From 9c12c59404ff01a6f1cf68d643189cbe387bfdf5 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Tue, 3 Mar 2026 13:33:49 +0100
Subject: [PATCH] chore(fix-security-vulnerability): Remove security vulnerability action
---
 .../workflows/fix-security-vulnerability.yml | 69 -------------------
 1 file changed, 69 deletions(-)
 delete mode 100644 .github/workflows/fix-security-vulnerability.yml
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
deleted file mode 100644
index bfaecfb175eb..000000000000
--- a/.github/workflows/fix-security-vulnerability.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-name: Fix Security Vulnerability
-
-on:
- workflow_dispatch:
- inputs:
- alert:
- description:
- 'Dependabot alert number or URL (e.g. 1046 or
- https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
- required: true
-
-concurrency:
- group: fix-security-vuln-${{ github.event.inputs.alert }}
- cancel-in-progress: false
-
-jobs:
- fix-vulnerability:
- runs-on: ubuntu-latest
- environment: ci-triage
- permissions:
- contents: write
- pull-requests: write
- security-events: read
- issues: write
- id-token: write
- steps:
- - uses: actions/checkout@v6
- with:
- ref: develop
-
- - name: Extract alert number
- id: alert
- run: |
- INPUT="${{ github.event.inputs.alert }}"
- RAW="${INPUT##*/}"
- NUMBER="${RAW%%\?*}"
- if ! [[ "$NUMBER" =~ ^[0-9]+$ ]]; then
- echo "Error: Could not extract a valid numeric alert ID from input: $INPUT"
- exit 1
- fi
- echo "number=$NUMBER" >> "$GITHUB_OUTPUT"
-
- - uses: anthropics/claude-code-action@v1
- with:
- anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
- prompt: |
- YOUR FIRST ACTION - run this exact command before anything else:
- gh api repos/getsentry/sentry-javascript/dependabot/alerts/${{ steps.alert.outputs.number }}
-
- Then use the output to follow the skill instructions below.
-
- /fix-security-vulnerability ${{ github.event.inputs.alert }}
-
- IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
- Your allowed tools are narrowly scoped - only the exact command patterns listed will be permitted.
-
- If you can fix the vulnerability:
- Create a branch named fix/security-, apply the fix, and open a PR with your analysis
- in the PR description. Target the develop branch.
-
- If you determine the alert should NOT be fixed:
- Do NOT dismiss the alert. Instead, open a GitHub issue with:
- - Title: "Security: Dismiss Dependabot alert # - "
- - Label: "Security"
- - Body: Include the full vulnerability details, your analysis,
- the recommended dismissal reason, and why the alert cannot/should not be fixed.
- model: claude-opus-4-6
- claude_args: |
- --max-turns 20 --allowedTools "Bash(gh api *repos/getsentry/sentry-javascript/dependabot/alerts/*),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git checkout *),Bash(git add *),Bash(git commit *),Edit,Write"