
ci: add Claude Code security review workflow for PRs to feature/darwin #49

Open

Sarath1018 wants to merge 2 commits into feature/darwin from chore/claude-code-security-review


Conversation

@Sarath1018

Collaborator

Adds a pull_request-triggered GitHub Actions workflow that runs an automated, security-focused Claude Code review on PRs targeting feature/darwin.

Hardening per the CI/CD security checklist:

  • uses pull_request (not pull_request_target) so untrusted PR code never runs with secret access; forked PRs are skipped
  • least-privilege permissions (contents:read; pull-requests/issues:write)
  • auth via CLAUDE_CODE_OAUTH_TOKEN secret, no hardcoded credentials
  • no untrusted github.event.* values interpolated into run: steps

Description

[Provide a brief description of the changes in this PR]

How Has This Been Tested?

[Describe the tests you ran to verify your changes]

Backporting (check the box to trigger backport action)

Note: You have to check that the action passes, otherwise resolve the conflicts manually and tag the patches.

  • This PR should be backported (make sure to check that the backport attempt succeeds)
  • [Optional] Override Linear Check

Adds a pull_request-triggered GitHub Actions workflow that runs an
automated, security-focused Claude Code review on PRs targeting
feature/darwin.

Hardening per the CI/CD security checklist:
- uses pull_request (not pull_request_target) so untrusted PR code
  never runs with secret access; forked PRs are skipped
- least-privilege permissions (contents:read; pull-requests/issues:write)
- auth via CLAUDE_CODE_OAUTH_TOKEN secret, no hardcoded credentials
- no untrusted github.event.* values interpolated into run: steps

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Review comment thread on .github/workflows/claude-code-review.yml: Fixed
Pin anthropics/claude-code-action to the v1 commit SHA so a re-tagged or
compromised tag can't silently change the action that runs with repo access.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
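The hardening points listed in the PR description and the commit-SHA pinning added in the second commit can all be checked mechanically before a workflow is merged. What follows is an added example, not the PR's own workflow and not tooling from this repository: a small Python audit that scans a workflow file's text for the checklist items (a pull_request_target trigger, a missing fork guard, missing or over-broad permissions, untrusted github.event.* values interpolated into run: steps, action references not pinned to a 40-character commit SHA, and literal credentials). The two sample workflows are constructed for the example; the fork-guard expressions it recognises and the all-zero placeholder SHAs are assumptions, and the checker is line-oriented rather than a full YAML parser.

```python
"""Static audit of a GitHub Actions workflow against the CI/CD hardening checklist.

Added example (not the PR's workflow). It works on the raw workflow text so it
needs no YAML library. The fork-guard expressions below are assumed common
forms; the PR does not say which one it uses.
"""
import re

# Action reference pinned to a full 40-hex commit SHA, optionally followed by a "# vX" comment.
SHA_PIN_RE = re.compile(r"@[0-9a-f]{40}(\s+#.*)?$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
RUN_RE = re.compile(r"^(\s*)(-\s*)?run:\s*(.*)$")
UNTRUSTED_RE = re.compile(r"\$\{\{\s*github\.event\.")
FORK_GUARD_RE = re.compile(
    r"github\.event\.pull_request\.head\.repo\.fork\s*==\s*false"
    r"|github\.event\.pull_request\.head\.repo\.full_name\s*==\s*github\.repository"
)
# A token/key/password-like key whose value is a literal, not a ${{ ... }} expression
# (permission values such as "id-token: write" are excluded).
LITERAL_CRED_RE = re.compile(
    r"(?i)^\s*[\w-]*(token|api[_-]?key|password)[\w-]*\s*:\s*(?!\$\{\{)(?!(read|write|none)\s*$)\S"
)


def audit_workflow(text: str) -> list[str]:
    """Return finding codes for the hardening checklist; an empty list means clean."""
    findings: list[str] = []

    def add(code: str) -> None:
        if code not in findings:
            findings.append(code)

    if re.search(r"\bpull_request_target\b", text):
        add("pull_request_target-trigger")  # untrusted PR code would run with secret access
    if not FORK_GUARD_RE.search(text):
        add("no-fork-guard")
    if not re.search(r"^permissions:\s*$", text, re.M):  # top-level (column 0) block
        add("no-top-level-permissions")
    if re.search(r"^\s*permissions:\s*write-all", text, re.M) or re.search(r"^\s*contents:\s*write", text, re.M):
        add("over-broad-permissions")

    run_key_col = None  # column of the "run:" key while inside a multi-line run block
    for line in text.splitlines():
        if run_key_col is not None:
            if not line.strip():
                continue
            indent = len(line) - len(line.lstrip(" "))
            if indent > run_key_col:  # still inside the run block
                if UNTRUSTED_RE.search(line):
                    add("untrusted-input-in-run")
                continue
            run_key_col = None  # dedented: the block has ended
        m = RUN_RE.match(line)
        if m:
            inline = m.group(3)
            if inline and not inline.startswith(("|", ">")):
                if UNTRUSTED_RE.search(inline):  # single-line run: with interpolation
                    add("untrusted-input-in-run")
            else:
                run_key_col = len(m.group(1)) + len(m.group(2) or "")
            continue
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if "@" in ref and not SHA_PIN_RE.search(line.split("uses:", 1)[1].strip()):
                add(f"unpinned-action:{ref}")  # tag or branch ref can be moved or re-tagged
            continue
        if LITERAL_CRED_RE.match(line):
            add("literal-credential")
    return findings


# Constructed sample: the weak shape the checklist is meant to catch.
WEAK_WORKFLOW = """\
name: review
on: pull_request_target
jobs:
  review:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - name: Echo PR title
        run: |
          echo "${{ github.event.pull_request.title }}"
      - uses: anthropics/claude-code-action@v1
        env:
          CLAUDE_CODE_OAUTH_TOKEN: "constructed-placeholder-not-a-real-token"
"""

# Constructed sample following the PR's checklist; the SHAs are all-zero placeholders.
HARDENED_WORKFLOW = """\
name: Claude Code security review
on:
  pull_request:
    branches: [feature/darwin]
permissions:
  contents: read
  pull-requests: write
  issues: write
jobs:
  review:
    if: github.event.pull_request.head.repo.fork == false
    runs-on: ubuntu-latest
    env:
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - name: Pass untrusted values through env, not inline interpolation
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          echo "Reviewing PR #$PR_NUMBER"
      - uses: anthropics/claude-code-action@0000000000000000000000000000000000000000 # v1 (placeholder SHA)
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "clean")
```

Run against a real file with `audit_workflow(open(".github/workflows/x.yml").read())`; the env-variable pattern in the hardened sample is the standard way to get PR-controlled values into a shell step without the interpolation the checklist forbids.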
