues) still fire instantly via the `issues` event type,
   so response time to real work is unchanged. The trigger-server already
   returns 409 when a cycle is in-progress, so high cron frequency was just
   idle-polling cost.

2. Downgrade team-lead model from Opus to Sonnet:
   - Security: --model sonnet for review_all and scan modes (triage was
     already using gemini-3-flash-preview)
   - Refactor: --model sonnet

   The team lead's job is coordination — spawn teammates, monitor them,
   shut down. This is routing, not reasoning. Sonnet handles it fine and
   its output tokens are ~5x cheaper than Opus. Teammates (spawned by the
   lead) use their own model flags and are unaffected.

Combined effect: ~90% fewer cycles × ~80% cheaper per cycle on the team
lead = estimated 95%+ cost reduction on team-lead tokens alone.

Follow-up PR will trim prompt sizes (Phase 2) and consolidate security
teammates (Phase 3) per the plan, but this Phase 1 closes most of the gap.

Co-authored-by: L <6723574+louisgv@users.noreply.github.com>
2026-04-16 00:06:56 -07:00

33 lines
1.1 KiB
YAML

name: Security Review

on:
  issues:
    types: [opened, reopened, labeled]
  schedule:
    - cron: '0 */4 * * *'
  workflow_dispatch:

jobs:
  review:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # Only trigger on issues with safe-to-work AND (team-building or security) labels, or schedule/manual
    if: >-
      github.event_name != 'issues' ||
      (contains(github.event.issue.labels.*.name, 'safe-to-work') &&
      (contains(github.event.issue.labels.*.name, 'team-building') ||
      contains(github.event.issue.labels.*.name, 'security')))
    steps:
      - name: Trigger security review
        env:
          SPRITE_URL: ${{ secrets.SECURITY_SPRITE_URL }}
          TRIGGER_SECRET: ${{ secrets.SECURITY_TRIGGER_SECRET }}
        run: |
          if [ -z "$SPRITE_URL" ] || [ -z "$TRIGGER_SECRET" ]; then
            echo "Security review secrets not configured — skipping"
            exit 0
          fi
          curl -sS --fail-with-body -X POST \
            "${SPRITE_URL}/trigger?reason=${{ github.event_name }}&issue=${{ github.event.issue.number || '' }}" \
            -H "Authorization: Bearer ${TRIGGER_SECRET}"
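
Added example, not part of the spawn repository: with curl --fail-with-body, any HTTP status of 400 or above fails the step, including the 409 that the commit message says the trigger server returns while a cycle is in progress. The sketch below separates that 409 from authentication and server errors so only the latter mark the run as failed; the function names and the "2xx means a cycle started" convention are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Assumption: 2xx = cycle started, 409 = cycle already running (per the
# commit message), anything else is a real failure worth alerting on.

# classify_trigger_status CODE
# Prints started|busy|auth|error; returns 0 if the job should tolerate it.
classify_trigger_status() {
  case "$1" in
    2[0-9][0-9]) echo started; return 0 ;;
    409)         echo busy;    return 0 ;;
    401|403)     echo auth;    return 1 ;;   # wrong or missing bearer token
    *)           echo error;   return 1 ;;   # 5xx, other 4xx, 000 (no response)
  esac
}

# trigger_review URL SECRET REASON [ISSUE]
trigger_review() {
  url=$1 secret=$2 reason=$3 issue=${4:-}
  # Only digits (or empty, for schedule/manual runs) may reach the query string.
  case "$issue" in *[!0-9]*) echo "invalid issue number" >&2; return 1 ;; esac
  body=$(mktemp) || return 1
  # No --fail: capture the status code itself. curl prints 000 when the
  # request never got an HTTP response; a non-zero curl exit is mapped to 000.
  code=$(curl -sS -o "$body" -w '%{http_code}' -X POST \
    "${url}/trigger?reason=${reason}&issue=${issue}" \
    -H "Authorization: Bearer ${secret}") || code=000
  if outcome=$(classify_trigger_status "$code"); then rc=0; else rc=1; fi
  echo "trigger: HTTP ${code} (${outcome})"
  # Show the response body only on failure, mirroring --fail-with-body.
  [ "$rc" -eq 0 ] || cat "$body" >&2
  rm -f "$body"
  return "$rc"
}
```

In the workflow's run step this would be called as trigger_review "$SPRITE_URL" "$TRIGGER_SECRET" with the event name and issue number passed as the third and fourth arguments.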