feat(ci): review Dependabot PRs with Claude #17
Conversation
| continue-on-error: true | ||
| with: | ||
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| github_token: ${{ steps.app-token.outputs.token }} |
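Review bot: `continue-on-error: true` on this step means a failed review run is swallowed rather than surfaced, which matters here because the PR description says the review step fails outright in Dependabot runs when `HOTDATA_AUTOMATION_PRIVATE_KEY` and `ANTHROPIC_API_KEY` are not mirrored into the Dependabot secret store; the workflow would then go green with no review posted and nobody would notice. Consider dropping `continue-on-error`, or adding a preceding step that fails loudly when `secrets.ANTHROPIC_API_KEY` or the App token is empty, so a misconfigured secret surfaces as a red check instead of a silent no-op.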
super nit (not blocking): This now hands the org-scoped App token (owner: hotdata-dev, no `repositories:` restriction) to the Claude action, where it processes untrusted content — the PR diff and prior comment threads. Previously the action ran with the repo-scoped default `GITHUB_TOKEN`, so this widens the blast radius of any prompt injection: combined with `Bash(gh pr comment:*)` / `Bash(gh pr review:*)` in `allowedTools` (which permit `--repo`), a successful injection could act on other repos in the org or auto-approve.
The content is already marked untrusted in the prompt and the tool set is constrained, so this is inherent-design risk rather than a new bug. If you want to tighten it, consider scoping the App token with repositories: ${{ github.event.repository.name }} on the create-github-app-token step so the review token can only touch this repo.
Approving. The Dependabot enablement is coherent: no PR code is executed in this workflow (only gh api reads and the prompt is loaded from a separate main checkout), write paths consistently use the App token where the read-only GITHUB_TOKEN would fail, and the read-context step correctly keeps the default token. One non-blocking security note left inline re: scoping the App token to this repo.
Closing — reviewing Dependabot version-bump PRs with Claude adds little signal and would require mirroring secrets into the Dependabot secret store (widening the secret/security surface). Keeping the existing skip; handling Dependabot toil via CI-gated auto-merge in hotdata-cli instead.
Stop skipping Dependabot PRs in the Claude review workflow: removes the `dependabot[bot]` skip gates, adds `dependabot[bot]` to `allowed_bots`, and routes write operations through the App token (Dependabot runs get a read-only `GITHUB_TOKEN`).

Requires `HOTDATA_AUTOMATION_PRIVATE_KEY` and `ANTHROPIC_API_KEY` to be set as Dependabot secrets (org-level) — Dependabot runs can't see Actions secrets, so without this the review step fails.
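The token split discussed in this PR, written out as an added workflow example rather than the project's actual `.github/workflows` file: the read-context step keeps the default read-only token, the Claude action gets an App token for its write paths, and that App token is minted with the `repositories:` restriction the inline review suggested, so a prompt injection that reaches `gh pr comment --repo <other>` gets a 403/404 instead of a successful write. The `HOTDATA_AUTOMATION_APP_ID` secret name, the trigger block and the `actions/create-github-app-token@v1` / `anthropics/claude-code-action@v1` pins are assumptions; only the two secret names and the `github_token: ${{ steps.app-token.outputs.token }}` wiring come from the page.

```yaml
# Added example, not the project's own workflow. Secret name
# HOTDATA_AUTOMATION_APP_ID and the action pins are assumptions.
name: claude-review

on:
  pull_request:
    types: [opened, synchronize]

# Default token stays read-only; all writes go through the App token below.
permissions:
  contents: read
  pull-requests: read

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - name: Mint an App token scoped to this repository only
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.HOTDATA_AUTOMATION_APP_ID }}
          private-key: ${{ secrets.HOTDATA_AUTOMATION_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          # The weak form omits the next line: the token then covers every
          # repository the App is installed on across the org. With it, a
          # hijacked `gh pr review --repo <other>` fails instead of landing.
          repositories: ${{ github.event.repository.name }}

      - name: Read PR context with the default read-only token
        id: context
        env:
          # Deliberately NOT the App token: this step only reads.
          GH_TOKEN: ${{ github.token }}
        run: |
          gh api "repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }}/files" \
            --jq '.[].filename' > changed-files.txt
          wc -l changed-files.txt

      - name: Review with Claude (write paths use the scoped App token)
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ steps.app-token.outputs.token }}
```

To confirm the restriction actually took, add a throwaway step that runs `GH_TOKEN=${{ steps.app-token.outputs.token }} gh api repos/${{ github.repository_owner }}/<some-other-repo>` and expect it to fail; the same call against `${{ github.repository }}` should succeed. Because Dependabot-triggered runs read secrets from the Dependabot store rather than the Actions store, both `HOTDATA_AUTOMATION_APP_ID` (assumed name) and `HOTDATA_AUTOMATION_PRIVATE_KEY` would need to be present in both stores for this to work on both kinds of PR.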