fix-security-vulnerability.yml
49 lines (42 loc) · 1.88 KB
name: Fix Security Vulnerability

on:
  workflow_dispatch:
    inputs:
      alert:
        description: 'Dependabot alert number or URL (e.g. 1046 or https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
        required: true

concurrency:
  group: fix-security-vuln-${{ github.event.inputs.alert }}
  cancel-in-progress: false

jobs:
  fix-vulnerability:
    runs-on: ubuntu-latest
    environment: ci-triage
    permissions:
      contents: write
      pull-requests: write
      security-events: read
      issues: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: develop

      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: |
            /fix-security-vulnerability ${{ github.event.inputs.alert }}

            IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.

            If you can fix the vulnerability:
            Create a branch named fix/security-<alert-number>, apply the fix, and open a PR with your analysis
            in the PR description. Target the develop branch.

            If you determine the alert should NOT be fixed:
            Do NOT dismiss the alert. Instead, open a GitHub issue with:
            - Title: "Security: Dismiss Dependabot alert #<number> - <package-name>"
            - Label: "Security"
            - Body: Include the full vulnerability details, your analysis,
              the recommended dismissal reason, and why the alert cannot/should not be fixed.
          claude_args: |
            --max-turns 20 --allowedTools "Bash(gh api repos/getsentry/sentry-javascript/dependabot/alerts/*),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git checkout *),Bash(git add *),Bash(git commit *),Edit,Write"
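The `--allowedTools` string above is the part of this workflow a reviewer most wants to reason about: it is the allow-list that bounds what the agent may run on a runner holding `contents: write` and `pull-requests: write`. The following Python is an added example for auditing such a list; it is not part of the sentry-javascript repository or of claude-code-action. Its matching semantics are an assumption: each `Bash(<pattern>)` entry is treated as a shell-style glob (Python's `fnmatch`) applied to the whole command line, and bare names such as `Edit` and `Write` are non-shell tools. The allow-list string is a constructed copy of the one in the workflow.

```python
"""Lint the --allowedTools allow-list of an anthropics/claude-code-action step.

Added example, not code from the sentry-javascript workflow or from
claude-code-action. Assumption: a Bash(<pattern>) entry is a shell-style glob
matched against the full command line; other entries are non-shell tools.
"""
import fnmatch
import re

# Constructed copy of the allow-list string from the workflow above.
ALLOWED_TOOLS = (
    "Bash(gh api repos/getsentry/sentry-javascript/dependabot/alerts/*),"
    "Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),"
    "Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),"
    "Bash(git checkout *),Bash(git add *),Bash(git commit *),Edit,Write"
)

_BASH_ENTRY = re.compile(r"^Bash\((.*)\)$")


def split_entries(spec):
    """Split on commas that sit outside parentheses, so a glob may contain ','."""
    entries, current, depth = [], [], 0
    for ch in spec:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def parse_allowed_tools(spec):
    """Return (bash_globs, other_tools) for a --allowedTools value."""
    bash_globs, other_tools = [], []
    for entry in split_entries(spec):
        match = _BASH_ENTRY.match(entry)
        if match:
            bash_globs.append(match.group(1))
        else:
            other_tools.append(entry)
    return bash_globs, other_tools


def command_allowed(command, bash_globs):
    """True if the command line matches at least one Bash(...) glob."""
    return any(fnmatch.fnmatchcase(command, g) for g in bash_globs)


def audit_globs(bash_globs):
    """Classify each glob by how much of the command line it actually pins down.

    Returns a list of (glob, verdict) pairs; the literal text before the first
    '*' is what the entry fixes, everything after it is left to the agent.
    """
    findings = []
    for g in bash_globs:
        fixed = g.split("*", 1)[0]
        if not fixed.strip():
            findings.append((g, "unrestricted: any shell command"))
        elif "*" not in g:
            findings.append((g, "exact command"))
        elif fixed.rstrip().count(" ") == 0:
            # Only the program name is fixed: every subcommand and flag is open.
            findings.append((g, "program only: any subcommand or flag"))
        else:
            findings.append((g, "subcommand pinned; trailing arguments and flags open"))
    return findings


if __name__ == "__main__":
    globs, tools = parse_allowed_tools(ALLOWED_TOOLS)
    print("non-shell tools:", tools)
    for glob, verdict in audit_globs(globs):
        print(f"{glob!r:70} {verdict}")
```

Running the audit shows that every `Bash` entry in this workflow pins at least a subcommand (`gh pr create`, `git commit`, `yarn install`) and none reduces to a bare program name or `*`, which is the shape a reviewer should expect from a least-privilege list. It also makes one caveat concrete: a trailing `*` admits any further arguments, so the `gh api .../dependabot/alerts/*` glob matches a read of alert 1046 and would equally match a call to the same path carrying extra flags. The glob therefore does not encode the prompt's "Do NOT dismiss any alerts" rule; what keeps alert state from being changed is the token the `gh` calls run with lacking write access to security events, which is what the job's `security-events: read` line declares for `GITHUB_TOKEN`. Tool allow-lists bound the surface, the permissions block bounds the blast radius, and both lines deserve review when either is edited.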