diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
new file mode 100644
index 000000000000..8ddc8a9e8a16
--- /dev/null
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -0,0 +1,49 @@
+name: Fix Security Vulnerability
+
+on:
+  workflow_dispatch:
+    inputs:
+      alert:
+        description:
+          'Dependabot alert number or URL (e.g. 1046 or
+          https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
+        required: true
+
+concurrency:
+  group: fix-security-vuln-${{ github.event.inputs.alert }}
+  cancel-in-progress: false
+
+jobs:
+  fix-vulnerability:
+    runs-on: ubuntu-latest
+    environment: ci-triage
+    permissions:
+      contents: write
+      pull-requests: write
+      security-events: read
+      issues: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: develop
+
+      - uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          prompt: |
+            /fix-security-vulnerability ${{ github.event.inputs.alert }}
+
+            IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
+
+            If you can fix the vulnerability:
+            Create a branch named fix/security-, apply the fix, and open a PR with your analysis
+            in the PR description. Target the develop branch.
+
+            If you determine the alert should NOT be fixed:
+            Do NOT dismiss the alert. Instead, open a GitHub issue with:
+            - Title: "Security: Dismiss Dependabot alert # - "
+            - Label: "Security"
+            - Body: Include the full vulnerability details, your analysis,
+              the recommended dismissal reason, and why the alert cannot/should not be fixed.
+          claude_args: |
+            --max-turns 20 --allowedTools "Bash(gh api repos/getsentry/sentry-javascript/dependabot/alerts/*),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git checkout *),Bash(git add *),Bash(git commit *),Edit,Write"
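Review bot: The two third-party actions in the new `steps`, `actions/checkout@v4` and `anthropics/claude-code-action@v1`, are referenced by mutable major-version tags even though this job carries `contents: write`, `pull-requests: write` and the `ANTHROPIC_API_KEY` secret; pinning them to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4` and `- uses: anthropics/claude-code-action@<full-commit-sha> # v1`, prevents a retagged release from changing what runs with those credentials. Because `--allowedTools` includes `Bash(yarn install*)`, an install the agent runs will typically also execute the lifecycle scripts of whatever dependency version gets newly resolved, on the same runner that holds the write-scoped token, which deserves a comment above `claude_args`. The branch name `fix/security-` and issue title `Dismiss Dependabot alert # - ` in the prompt look as if they lost an alert-number placeholder, possibly only in rendering; if the committed file really reads that way the intended substitution should be spelled out. The `alert` input is interpolated unvalidated into both the prompt and the `concurrency.group`; a short preceding step that rejects anything other than a number or a URL under this repository's `security/dependabot/` path would bound what reaches the agent.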