electrum/.github/workflows/security-review.yml at 79fd500cfa77c6363c64498fc32aaba5e8f60b8c · spesmilo/electrum · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
name: security-review

on:
  pull_request_target:
  workflow_dispatch:
    inputs:
      pr_number:
        description: 'PR number to review'
        required: true
        type: string

permissions:
  contents: read
#  pull-requests: write   # required for the script to post review comments via GITHUB_TOKEN

concurrency:
  group: security-review-pr-${{ github.event.pull_request.number || inputs.pr_number }}
  cancel-in-progress: true

jobs:
  security-review:
    name: "security review: Claude Code"
    runs-on: ubuntu-24.04

    # Auto-run only for maintainers (and their forks).
    # External contributors trigger manually so we can first review if their PR modifies
    # the Python script this task calls (they could attempt to exfiltrate the api key through the script).
    if: |
      github.event_name == 'workflow_dispatch' ||
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)

    env:
      LD_LIBRARY_PATH: contrib/_saved_secp256k1_build/
      ELECTRUM_ECC_DONT_COMPILE: "1"
    steps:
      - name: Checkout PR head
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          ref: refs/pull/${{ github.event.pull_request.number || inputs.pr_number }}/head
          fetch-depth: 0

      - name: Setup Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
        with:
          node-version: '20'

      - name: Install Claude Code CLI
        run: sudo npm install -g @anthropic-ai/claude-code

      # install Python and dependencies so the llm can quickly access the dependencies source and execute code/tests
      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: '3.14'
          cache: 'pip'
          cache-dependency-path: |
            contrib/requirements/requirements-ci.txt
            contrib/requirements/requirements.txt

      - name: Cache libsecp256k1
        id: cache-libsecp
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
        with:
          path: contrib/_saved_secp256k1_build
          key: libsecp-${{ runner.os }}-${{ hashFiles('contrib/make_libsecp256k1.sh') }}

      - name: Build libsecp256k1
        if: steps.cache-libsecp.outputs.cache-hit != 'true'
        run: |
          sudo apt-get update
          sudo apt-get -y install automake libtool
          ./contrib/make_libsecp256k1.sh
          mkdir -p contrib/_saved_secp256k1_build
          cp electrum/libsecp256k1.so.* contrib/_saved_secp256k1_build/

      - name: Install Qt/QML runtime deps
        run: |
          sudo apt-get update
          sudo apt-get -y install libgl1 libegl1 libxkbcommon0 libdbus-1-3

      - name: Install Python dependencies
        run: |
          pip install -r contrib/requirements/requirements-ci.txt
          pip install ".[tests,qml_gui]"

      - name: Run Claude Code security review
        env:
          PR_NUMBER: ${{ github.event.pull_request.number || inputs.pr_number }}
          BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'master' }}
          # needs to be set in the GitHub repository settings
          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # can be enabled to make claude comment on PRs
        run: python3 contrib/ci/claude_security_review.py