fix(security): bump dependencies to clear OSV-Scanner advisories #1034
| name: Claude Code | |
| on: | |
| issue_comment: | |
| types: [created] | |
| pull_request_review_comment: | |
| types: [created] | |
| issues: | |
| types: [opened, assigned] | |
| pull_request_review: | |
| types: [submitted] | |
| jobs: | |
| claude: | |
| if: | | |
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| issues: read | |
| id-token: write | |
| actions: read # Required for Claude to read CI results on PRs | |
| steps: | |
| - name: Check user permissions | |
| id: check_permissions | |
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | |
| with: | |
| script: | | |
| let actor; | |
| if (context.eventName === 'issue_comment') { | |
| actor = context.payload.comment.user.login; | |
| } else if (context.eventName === 'pull_request_review_comment') { | |
| actor = context.payload.comment.user.login; | |
| } else if (context.eventName === 'pull_request_review') { | |
| actor = context.payload.review.user.login; | |
| } else if (context.eventName === 'issues') { | |
| actor = context.payload.issue.user.login; | |
| } | |
| try { | |
| const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| username: actor | |
| }); | |
| const hasPermission = ['admin', 'maintain'].includes(permission.permission); | |
| core.setOutput('has_permission', hasPermission); | |
| if (!hasPermission) { | |
| core.info(`User ${actor} has ${permission.permission} permission, but needs admin or maintain permission to use Claude Code`); | |
| } | |
| } catch (error) { | |
| core.setFailed(`Failed to check permissions: ${error.message}`); | |
| } | |
| - name: Comment on permission denied | |
| if: steps.check_permissions.outputs.has_permission == 'false' | |
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | |
| with: | |
| script: | | |
| let issueNumber; | |
| if (context.eventName === 'issue_comment') { | |
| issueNumber = context.payload.issue.number; | |
| } else if (context.eventName === 'pull_request_review_comment') { | |
| issueNumber = context.payload.pull_request.number; | |
| } else if (context.eventName === 'pull_request_review') { | |
| issueNumber = context.payload.pull_request.number; | |
| } else if (context.eventName === 'issues') { | |
| issueNumber = context.payload.issue.number; | |
| } | |
| if (issueNumber) { | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: issueNumber, | |
| body: '⚠️ Only users with admin or maintainer permissions can use Claude Code. Please contact a repository administrator if you need access.' | |
| }); | |
| } | |
| - name: Checkout repository | |
| if: steps.check_permissions.outputs.has_permission == 'true' | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - name: Run Claude Code | |
| if: steps.check_permissions.outputs.has_permission == 'true' | |
| id: claude | |
| uses: anthropics/claude-code-action@593d7a5c4e0073569f74772c2b7b64c30ec14707 # v1.0.141 | |
| with: | |
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| # Enable progress tracking for PR context | |
| track_progress: true | |
| # This is an optional setting that allows Claude to read CI results on PRs | |
| additional_permissions: | | |
| actions: read | |
| # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it. | |
| # prompt: 'Update the pull request description to include a summary of changes.' | |
| # Optional: Add claude_args to customize behavior and configuration | |
| # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md | |
| # or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options | |
| # claude_args: '--model claude-opus-4-1-20250805 --allowed-tools Bash(gh pr:*)' |
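Review bot: The gate `const hasPermission = ['admin', 'maintain'].includes(permission.permission);` in the check_permissions script will, as far as I can tell from the REST API reference for getCollaboratorPermissionLevel, never admit a maintainer: the top-level `permission` field is one of admin/write/read/none and the maintain role is only reported in `role_name` (and `user.permissions.maintain`), so maintainers get `write`, are denied, and then receive a comment telling them maintain is sufficient. Consider `const role = permission.role_name ?? permission.permission;` followed by `const hasPermission = role === 'admin' || role === 'maintain';`, which keeps the admin-only outcome for responses that carry no `role_name` and makes the denial comment in the next step truthful. This is pre-existing logic rather than part of the action pins this commit appears to update, but it is cheap to settle while the workflow is being touched. Separately, for the `issues: assigned` trigger the check evaluates the issue author (`context.payload.issue.user.login`) rather than the user who performed the assignment; that errs on the safe side, but if the intent is to gate on who triggered the run, `context.actor` is the more direct value.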