From ab4b22e3477180227c2a3a3816493fce2ae72779 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Fri, 20 Mar 2026 16:41:07 +0200
Subject: [PATCH 01/14] fix: Checkout PR head commit in dependency review pull_request_target checks out the base branch by default. Use ref in actions/checkout so that the dependency review can analyze the PR's changes and not the target branch.
---
.github/workflows/claude-code-dependency-review.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 45ed9ed..d96221b 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -28,6 +28,7 @@ jobs: steps: - uses: actions/checkout@v6 with: + ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 1 - name: Install dependencies
From defab3fc1dba1539684103b48447262ce548ea85 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Fri, 20 Mar 2026 16:44:05 +0200
Subject: [PATCH 02/14] fix: Allow Dependabot as bot actor in dependency review claude-code-action rejects bot-initiated triggers by default. Add dependabot[bot] to allowed_bots since this workflow is specifically for reviewing Dependabot PRs.
---
.github/workflows/claude-code-dependency-review.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index d96221b..e7d368f 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -54,6 +54,7 @@ jobs: with: github_token: ${{ github.token }} use_vertex: "true" + allowed_bots: "dependabot[bot]" plugin_marketplaces: https://github.com/scality/agent-hub plugins: scality-skills@scality-agent-hub prompt: "/review-dependency-bump REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}"
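Review bot: The checkout step now pulls `github.event.pull_request.head.sha` into a `pull_request_target` job that carries `pull-requests: write`, `id-token: write` and the caller's secrets, but it leaves `persist-credentials` at its default, so the job's GITHUB_TOKEN is stored in the checked-out tree's `.git/config` next to the untrusted PR content; since the job only has `contents: read` nothing needs that credential, so add `persist-credentials: false` under `with:` alongside `ref:`. The `allowed_bots: "dependabot[bot]"` added in the second hunk (PATCH 02/14) gates only the claude-code-action step, so the install step that runs before it executes for any PR author unless the calling workflow already restricts the trigger (this looks like a `workflow_call` workflow, so the gate may live in the caller). If it does not, a job-level `if: github.event.pull_request.user.login == 'dependabot[bot]'` would close that gap. The `steps:` list continues outside the hunk.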
From 2838ffb41082f93c5bab5df128ba6e9aa4725648 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Fri, 20 Mar 2026 16:45:51 +0200
Subject: [PATCH 03/14] fix: Add .git suffix to plugin marketplace URL claude-code-action validates that marketplace URLs end with .git.
---
.github/workflows/claude-code-dependency-review.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index e7d368f..4ccc874 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -55,7 +55,7 @@ jobs: github_token: ${{ github.token }} use_vertex: "true" allowed_bots: "dependabot[bot]" - plugin_marketplaces: https://github.com/scality/agent-hub + plugin_marketplaces: https://github.com/scality/agent-hub.git plugins: scality-skills@scality-agent-hub prompt: "/review-dependency-bump REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}" claude_args: |
From 7e4a433684d8bebdc769f0d7f2e255cac3d3aa70 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Fri, 20 Mar 2026 16:46:41 +0200
Subject: [PATCH 04/14] fix: Configure git credentials for private org repositories Accept an optional GIT_ACCESS_TOKEN secret and configure git to use it for github.com URLs. This allows yarn install to fetch private Scality dependencies and the claude-code-action to clone the private agent-hub plugin marketplace.
---
.github/workflows/claude-code-dependency-review.yml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 4ccc874..58a4d6a 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -15,6 +15,9 @@ on: CLOUD_ML_REGION: required: true description: GCP region for Vertex AI + GIT_ACCESS_TOKEN: + required: false + description: Token for accessing private Git repositories in the same org jobs: dependency-review:
@@ -24,6 +27,8 @@ jobs: contents: read pull-requests: write id-token: write + env: + GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }} steps: - uses: actions/checkout@v6
@@ -31,6 +36,10 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 1 + - name: Configure git for private repositories + if: env.GIT_ACCESS_TOKEN != '' + run: git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/" + - name: Install dependencies id: install-deps if: hashFiles('yarn.lock') != ''
From 5a57ee09256434fc8faf24cee5d554147a443353 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Fri, 20 Mar 2026 17:11:25 +0200
Subject: [PATCH 05/14] fix: Scope GIT_ACCESS_TOKEN to only the steps that need it Move the token from job-level env to step-level env on the git config step only, preventing unnecessary exposure to other steps. Use a shell conditional instead of a step-level if condition since secrets context is not available in step conditions.
---
.github/workflows/claude-code-dependency-review.yml | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 58a4d6a..1f44f91 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -27,8 +27,6 @@ jobs: contents: read pull-requests: write id-token: write - env: - GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }} steps: - uses: actions/checkout@v6
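Review bot: The added `git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf` line in the third hunk writes the token in plaintext into the runner's `~/.gitconfig`, where it stays readable for every later step of the job, including `yarn install` over the PR's lockfile; moving the secret from job env to step env in the next commit (PATCH 05/14) does not change that, because the config file outlives the step. Add a final step that runs with `if: always()` and removes the rewrite, so the credential is gone before the job's remaining steps and post-actions run. When PATCH 09/14 switches the source to the App token, the cleanup's `env:` should read `steps.app-token.outputs.token` instead of the secret. The `Install dependencies` step continues outside the hunk.
```yaml
# … unchanged: Configure git / Install dependencies / review steps …
      - name: Remove git credential rewrite
        if: always()
        run: |
          git config --global --remove-section url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/" || true
        env:
          GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
```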
@@ -37,8 +35,12 @@ jobs: fetch-depth: 1 - name: Configure git for private repositories - if: env.GIT_ACCESS_TOKEN != '' - run: git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/" + run: | + if [ -n "$GIT_ACCESS_TOKEN" ]; then + git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/" + fi + env: + GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }} - name: Install dependencies id: install-deps
From 39f501f4f69bd4e241780d4198b9f39600a51a5a Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Fri, 20 Mar 2026 17:30:15 +0200
Subject: [PATCH 06/14] fix: Harden dependency review against untrusted PR code Use --local instead of --global for git config to limit token exposure to the checkout directory. Add --ignore-scripts to yarn install to prevent lifecycle scripts from untrusted PR code from running in the pull_request_target context, which has write permissions and access to credentials.
---
.github/workflows/claude-code-dependency-review.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 1f44f91..ae0c92a 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -37,7 +37,7 @@ jobs: - name: Configure git for private repositories run: | if [ -n "$GIT_ACCESS_TOKEN" ]; then - git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/" + git config --local url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/" fi env: GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
@@ -46,7 +46,7 @@ jobs: id: install-deps if: hashFiles('yarn.lock') != '' continue-on-error: true - run: yarn install --frozen-lockfile + run: yarn install --frozen-lockfile --ignore-scripts - name: Warn on failed dependency install if: steps.install-deps.outcome == 'failure'
From f962f44083bda0cfee9d802b6427658bdafd12fe Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Fri, 20 Mar 2026 17:56:50 +0200
Subject: [PATCH 07/14] Revert "fix: use --local git config" The marketplace clone runs outside the checkout directory, so --local git config doesn't apply. Revert to --global.
---
.github/workflows/claude-code-dependency-review.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index ae0c92a..7483261 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -37,7 +37,7 @@ jobs: - name: Configure git for private repositories run: | if [ -n "$GIT_ACCESS_TOKEN" ]; then - git config --local url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/" + git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/" fi env: GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
From e61c4f4e4d0efb8694ea8e8abd52e2764e970d4b Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Fri, 20 Mar 2026 18:27:07 +0200
Subject: [PATCH 08/14] fix: Add checks:read permission for CI status verification Without this permission the reviewer cannot query check run results and reports "Unable to verify" CI status.
---
.github/workflows/claude-code-dependency-review.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 7483261..1a74dc1 100644
--- a/.github/workflows/claude-code-dependency-review.yml
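Review bot: `--ignore-scripts` on the `yarn install --frozen-lockfile` line stops lifecycle scripts, but the install still resolves every URL in the PR-controlled `yarn.lock` and `package.json`, and the global `insteadOf` rewrite configured in the preceding step makes git present the organisation token to any `https://github.com/` dependency listed there, so the credential is exercised against PR-chosen repositories even though no script runs. That makes the token's scope the real control: keep it limited to the private repositories this workflow needs, and treat lockfile changes that introduce git dependencies as something the review should call out. The `Warn on failed dependency install` step that follows could also log which fetch failed, which helps triage a rejected URL. The enclosing `steps:` list runs past the hunk.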
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -27,6 +27,7 @@ jobs: contents: read pull-requests: write id-token: write + checks: read steps: - uses: actions/checkout@v6
From c76c3851375fea516ea5f80fd136f6672d6d0b1a Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Mon, 23 Mar 2026 10:04:32 +0200
Subject: [PATCH 09/14] fix: Replace GIT_ACCESS_TOKEN with GitHub App token Use actions/create-github-app-token@v1 instead of the GIT_ACCESS_TOKEN secret.
---
.../claude-code-dependency-review.yml | 20 +++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 1a74dc1..9bed797 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -15,9 +15,9 @@ on: CLOUD_ML_REGION: required: true description: GCP region for Vertex AI - GIT_ACCESS_TOKEN: + ACTIONS_APP_PRIVATE_KEY: required: false - description: Token for accessing private Git repositories in the same org + description: Private key for the GitHub App used to access private repositories jobs: dependency-review:
@@ -35,13 +35,21 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 1 + - name: Generate token for private repositories + if: vars.ACTIONS_APP_ID != '' + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.ACTIONS_APP_ID }} + private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + - name: Configure git for private repositories + if: steps.app-token.outputs.token != '' run: | - if [ -n "$GIT_ACCESS_TOKEN" ]; then - git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/" - fi + git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/" env: - GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }} + GIT_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} - name: Install dependencies id: install-deps
From d0370379981599d79e0949cfe5182630bc48a9d4 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Tue, 24 Mar 2026 09:54:47 +0200
Subject: [PATCH 10/14] fix: Use actions:read permission instead of checks:read
---
.github/workflows/claude-code-dependency-review.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 9bed797..61dd2d4 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -27,7 +27,7 @@ jobs: contents: read pull-requests: write id-token: write - checks: read + actions: read steps: - uses: actions/checkout@v6
From 9559737888a4a0f93f54f58205313cd75eed5af1 Mon Sep 17 00:00:00 2001
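Review bot: The new `Generate token for private repositories` step passes `owner:` but no `repositories:` input to `actions/create-github-app-token`, so the installation token it mints covers every repository the App is installed on in the organisation, and that token is then wired into a global `insteadOf` rewrite in a job that processes untrusted PR content; add `repositories:` listing only the private repositories the install and the marketplace clone need. The action is referenced by the floating tag `actions/create-github-app-token@v1` (as are `actions/checkout@v6` here and `actions/setup-node@v4` in PATCH 13/14), and a privileged `pull_request_target` job is exactly where pinning third-party actions to a full commit SHA pays off. The action's post-step revokes the token at job end unless `skip-token-revoke` is set, which bounds the lifetime of the plaintext credential left in `~/.gitconfig` to this job, but not its visibility to the steps in between. The `GIT_ACCESS_TOKEN` env name no longer describes its source; `APP_TOKEN` would read better. The `Install dependencies` step continues outside the hunk.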
From: Dimitrios Vasilas
Date: Tue, 24 Mar 2026 10:07:32 +0200
Subject: [PATCH 11/14] Revert "fix: Use actions:read permission instead of checks:read" This reverts commit d0370379981599d79e0949cfe5182630bc48a9d4.
---
.github/workflows/claude-code-dependency-review.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 61dd2d4..9bed797 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -27,7 +27,7 @@ jobs: contents: read pull-requests: write id-token: write - actions: read + checks: read steps: - uses: actions/checkout@v6
From 2a79741efc70a6a29cb6260f1ff1b5ed85bb7dc3 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Tue, 24 Mar 2026 10:09:47 +0200
Subject: [PATCH 12/14] fix: Pass ACTIONS_APP_ID as workflow input instead of vars
---
.github/workflows/claude-code-dependency-review.yml | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 9bed797..4fdba60 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -18,6 +18,11 @@ on: ACTIONS_APP_PRIVATE_KEY: required: false description: Private key for the GitHub App used to access private repositories + inputs: + ACTIONS_APP_ID: + required: false + type: string + description: App ID for the GitHub App used to access private repositories jobs: dependency-review:
@@ -36,11 +41,11 @@ jobs: fetch-depth: 1 - name: Generate token for private repositories - if: vars.ACTIONS_APP_ID != '' + if: inputs.ACTIONS_APP_ID != '' uses: actions/create-github-app-token@v1 id: app-token with: - app-id: ${{ vars.ACTIONS_APP_ID }} + app-id: ${{ inputs.ACTIONS_APP_ID }} private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }}
From ede5eaeaf14e67f0b34607ef9ae8851124077677 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Tue, 24 Mar 2026 10:27:20 +0200
Subject: [PATCH 13/14] fix: Add Node.js setup step with configurable version
---
.github/workflows/claude-code-dependency-review.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 4fdba60..af0dd84 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -23,6 +23,11 @@ on: required: false type: string description: App ID for the GitHub App used to access private repositories + node-version: + required: false + type: string + default: '22' + description: Node.js version to use for dependency installation jobs: dependency-review:
@@ -56,6 +61,12 @@ jobs: env: GIT_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} + - name: Set up Node.js + if: hashFiles('yarn.lock') != '' + uses: actions/setup-node@v4 + with: + node-version: ${{ inputs.node-version }} + - name: Install dependencies id: install-deps if: hashFiles('yarn.lock') != ''
From 6c138a0975286e2888b202d833d3dd04f490e5f0 Mon Sep 17 00:00:00 2001
From: Dimitrios Vasilas
Date: Tue, 24 Mar 2026 10:35:08 +0200
Subject: [PATCH 14/14] fix: Add actions:read permission alongside checks:read
---
.github/workflows/claude-code-dependency-review.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index af0dd84..d43480a 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -38,6 +38,7 @@ jobs: pull-requests: write id-token: write checks: read + actions: read steps: - uses: actions/checkout@v6