From 92d061226c24286049063c79a54ec52d10035d1b Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Tue, 31 Mar 2026 10:19:15 +0300
Subject: [PATCH 1/6] fix: allow Dependabot as bot actor in dependency review
---
 .github/workflows/claude-code-dependency-review.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 45ed9ed..48ea5a3 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -53,6 +53,7 @@ jobs:
 with:
 github_token: ${{ github.token }}
 use_vertex: "true"
+ allowed_bots: "dependabot[bot]"
 plugin_marketplaces: https://github.com/scality/agent-hub
 plugins: scality-skills@scality-agent-hub
 prompt: "/review-dependency-bump REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}"
From b9371149c36a97f4e850410a0b20527e23356987 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Tue, 31 Mar 2026 10:20:05 +0300
Subject: [PATCH 2/6] fix: add .git suffix to marketplace URL
---
 .github/workflows/claude-code-dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 48ea5a3..395b51f 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -54,7 +54,7 @@ jobs:
 github_token: ${{ github.token }}
 use_vertex: "true"
 allowed_bots: "dependabot[bot]"
- plugin_marketplaces: https://github.com/scality/agent-hub
+ plugin_marketplaces: https://github.com/scality/agent-hub.git
 plugins: scality-skills@scality-agent-hub
 prompt: "/review-dependency-bump REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}"
 claude_args: |
From f2c295305c8393b2c79b2150a29f6820aa75d13b Mon Sep 17 00:00:00 2001
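Review bot: `allowed_bots: "dependabot[bot]"` lets Dependabot-authored PRs reach the review action, but the run still depends on the secrets the caller forwards; as far as I know, `pull_request` runs triggered by Dependabot see only Dependabot secrets, so the caller must either define the Vertex credentials as Dependabot secrets or trigger on `pull_request_target`. That choice matters because later commits in this series check out the PR head and run `yarn install` in the same job, so the intended trigger should be recorded next to this line, e.g. `# Dependabot PRs: caller supplies secrets as Dependabot secrets or triggers on pull_request_target`. The action step's `uses:` line is outside this hunk.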
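Review bot: `plugin_marketplaces: https://github.com/scality/agent-hub.git` still points at a mutable repository with no tag or commit, so the `scality-skills` plugin that drives the review is whatever that repository's default branch holds at run time, a supply-chain exposure for a step that runs with `pull-requests: write`. If the action accepts a ref on marketplace URLs, pin one; otherwise record the trust assumption with a comment such as `# unpinned: resolves the marketplace default branch at run time`. The step's `uses:` line is outside this hunk, so I cannot tell whether the action version itself is SHA-pinned.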
From: Dimitrios Vasilas
Date: Tue, 31 Mar 2026 10:21:06 +0300
Subject: [PATCH 3/6] fix: checkout PR head commit
---
 .github/workflows/claude-code-dependency-review.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 395b51f..4ccc874 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -28,6 +28,7 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 with:
+ ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 1
 - name: Install dependencies
From 39c28eaf7e4a40f402c8a539f3615fdc72ab4bc9 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Tue, 31 Mar 2026 10:25:53 +0300
Subject: [PATCH 4/6] feat: support private repository dependencies via GitHub App
Add optional ACTIONS_APP_ID input and ACTIONS_APP_PRIVATE_KEY secret to generate a GitHub App token for accessing private org repositories during dependency installation.
---
 .../claude-code-dependency-review.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 4ccc874..c17a026 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -15,6 +15,14 @@ on:
 CLOUD_ML_REGION:
 required: true
 description: GCP region for Vertex AI
+ ACTIONS_APP_PRIVATE_KEY:
+ required: false
+ description: Private key for the GitHub App used to access private repositories
+ inputs:
+ ACTIONS_APP_ID:
+ required: false
+ type: string
+ description: App ID for the GitHub App used to access private repositories
 jobs:
 dependency-review:
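Review bot: `ref: ${{ github.event.pull_request.head.sha }}` checks out contributor-controlled content, which is only safe while the caller's trigger gives that content no privileges; under `pull_request_target` the PR head would land in a job that holds `id-token: write`, `pull-requests: write` and the forwarded secrets, and the `Install dependencies` step that follows (its `run:` line is outside this hunk) executes from that tree. Please document the assumption here, e.g. `# PR head is untrusted: treat the checkout as read-only input for the review`. Whether the caller uses `pull_request` or `pull_request_target` is not visible in this file.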
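Review bot: `ACTIONS_APP_ID` and `ACTIONS_APP_PRIVATE_KEY` are declared as independently optional, so a caller can pass the App ID without forwarding the key, and the token step guarded only by `inputs.ACTIONS_APP_ID != ''` (in the next hunk) then fails the job instead of being skipped. The descriptions should say the two must be supplied together, e.g. `description: Private key for the GitHub App; required whenever ACTIONS_APP_ID is set`. A step-level `if` cannot inspect `secrets`, so the description is the only place this contract can live.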
@@ -31,6 +39,22 @@ jobs:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 1
+ - name: Generate token for private repositories
+ if: inputs.ACTIONS_APP_ID != ''
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ inputs.ACTIONS_APP_ID }}
+ private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+
+ - name: Configure git for private repositories
+ if: steps.app-token.outputs.token != ''
+ run: |
+ git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/"
+ env:
+ GIT_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+
 - name: Install dependencies
 id: install-deps
 if: hashFiles('yarn.lock') != ''
From 65ddf5a7661b78994973680316bfdf16edf03986 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Tue, 31 Mar 2026 10:31:26 +0300
Subject: [PATCH 5/6] feat: Add permissions for CI status verification
Add checks:read and actions:read permissions required for CI status verification.
---
 .github/workflows/claude-code-dependency-review.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index c17a026..d3c21fb 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -32,6 +32,8 @@ jobs:
 contents: read
 pull-requests: write
 id-token: write
+ checks: read
+ actions: read
 steps:
 - uses: actions/checkout@v6
From 9561dbfa146fcb33dad018ef19c76963421f3968 Mon Sep 17 00:00:00 2001
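Review bot: The `Configure git for private repositories` step writes the App installation token in plaintext into the runner's global gitconfig through `insteadOf`, and nothing removes it, so every later step in the job, including the review action that reads the checked-out tree, can recover it from `~/.gitconfig`; the token also covers every repository the App is installed on, because `create-github-app-token` is given `owner` but no `repositories`. I would narrow the token with `repositories:` listing only the private packages the install needs, and add a cleanup step with `if: always()` right after `Install dependencies` (whose `run:` line is outside this hunk) that drops the URL rewrite before the review action runs. The `steps.app-token.outputs.token != ''` guard itself is fine, since a skipped step yields an empty output.
```yaml
      - name: Generate token for private repositories
        if: inputs.ACTIONS_APP_ID != ''
        uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ inputs.ACTIONS_APP_ID }}
          private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: "<PRIVATE_DEPENDENCY_REPOS>"  # placeholder: comma-separated list of the private repos yarn needs

      # … unchanged: Configure git for private repositories, Install dependencies …

      - name: Remove git credential rewrite
        if: always() && steps.app-token.outputs.token != ''
        run: |
          git config --global --remove-section "url.https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/"
        env:
          GIT_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
```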
From: Dimitrios Vasilas
Date: Tue, 31 Mar 2026 10:32:21 +0300
Subject: [PATCH 6/6] fix: add Node.js setup and harden yarn install
Set up Node.js explicitly before yarn install with a configurable version (default 22). Add --ignore-scripts to yarn install to prevent execution of arbitrary postinstall scripts from dependency bumps.
---
 .github/workflows/claude-code-dependency-review.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index d3c21fb..d43480a 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -23,6 +23,11 @@ on:
 required: false
 type: string
 description: App ID for the GitHub App used to access private repositories
+ node-version:
+ required: false
+ type: string
+ default: '22'
+ description: Node.js version to use for dependency installation
 jobs:
 dependency-review:
@@ -57,11 +62,17 @@ jobs:
 env:
 GIT_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+ - name: Set up Node.js
+ if: hashFiles('yarn.lock') != ''
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ inputs.node-version }}
+
 - name: Install dependencies
 id: install-deps
 if: hashFiles('yarn.lock') != ''
 continue-on-error: true
- run: yarn install --frozen-lockfile
+ run: yarn install --frozen-lockfile --ignore-scripts
 - name: Warn on failed dependency install
 if: steps.install-deps.outcome == 'failure'
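Review bot: `run: yarn install --frozen-lockfile --ignore-scripts` only has the intended effect on Yarn Classic; on Yarn Berry (2+) `--frozen-lockfile` is a deprecated alias of `--immutable` and `--ignore-scripts` is not a recognised option, so the install would error out, and because the step keeps `continue-on-error: true` that failure is tolerated and the review then runs against a tree with no `node_modules`. The repository's Yarn line is not visible here; if Berry is possible, disable lifecycle scripts through the `enableScripts` setting (`YARN_ENABLE_SCRIPTS: "0"` in the step's `env`) rather than a flag, and either way add a comment naming the Yarn line the flags target, e.g. `# Yarn Classic flags; Berry needs --immutable and YARN_ENABLE_SCRIPTS=0`. Note also that `--ignore-scripts` skips the project's own lifecycle scripts as well as the dependencies', which is acceptable for a read-only review but worth stating in the step name or a comment.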