mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-01 21:30:21 +00:00
56c4c020d5
The two scheduled modes (review_all every 15 min, scan every 30 min) competed for MAX_CONCURRENT=1 on the trigger server, causing 429 drops and 30-55+ min gaps. Merge both into a single cycle that runs every 20 min, prioritizing PR review but also performing lightweight repo scanning when capacity allows (≤5 open PRs). Also prevents refactor agents from closing issues manually — issues now auto-close via `Fixes #N` in the PR body when merged. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
86 lines
2.9 KiB
YAML
86 lines
2.9 KiB
YAML
name: Security Review
|
|
|
|
on:
|
|
issues:
|
|
types: [opened, reopened]
|
|
schedule:
|
|
# Consolidated review + scan — every 20 min
|
|
- cron: '*/20 * * * *'
|
|
workflow_dispatch:
|
|
inputs:
|
|
mode:
|
|
description: 'Run mode: review_all (PR review + hygiene) or scan (repo audit)'
|
|
required: false
|
|
default: 'review_all'
|
|
type: choice
|
|
options:
|
|
- review_all
|
|
- scan
|
|
|
|
concurrency:
|
|
group: security-${{ github.event_name == 'issues' && format('issue-{0}', github.event.issue.number) || 'scheduled' }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
review:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 40
|
|
steps:
|
|
- name: Trigger security review
|
|
env:
|
|
SPRITE_URL: ${{ secrets.SECURITY_SPRITE_URL }}
|
|
TRIGGER_SECRET: ${{ secrets.SECURITY_TRIGGER_SECRET }}
|
|
run: |
|
|
if [ -z "$SPRITE_URL" ] || [ -z "$TRIGGER_SECRET" ]; then
|
|
echo "Security review secrets not configured — skipping"
|
|
exit 0
|
|
fi
|
|
|
|
# Determine reason and issue number based on trigger type
|
|
if [ "${{ github.event_name }}" = "issues" ]; then
|
|
ISSUE_NUM="${{ github.event.issue.number }}"
|
|
if [ "${{ contains(github.event.issue.labels.*.name, 'team-building') }}" = "true" ]; then
|
|
REASON="team_building"
|
|
else
|
|
REASON="triage"
|
|
fi
|
|
elif [ "${{ github.event_name }}" = "schedule" ]; then
|
|
REASON="review_all"
|
|
ISSUE_NUM=""
|
|
elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
|
|
MODE="${{ github.event.inputs.mode || 'review_all' }}"
|
|
if [ "$MODE" = "review_all" ]; then
|
|
REASON="review_all"
|
|
else
|
|
REASON="schedule"
|
|
fi
|
|
ISSUE_NUM=""
|
|
else
|
|
REASON="schedule"
|
|
ISSUE_NUM=""
|
|
fi
|
|
|
|
echo "Mode: reason=$REASON, issue=$ISSUE_NUM"
|
|
|
|
set +e
|
|
# --fail-with-body: exit 22 on HTTP errors but still print the body
|
|
# -N: no output buffering (stream chunks in real-time)
|
|
# --max-time: hard cap matching the Sprite's cycle timeout + grace
|
|
curl -sSN --http1.1 --fail-with-body --max-time 2700 -X POST \
|
|
"${SPRITE_URL}/trigger?reason=${REASON}&issue=${ISSUE_NUM}" \
|
|
-H "Authorization: Bearer ${TRIGGER_SECRET}"
|
|
CURL_EXIT=$?
|
|
set -e
|
|
|
|
if [ "$CURL_EXIT" -eq 0 ]; then
|
|
echo ""
|
|
echo "=== Security review completed ==="
|
|
elif [ "$CURL_EXIT" -eq 22 ]; then
|
|
# HTTP error — body was already printed above (429 = already running, 409 = dedup, etc.)
|
|
echo ""
|
|
echo "=== Trigger returned HTTP error (see output above) ==="
|
|
else
|
|
echo ""
|
|
echo "=== curl failed (exit=$CURL_EXIT) ==="
|
|
exit 1
|
|
fi
|