From 51b77354cd0a59cd62177062a1ac0b0f03b6b108 Mon Sep 17 00:00:00 2001
From: Paul Duvall
Date: Thu, 19 Mar 2026 16:43:32 -0400
Subject: [PATCH 1/2] fix(ci): allow dependabot bot in claude-code-review workflow

The claude-code-action rejects PRs from non-human actors by default. Adding dependabot[bot] to allowed_bots fixes the failing check on Dependabot PRs like #10.
---
 .github/workflows/claude-code-review.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index ecd27d0..ed77c96 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -36,10 +36,11 @@ jobs:
         uses: anthropics/claude-code-action@beta
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-
+          allowed_bots: "dependabot[bot]"
+
           # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
           # model: "claude-opus-4-20250514"
-
+
           # Direct prompt for automated review (no @claude mention needed)
           direct_prompt: |
             Please review this pull request and provide feedback on:

From 5bb9e2206b23ec1c87f52e960002b0ac0e5c8e1a Mon Sep 17 00:00:00 2001
From: Paul Duvall
Date: Thu, 19 Mar 2026 17:06:06 -0400
Subject: [PATCH 2/2] fix(deps): upgrade black to 26.3.1 to fix arbitrary file write vulnerability

Resolves Dependabot alert #10 - unsanitized --python-cell-magics input allowed cache files to be written to arbitrary filesystem locations.
---
 examples/spec-driven-development/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/spec-driven-development/requirements.txt b/examples/spec-driven-development/requirements.txt
index f1687b4..ac21af5 100644
--- a/examples/spec-driven-development/requirements.txt
+++ b/examples/spec-driven-development/requirements.txt
@@ -6,7 +6,7 @@ pytest-cov==4.1.0
 pytest-mock==3.12.0
 # Code quality and formatting
-black==24.3.0
+black==26.3.1
 flake8==6.1.0
 mypy==1.7.0
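Review bot: Listing `dependabot[bot]` in `allowed_bots` lets the job start on Dependabot PRs, but the step still reads `${{ secrets.ANTHROPIC_API_KEY }}` on the line above, and workflow runs triggered by Dependabot's own pull_request events receive the Dependabot secrets store rather than repository secrets, so the key must also be defined as a Dependabot secret or the check will keep failing for a different reason; the workflow's `on:` triggers sit above the hunk, so I cannot confirm which event fires here. The new line also deserves a why-comment so the next maintainer does not remove it as noise, e.g. `# dependabot[bot] is a non-human actor; listed so its PRs (e.g. #10) are reviewed instead of rejected`. Since every bot named here gets its PR content passed to the review prompt under the repository's key, keep the list to the bots that need it rather than widening it later by habit.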