wip: bolt 12 #117
Workflow file for this run
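name: security-review

# Trust boundary of this workflow:
# `pull_request_target` runs THIS file from the base branch, with access to repository
# secrets, but the job below checks out and then executes code from the PR head.
# Every step after checkout that runs repository code is therefore PR-controlled:
# contrib/make_libsecp256k1.sh, both requirements files, the build hooks run by
# `pip install .`, and contrib/ci/claude_security_review.py itself.
on:
  pull_request_target:
  workflow_dispatch:
    inputs:
      pr_number:
        description: 'PR number to review'
        required: true
        type: string

permissions:
  contents: read
  # pull-requests: write  # required for the script to post review comments via GITHUB_TOKEN

concurrency:
  # One review per PR; a new push supersedes the in-flight run.
  group: security-review-pr-${{ github.event.pull_request.number || inputs.pr_number }}
  cancel-in-progress: true

jobs:
  security-review:
    name: "security review: Claude Code"
    runs-on: ubuntu-24.04
    # Auto-run only for maintainers (and their forks).
    # External contributors trigger manually so a maintainer can review the PR first.
    # It is NOT enough to check only the Python script this job calls: the secret is
    # exposed only to the last step, but the earlier PR-controlled steps (build script,
    # requirements, `pip install .`) run in the same runner and can tamper with what that
    # last step executes (installed packages, the globally installed CLI), so review the
    # whole diff before dispatching.
    if: |
      github.event_name == 'workflow_dispatch' ||
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)
    env:
      # Relative to the workspace; points at the cached/built libsecp256k1 copied below.
      LD_LIBRARY_PATH: contrib/_saved_secp256k1_build/
      ELECTRUM_ECC_DONT_COMPILE: "1"
    steps:
      - name: Checkout PR head
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: refs/pull/${{ github.event.pull_request.number || inputs.pr_number }}/head
          fetch-depth: 0
          # Do not leave GITHUB_TOKEN in .git/config where the PR-controlled steps below
          # could read it. The full history is fetched here, so the review script is
          # assumed not to need authenticated git access (confirm if it fetches from the
          # remote, or if pull-requests: write is ever enabled above).
          persist-credentials: false
      - name: Setup Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20'
      - name: Install Claude Code CLI
        # TODO(review): pin to an exact version (`@anthropic-ai/claude-code@X.Y.Z`);
        # an unpinned global install pulls whatever the registry serves at run time.
        run: sudo npm install -g @anthropic-ai/claude-code
      # install Python and dependencies so the llm can quickly access the dependencies source and execute code/tests
      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.14'
          cache: 'pip'
          cache-dependency-path: |
            contrib/requirements/requirements-ci.txt
            contrib/requirements/requirements.txt
      - name: Cache libsecp256k1
        id: cache-libsecp
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: contrib/_saved_secp256k1_build
          # Keyed on the build script only: a PR that changes make_libsecp256k1.sh builds
          # under a new key and that PR-produced artifact is what gets saved. Keep this in
          # mind when reviewing changes to the build script.
          key: libsecp-${{ runner.os }}-${{ hashFiles('contrib/make_libsecp256k1.sh') }}
      - name: Build libsecp256k1
        if: steps.cache-libsecp.outputs.cache-hit != 'true'
        run: |
          sudo apt-get update
          sudo apt-get -y install automake libtool
          ./contrib/make_libsecp256k1.sh
          mkdir -p contrib/_saved_secp256k1_build
          cp electrum/libsecp256k1.so.* contrib/_saved_secp256k1_build/
      - name: Install Qt/QML runtime deps
        run: |
          sudo apt-get update
          sudo apt-get -y install libgl1 libegl1 libxkbcommon0 libdbus-1-3
      - name: Install Python dependencies
        # Both the requirements file and the package build hooks come from the PR head.
        run: |
          pip install -r contrib/requirements/requirements-ci.txt
          pip install ".[tests,qml_gui]"
      - name: Run Claude Code security review
        # The only step that sees the API credential; everything it runs (the script,
        # the installed packages, the CLI) was set up by the PR-controlled steps above.
        env:
          PR_NUMBER: ${{ github.event.pull_request.number || inputs.pr_number }}
          BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'master' }}
          # needs to be set in the GitHub repository settings
          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # can be enabled to make claude comment on PRs
        run: python3 contrib/ci/claude_security_review.py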