fix-security-vulnerability.yml
69 lines (59 loc) · 2.68 KB
```yaml
name: Fix Security Vulnerability

on:
  # Manual trigger only. Dispatching a workflow requires write access to the
  # repository, so the `alert` input is semi-trusted, not anonymous.
  workflow_dispatch:
    inputs:
      alert:
        description:
          'Dependabot alert number or URL (e.g. 1046 or
          https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
        required: true

# One run per alert at a time; a second dispatch for the same alert queues
# rather than killing a run that may be mid-way through opening a PR.
concurrency:
  group: fix-security-vuln-${{ github.event.inputs.alert }}
  cancel-in-progress: false

jobs:
  fix-vulnerability:
    runs-on: ubuntu-latest
    # The job must pass the `ci-triage` environment's protection rules (for
    # example required reviewers) before it can read that environment's secrets.
    environment: ci-triage
    # Scope of the GITHUB_TOKEN the agent will use: push a branch, open a PR,
    # read Dependabot alerts, open an issue, mint an OIDC token.
    permissions:
      contents: write
      pull-requests: write
      security-events: read
      issues: write
      id-token: write

    steps:
      - uses: actions/checkout@v6
        with:
          ref: develop

      - name: Extract alert number
        id: alert
        run: |
          # Note: the ${{ }} expression is substituted into the script text
          # before bash parses it. A value containing a double quote becomes
          # code, not data; passing the input through `env:` and reading
          # "$ALERT_INPUT" instead avoids that. The regex check below runs
          # only after the substitution, so it does not protect against it.
          INPUT="${{ github.event.inputs.alert }}"
          RAW="${INPUT##*/}"          # last path segment (or the bare number)
          NUMBER="${RAW%%\?*}"        # drop any "?query" suffix
          if ! [[ "$NUMBER" =~ ^[0-9]+$ ]]; then
            echo "Error: Could not extract a valid numeric alert ID from input: $INPUT"
            exit 1
          fi
          echo "number=$NUMBER" >> "$GITHUB_OUTPUT"

      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # The raw input is also interpolated into the prompt, so the
          # dispatcher's text reaches the model verbatim.
          prompt: |
            YOUR FIRST ACTION - run this exact command before anything else:
            gh api repos/getsentry/sentry-javascript/dependabot/alerts/${{ steps.alert.outputs.number }}

            Then use the output to follow the skill instructions below.

            /fix-security-vulnerability ${{ github.event.inputs.alert }}

            IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
            Your allowed tools are narrowly scoped - only the exact command patterns listed will be permitted.

            If you can fix the vulnerability:
            Create a branch named fix/security-<alert-number>, apply the fix, and open a PR with your analysis
            in the PR description. Target the develop branch.

            If you determine the alert should NOT be fixed:
            Do NOT dismiss the alert. Instead, open a GitHub issue with:
            - Title: "Security: Dismiss Dependabot alert #<number> - <package-name>"
            - Label: "Security"
            - Body: Include the full vulnerability details, your analysis,
              the recommended dismissal reason, and why the alert cannot/should not be fixed.
          model: claude-opus-4-6
          # Tool allow-list. The wildcard between `gh api` and the alerts path
          # admits any flags in that position (including a request method), so
          # "do not dismiss" is enforced by the prompt rather than by the
          # pattern; `git checkout *` likewise permits checking out any ref.
          claude_args: |
            --max-turns 20 --allowedTools "Bash(gh api *repos/getsentry/sentry-javascript/dependabot/alerts/*),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git checkout *),Bash(git add *),Bash(git commit *),Edit,Write"
```
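The "Extract alert number" step above does two things worth testing in isolation: it normalises a bare number or a Dependabot URL into a numeric id, and it receives that value by having the workflow expression pasted directly into the script text. The following is an added example, not code from the sentry-javascript repository. It re-implements the extraction as a POSIX shell function (accepting the same inputs plus a `#fragment`, and rejecting a trailing-slash URL), then uses `sh -c` as a stand-in for the runner's template expansion to show, with a harmless `echo`, the difference between inline expansion and passing the value through `env:`. Function names, the sample inputs and the payload are constructed for this example.

```shell
#!/bin/sh
# Added example; not part of the sentry-javascript workflow. The `sh -c` calls
# stand in for GitHub's expansion of ${{ ... }} into the step's script text.

# extract_alert_number INPUT
#   Accepts a bare alert number ("1046") or a Dependabot alert URL
#   (".../security/dependabot/1046", optionally with "?query" or "#fragment")
#   and prints the numeric id. Prints nothing and returns 1 for anything else,
#   including a URL with a trailing "/".
extract_alert_number() {
    input=$1
    raw=${input##*/}           # keep only the last path segment
    number=${raw%%\?*}         # drop "?query"
    number=${number%%#*}       # drop "#fragment"
    case $number in
        '' | *[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    printf '%s\n' "$number"
}

# run_step_unsafe INPUT
#   Mimics `INPUT="${{ github.event.inputs.alert }}"`: the value is pasted
#   into the script text before the shell parses it. Prints what the script
#   prints.
run_step_unsafe() {
    sh -c "INPUT=\"$1\"; printf 'INPUT=%s\\n' \"\$INPUT\""
}

# run_step_safe INPUT
#   Mimics the hardened form, where the step declares
#   `env: ALERT_INPUT: ${{ github.event.inputs.alert }}` and the script reads
#   `INPUT="$ALERT_INPUT"`. The script text is constant; the value is data.
run_step_safe() {
    ALERT_INPUT=$1 sh -c 'INPUT="$ALERT_INPUT"; printf "INPUT=%s\n" "$INPUT"'
}

# Constructed payload: a valid-looking alert number followed by an injected
# command. In the real job, the injected command would run with the job's
# GITHUB_TOKEN (contents/pull-requests/issues/id-token: write) in scope.
PAYLOAD='1046"; echo INJECTED; :"'

echo "bare number -> $(extract_alert_number 1046)"
echo "alert URL   -> $(extract_alert_number https://github.com/getsentry/sentry-javascript/security/dependabot/1046)"
echo "URL + query -> $(extract_alert_number 'https://github.com/getsentry/sentry-javascript/security/dependabot/1046?x=1')"
extract_alert_number 'not-a-number' || echo "garbage     -> rejected (exit $?)"
echo "--- unsafe step (inline expansion): INJECTED appears first ---"
run_step_unsafe "$PAYLOAD"
echo "--- safe step (env var): the payload is just a string ---"
run_step_safe "$PAYLOAD"
```

The numeric check in the workflow still matters in the safe variant: it is what keeps a malformed value out of the `gh api` path that the prompt later builds from `steps.alert.outputs.number`. It just cannot substitute for keeping the raw value out of the script text in the first place.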