Draft
Conversation
pull_request_target checks out the base branch by default. Use ref in actions/checkout so that the dependency review can analyze the PR's changes and not the target branch.
claude-code-action rejects bot-initiated triggers by default. Add dependabot[bot] to allowed_bots since this workflow is specifically for reviewing Dependabot PRs.
claude-code-action validates that marketplace URLs end with .git.
Accept an optional GIT_ACCESS_TOKEN secret and configure git to use it for github.com URLs. This allows yarn install to fetch private Scality dependencies and the claude-code-action to clone the private agent-hub plugin marketplace.
Move the token from job-level env to step-level env on the git config step only, preventing unnecessary exposure to other steps. Use a shell conditional instead of a step-level if condition since secrets context is not available in step conditions.
Use --local instead of --global for git config to limit token exposure to the checkout directory. Add --ignore-scripts to yarn install to prevent lifecycle scripts from untrusted PR code from running in the pull_request_target context, which has write permissions and access to credentials.
The marketplace clone runs outside the checkout directory, so --local git config doesn't apply. Revert to --global.
Without this permission the reviewer cannot query check run results and reports "Unable to verify" CI status.
Use actions/create-github-app-token@v1 instead of the GIT_ACCESS_TOKEN secret.
tcarmet
force-pushed
the
feature/auth-as-claude-app
branch
from
9a44096 to
5f8e59b
Compare
dvasilas
force-pushed
the
fix/dependency-review-dependabot
branch
from
6c138a0 to
9561dbf
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.