fix(security): bump dependencies to clear OSV-Scanner advisories #1033

Workflow file for this run

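# Runs the Claude Code action when '@claude' is mentioned in a new issue,
# comment or review, and only after the author's repository role is checked.
name: Claude Code

# Only creation-type activity is subscribed to; edited comments do not
# re-trigger the workflow.
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
  pull_request_review:
    types: [submitted]

jobs:
  claude:
    # Pre-filter on the '@claude' mention. This is not an authorization check:
    # anyone who can comment can satisfy it. Authorization happens in the
    # "Check user permissions" step below.
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    runs-on: ubuntu-latest
    # Job token is read-only apart from id-token.
    # NOTE(review): id-token: write is presumably what the Claude action uses
    # to request an OIDC token - confirm it is still required.
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read  # Required for Claude to read CI results on PRs
    steps:
      # Gate: sets has_permission to 'true' or 'false'. On an API error the
      # step fails, so every later step is skipped (fails closed).
      - name: Check user permissions
        id: check_permissions
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3  # v9.0.0
        with:
          # Event fields are read from context.payload inside the script, not
          # interpolated with ${{ }}, so comment text never becomes script source.
          script: |
            // Author of the text that carried the '@claude' mention.
            // NOTE(review): on 'assigned' events this is the issue author, not
            // the account that performed the assignment (context.payload.sender);
            // confirm that is the identity meant to be gated on.
            let actor;
            if (context.eventName === 'issue_comment') {
              actor = context.payload.comment.user.login;
            } else if (context.eventName === 'pull_request_review_comment') {
              actor = context.payload.comment.user.login;
            } else if (context.eventName === 'pull_request_review') {
              actor = context.payload.review.user.login;
            } else if (context.eventName === 'issues') {
              actor = context.payload.issue.user.login;
            }
            try {
              const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                username: actor
              });
              // The legacy `permission` field only reports admin/write/read/none
              // ('maintain' is folded into 'write'), so comparing it with
              // 'maintain' can never match. `role_name` carries the actual role.
              // Deliberately not widened to 'write'.
              const allowedRoles = ['admin', 'maintain'];
              const hasPermission = allowedRoles.includes(permission.role_name);
              core.setOutput('has_permission', hasPermission);
              if (!hasPermission) {
                core.info(`User ${actor} has ${permission.role_name} permission, but needs admin or maintain permission to use Claude Code`);
              }
            } catch (error) {
              core.setFailed(`Failed to check permissions: ${error.message}`);
            }

      # NOTE(review): the job token above has issues: read and
      # pull-requests: read only, so createComment will most likely be
      # rejected and fail this step. Either move the notice to a separate job
      # with its own narrowly scoped write permission, or replace it with a
      # log notice; avoid granting write to the job that runs Claude.
      - name: Comment on permission denied
        if: steps.check_permissions.outputs.has_permission == 'false'
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3  # v9.0.0
        with:
          script: |
            // Issue or PR number of the thread that triggered the run.
            let issueNumber;
            if (context.eventName === 'issue_comment') {
              issueNumber = context.payload.issue.number;
            } else if (context.eventName === 'pull_request_review_comment') {
              issueNumber = context.payload.pull_request.number;
            } else if (context.eventName === 'pull_request_review') {
              issueNumber = context.payload.pull_request.number;
            } else if (context.eventName === 'issues') {
              issueNumber = context.payload.issue.number;
            }
            if (issueNumber) {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: issueNumber,
                body: '⚠️ Only users with admin or maintainer permissions can use Claude Code. Please contact a repository administrator if you need access.'
              });
            }

      # persist-credentials: false keeps the job token out of the checked-out
      # .git/config, so later steps cannot pick it up from the working tree.
      - name: Checkout repository
        if: steps.check_permissions.outputs.has_permission == 'true'
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
        with:
          fetch-depth: 1
          persist-credentials: false

      # Runs only when the gate explicitly returned 'true'.
      # NOTE(review): the gate covers the author of the triggering text only;
      # other thread or repository content the action may read is not covered
      # by it - keep that in mind before widening tools via claude_args.
      - name: Run Claude Code
        if: steps.check_permissions.outputs.has_permission == 'true'
        id: claude
        uses: anthropics/claude-code-action@593d7a5c4e0073569f74772c2b7b64c30ec14707  # v1.0.141
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Enable progress tracking for PR context
          track_progress: true
          # This is an optional setting that allows Claude to read CI results on PRs
          additional_permissions: |
            actions: read
          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
          # prompt: 'Update the pull request description to include a summary of changes.'
          # Optional: Add claude_args to customize behavior and configuration
          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
          # or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options
          # claude_args: '--model claude-opus-4-1-20250805 --allowed-tools Bash(gh pr:*)'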