26 changes: 24 additions & 2 deletions .github/workflows/claude-code-dependency-review.yml
@@ -15,6 +15,9 @@ on:
CLOUD_ML_REGION:
required: true
description: GCP region for Vertex AI
ACTIONS_APP_PRIVATE_KEY:
required: false
description: Private key for the GitHub App used to access private repositories
Contributor

In my example I set it up as a var; you said it worked, so great, but double check whether it's best to send it as an input.

Suggested change
description: Private key for the GitHub App used to access private repositories
description: Private key for the GitHub App used to access private repositories
inputs:
ACTIONS_APP_ID:
required: false
description: <add description>

If that's the case, then change vars.ACTIONS_APP_ID to inputs.ACTIONS_APP_ID.

Contributor Author

Done.


jobs:
dependency-review:
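Review bot: `ACTIONS_APP_PRIVATE_KEY` is declared `required: false`, but the job later gates the token step on `vars.ACTIONS_APP_ID != ''` rather than on the secret being present, so a caller that sets the variable without passing the secret reaches `actions/create-github-app-token` with an empty `private-key` and fails there. Either state in the description that the secret must be passed whenever `ACTIONS_APP_ID` is set, or declare the app id as a `workflow_call` input next to this secret (as suggested in the thread) so both come from the caller and can be checked together.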
@@ -24,17 +27,35 @@ jobs:
contents: read
pull-requests: write
id-token: write
checks: read
Contributor

Do we need this one?

Contributor Author

It gives the agent permission to read the CI status.
Without it, the agent reported "CI status: Could not be verified due to API permissions. Confirm CI is green before merging."
With it, it is "CI status: Several checks still in progress at time of review. No failures observed." because the workflow runs early 🤷

Contributor

@tcarmet tcarmet Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, now I'm even more confused, because it should be actions: read.

But actually, knowing how GitHub works, checks is technically a lower-level API of actions, so it works.

I would recommend just changing it to actions: read if that's OK; it should work the same and makes more sense for a human like me.

Contributor Author

@dvasilas dvasilas Mar 24, 2026


I tried it, but I got "CI status: Unable to query (permissions); verify CI is green before merging"
https://github.com/scality/scuba/pull/407#pullrequestreview-3997059964

So I will revert it for now.
(we could maybe instruct the agent which API to use? 🤔 )

Contributor Author

@dvasilas dvasilas Mar 24, 2026


Well, now it says "CI status: Could not be verified due to API permissions. Recommend confirming CI is green before merging." even after I reverted. Not sure what happened.

It could be that the agent tries to check different things in different runs. I added both permissions.

The checks: read permission was added but none of the steps in this workflow appear to need it. If it's required by claude-code-action internally, consider adding a comment to document that. Otherwise, removing it would follow the least-privilege principle.

— Claude Code


steps:
- uses: actions/checkout@v6
with:
ref: ${{ github.event.pull_request.head.sha }}

Security note: This workflow is called via workflow_call, so the trigger depends on the caller. If the caller uses pull_request_target, checking out github.event.pull_request.head.sha means untrusted PR code is checked out in a context with write permissions (pull-requests: write).

The risk is mitigated here because:
- yarn install uses --ignore-scripts
- No run: steps execute code from the checked-out repo
- claude-code-action reads but doesn't execute repo files

Consider adding a comment in the workflow noting this security trade-off, so future contributors don't add run: steps that source repo files after checkout.

— Claude Code

fetch-depth: 1

- name: Generate token for private repositories
if: vars.ACTIONS_APP_ID != ''
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.ACTIONS_APP_ID }}
private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }}

- name: Configure git for private repositories
if: steps.app-token.outputs.token != ''
run: |
git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/"
env:
GIT_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}

- name: Install dependencies
id: install-deps
if: hashFiles('yarn.lock') != ''
continue-on-error: true
run: yarn install --frozen-lockfile
run: yarn install --frozen-lockfile --ignore-scripts

- name: Warn on failed dependency install
if: steps.install-deps.outcome == 'failure'
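Review bot: both actions referenced in this hunk are pulled by mutable tag (`actions/checkout@v6` and the newly added `actions/create-github-app-token@v1`); since this job handles an app private key and runs with a write-scoped token, pin them to full commit SHAs (keeping the tag in a trailing comment) so a retagged release cannot change what executes. Separately, the `insteadOf` rewrite in "Configure git for private repositories" writes the installation token into the global git config and applies it to every `https://github.com/` URL, not only the private repositories it is meant for; narrowing the prefix to `https://github.com/${{ github.repository_owner }}/` (matching the `owner:` the token was minted for) limits where that token is sent.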
@@ -53,7 +74,8 @@ jobs:
with:
github_token: ${{ github.token }}
use_vertex: "true"
plugin_marketplaces: https://github.com/scality/agent-hub
allowed_bots: "dependabot[bot]"
plugin_marketplaces: https://github.com/scality/agent-hub.git
plugins: scality-skills@scality-agent-hub
prompt: "/review-dependency-bump REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}"
claude_args: |
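Review bot: the new `plugins: scality-skills@scality-agent-hub` line references the plugin by marketplace name only, with no version or commit pin, so each review run fetches whatever `https://github.com/scality/agent-hub.git` currently serves and a change there silently changes the prompts and tools applied to dependency PRs. If claude-code-action supports pinning the marketplace or plugin to a ref, use it; otherwise record the trust placed in that repository in a comment next to `plugin_marketplaces`.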