Fix dependency review workflow for Dependabot PRs#85
Conversation
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
tcarmet
left a comment
tcarmet
left a comment
There was a problem hiding this comment.
I haven't check but on the skills make sure it knows that the setup is done via pull_request_target instead of pull_request
| contents: read | ||
| pull-requests: write | ||
| id-token: write | ||
| checks: read |
There was a problem hiding this comment.
It gives the agent permission to read the CI status.
Without it the agent reported CI status: Could not be verified due to API permissions. Confirm CI is green before merging.
With it it is CI status: Several checks still in progress at time of review. No failures observed. because the workflow runs early 🤷
There was a problem hiding this comment.
Ok now I'm even more confused, because it should be actions: read
But actually, knowing how github works checks is technically a lower level api of actions so it works.
I would recommend just changing to actions: read if that's ok, it should work the same and makes more sense for a human like me.
There was a problem hiding this comment.
I tried it, but I got CI status: Unable to query (permissions); verify CI is green before merging
https://github.com/scality/scuba/pull/407#pullrequestreview-3997059964
So I will revert it for now.
(we could maybe instruct the agent which API to use? 🤔 )
There was a problem hiding this comment.
Well now it says CI status: Could not be verified due to API permissions. Recommend confirming CI is green before merging. even after I reverted. Not sure what happened.
It could be that the agent tries to check different things in different runs. I added both permissions.
dvasilas
force-pushed
the
fix/dependency-review-dependabot
branch
from
134c5a3 to
c76c385
Compare
@tcarmet what do you have in mind that the skill must be aware of? The skill reads the codebase in the PR branch (I think) because the workflow checks out |
@dvasilas ignore my comment, I think at some point I saw a comment of Nico saying to create a skill to ease the setup of this actions in a repo (so a skill to setup a skill 😂) so I thought it existed, but it doesn't so ignore me :D |
| description: GCP region for Vertex AI | ||
| ACTIONS_APP_PRIVATE_KEY: | ||
| required: false | ||
| description: Private key for the GitHub App used to access private repositories |
There was a problem hiding this comment.
In my example I setted up as a vars you said it worked so great, but double check if it's best to send it as a input
| description: Private key for the GitHub App used to access private repositories | |
| description: Private key for the GitHub App used to access private repositories | |
| inputs: | |
| ACTIONS_APP_ID: | |
| required: false | |
| description: <add description> |
If thats the case then change the vars.ACTIONS_APP_ID to inputs.ACTIONS_APP_ID
Oh I see. It doens't exist yet, but I plan to build one. |
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} |
There was a problem hiding this comment.
Security note: This workflow is called via workflow_call, so the trigger depends on the caller. If the caller uses pull_request_target, checking out github.event.pull_request.head.sha means untrusted PR code is checked out in a context with write permissions (pull-requests: write).
The risk is mitigated here because:
- yarn install uses --ignore-scripts
- No run: steps execute code from the checked-out repo
- claude-code-action reads but doesn't execute repo files
Consider adding a comment in the workflow noting this security trade-off, so future contributors don't add run: steps that source repo files after checkout.
— Claude Code
|
LGTM — solid set of fixes for Dependabot support. One minor note: |
|
LGTM |
|
LGTM |
Add optional ACTIONS_APP_ID input and ACTIONS_APP_PRIVATE_KEY secret to generate a GitHub App token for accessing private org repositories during dependency installation.
Add checks:read and actions:read permissions required for CI status verification.
Set up Node.js explicitly before yarn install with a configurable version (default 22). Add --ignore-scripts to yarn install to prevent execution of arbitrary postinstall scripts from dependency bumps.
dvasilas
force-pushed
the
fix/dependency-review-dependabot
branch
from
6c138a0 to
9561dbf
Compare
| pull-requests: write | ||
| id-token: write | ||
| checks: read | ||
| actions: read |
There was a problem hiding this comment.
The added checks: read and actions: read permissions aren't used by any of the new steps in this PR (token generation, git config, Node.js setup). If claude-code-action requires them, consider adding a YAML comment explaining why — otherwise remove them to keep least-privilege.
— Claude Code
|
Solid set of fixes. One minor item:
Everything else looks good — head SHA checkout for Review by Claude Code |
2 participants
pull_request_targetchecks out the base branch by default. We need to passreftoactions/checkoutso the review can analyze PR's changesclaude-code-actionrejects bot-initiated triggers by default; adddependabot[bot]toallowed_botsclaude-code-actionvalidates that marketplace URLs end with.gitGIT_ACCESS_TOKENsecret so yarn can install private Scality dependencies and the action can clone the private agent-hub plugin marketplace