vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-02 22:00:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
spawn/.github/workflows/security.yml
L 0a0512652a
chore: reduce workflow cron frequencies (#1046) 
- discovery: every 30 min → every 3 days
- refactor: every 5 min → hourly
- security: every 5 min → every 30 min

Co-authored-by: Security Reviewer <security-reviewer@spawn.dev>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-13 18:55:40 -08:00

56 lines
2.1 KiB
YAML
Raw Blame History

name: Security Review
on:
issues:
types: [opened, reopened, labeled]
schedule:
- cron: '*/30 * * * *'
workflow_dispatch:
concurrency:
group: security-${{ github.event_name == 'issues' && format('issue-{0}', github.event.issue.number) || 'scheduled' }}
cancel-in-progress: false
jobs:
review:
runs-on: ubuntu-latest
timeout-minutes: 40
# Only trigger on issues with safe-to-work AND (team-building or security) labels, or schedule/manual
if: >-
github.event_name != 'issues' ||
(contains(github.event.issue.labels.*.name, 'safe-to-work') &&
(contains(github.event.issue.labels.*.name, 'team-building') ||
contains(github.event.issue.labels.*.name, 'security')))
steps:
- name: Trigger security review
env:
SPRITE_URL: ${{ secrets.SECURITY_SPRITE_URL }}
TRIGGER_SECRET: ${{ secrets.SECURITY_TRIGGER_SECRET }}
run: |
if [ -z "$SPRITE_URL" ] || [ -z "$TRIGGER_SECRET" ]; then
echo "Security review secrets not configured — skipping"
exit 0
fi
set +e
# --fail-with-body: exit 22 on HTTP errors but still print the body
# -N: no output buffering (stream chunks in real-time)
# --max-time: hard cap matching the Sprite's cycle timeout + grace
curl -sSN --http1.1 --fail-with-body --max-time 2700 -X POST \
"${SPRITE_URL}/trigger?reason=${{ github.event_name }}&issue=${{ github.event.issue.number || '' }}" \
-H "Authorization: Bearer ${TRIGGER_SECRET}"
CURL_EXIT=$?
set -e
if [ "$CURL_EXIT" -eq 0 ]; then
echo ""
echo "=== Security review completed ==="
elif [ "$CURL_EXIT" -eq 22 ]; then
# HTTP error — body was already printed above (429 = already running, 409 = dedup, etc.)
echo ""
echo "=== Trigger returned HTTP error (see output above) ==="
else
echo ""
echo "=== curl failed (exit=$CURL_EXIT) ==="
exit 1
fi
Reference in a new issue View git blame Copy permalink