vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-11 21:40:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
spawn/.github/workflows/security.yml
L f3cfe890f7
refactor: simplify trigger server to fire-and-forget + fix monitoring loop prompts (#1384) 
The trigger server streamed script stdout back to GitHub Actions via a
long-lived HTTP response, requiring --http1.1, heartbeat injection,
server.timeout(req, 0), createEnqueuer, drainStreamOutput, and 90-min
GH Actions timeouts. In practice GitHub Actions is just a dumb trigger
— the real state lives on the VM (log files, journalctl). Simplify to
fire-and-forget: spawn script, return 200 JSON immediately.

Also fix the refactor and discovery team lead monitoring loops. The
prompts buried the loop in a single compressed line that the model
ignored (doing Bash("sleep 10") repeatedly without calling TaskList).
Replace with a dedicated "Monitor Loop (CRITICAL)" section with numbered
steps, matching the security.sh pattern that actually works.

Changes:
- trigger-server.ts: remove ~150 lines of streaming code (createEnqueuer,
  drainStreamOutput, startStreamingRun, heartbeat, ReadableStream),
  replace with startFireAndForgetRun (stdout: "inherit", immediate JSON)
- All 4 workflows: simple curl POST, timeout-minutes 90→5, remove
  --http1.1/-N/--max-time/exit-code handling
- refactor.sh: add Monitor Loop (CRITICAL) section with numbered steps
- discovery-team-prompt.txt: same Monitor Loop fix
- SKILL.md: update architecture docs, remove streaming sections

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-17 10:47:52 -05:00

37 lines
1.3 KiB
YAML
Raw Blame History

name: Security Review
on:
issues:
types: [opened, reopened, labeled]
schedule:
- cron: '*/30 * * * *'
workflow_dispatch:
concurrency:
group: security-${{ github.event_name == 'issues' && format('issue-{0}', github.event.issue.number) || 'scheduled' }}
cancel-in-progress: false
jobs:
review:
runs-on: ubuntu-latest
timeout-minutes: 5
# Only trigger on issues with safe-to-work AND (team-building or security) labels, or schedule/manual
if: >-
github.event_name != 'issues' ||
(contains(github.event.issue.labels.*.name, 'safe-to-work') &&
(contains(github.event.issue.labels.*.name, 'team-building') ||
contains(github.event.issue.labels.*.name, 'security')))
steps:
- name: Trigger security review
env:
SPRITE_URL: ${{ secrets.SECURITY_SPRITE_URL }}
TRIGGER_SECRET: ${{ secrets.SECURITY_TRIGGER_SECRET }}
run: |
if [ -z "$SPRITE_URL" ] || [ -z "$TRIGGER_SECRET" ]; then
echo "Security review secrets not configured — skipping"
exit 0
fi
curl -sS --fail-with-body -X POST \
"${SPRITE_URL}/trigger?reason=${{ github.event_name }}&issue=${{ github.event.issue.number || '' }}" \
-H "Authorization: Bearer ${TRIGGER_SECRET}"
Reference in a new issue View git blame Copy permalink