From ccd35f92ca4c428805ffb8e7efdb6d3e31a4077f Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Tue, 17 Feb 2026 13:15:50 +0100
Subject: [PATCH 01/11] add security vulnerability action
---
 .../workflows/fix-security-vulnerability.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/fix-security-vulnerability.yml
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
new file mode 100644
index 000000000000..38ed19e4ec45
--- /dev/null
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -0,0 +1,38 @@
+name: Fix Security Vulnerability
+
+on:
+ dependabot_alert:
+ types: [created]
+ workflow_dispatch:
+ inputs:
+ alert:
+ description: 'Dependabot alert number or URL (e.g. 1046 or https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
+ required: true
+
+concurrency:
+ group: fix-security-vuln-${{ github.event.alert.number || github.event.inputs.alert }}
+ cancel-in-progress: false
+
+jobs:
+ fix-vulnerability:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ issues: write
+ security-events: read
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: develop
+ - uses: anthropics/claude-code-action@v1
+ with:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ prompt: |
+ /fix-security-vulnerability ${{ github.event.alert.number || github.event.inputs.alert }}
+
+ IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
+ Create a branch, apply the fix, and open a PR with your analysis
+ in the PR description. Target the develop branch.
+ claude_args: "--max-turns 20"
From 4b02e8d18205c6619a700b04140408d7e273fca1 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Tue, 17 Feb 2026 13:23:31 +0100
Subject: [PATCH 02/11] yarn fix
---
 .github/workflows/fix-security-vulnerability.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
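Review bot: The `alert` input is free text ("number or URL") and is interpolated unvalidated into both the agent prompt (`/fix-security-vulnerability ${{ ... }}`) and the concurrency group name, so whoever dispatches the run can put arbitrary instructions on the first line of the agent's prompt; a step that fails fast unless the value is a bare number or the expected alert URL belongs before the agent runs (below, with the value read through `env:` so it is never shell-expanded). Both actions are pinned to moving major tags (`actions/checkout@v4`, `anthropics/claude-code-action@v1`) although the job hands them `secrets.ANTHROPIC_API_KEY` and a token with `contents: write` and `pull-requests: write`; pin each to a commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<COMMIT_SHA_PLACEHOLDER> # v4`. It would also help to record why `security-events` is only `read`: `# read-only on purpose: a write here would let the job change alert state` — that permission, not the prompt's "Do NOT dismiss", is what would actually block a dismissal call.
```yaml
    steps:
      - name: Validate alert input
        env:
          # read via env, not ${{ }} inside run:, so the value is data, not shell
          ALERT: ${{ github.event.alert.number || github.event.inputs.alert }}
        run: |
          if ! printf '%s\n' "$ALERT" | grep -Eq '^([0-9]+|https://github\.com/getsentry/sentry-javascript/security/dependabot/[0-9]+)$'; then
            echo "::error::alert must be a Dependabot alert number or alert URL"
            exit 1
          fi
      # … unchanged: checkout and claude-code-action steps …
```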
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index 38ed19e4ec45..dc2973b109d8 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -6,7 +6,9 @@ on:
 workflow_dispatch:
 inputs:
 alert:
- description: 'Dependabot alert number or URL (e.g. 1046 or https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
+ description:
+ 'Dependabot alert number or URL (e.g. 1046 or
+ https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
 required: true
 concurrency:
@@ -35,4 +37,4 @@ jobs:
 IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
 Create a branch, apply the fix, and open a PR with your analysis
 in the PR description. Target the develop branch.
- claude_args: "--max-turns 20"
+ claude_args: '--max-turns 20'
From 4d086916eac4393319d236185e8eaf37add89a16 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Tue, 17 Feb 2026 13:30:09 +0100
Subject: [PATCH 03/11] remove issues write permission
---
 .github/workflows/fix-security-vulnerability.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index dc2973b109d8..bd91328ad7db 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -21,7 +21,6 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
- issues: write
 security-events: read
 steps:
 - uses: actions/checkout@v4
From 403503093706ea8760308216fc4af5fcad504937 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Wed, 18 Feb 2026 09:10:00 +0100
Subject: [PATCH 04/11] update workflow
---
 .github/workflows/fix-security-vulnerability.yml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index bd91328ad7db..93ba6420a8c5 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -22,6 +22,7 @@ jobs:
 contents: write
 pull-requests: write
 security-events: read
+ issues: write
 steps:
 - uses: actions/checkout@v4
 with:
@@ -34,6 +35,16 @@ jobs:
 /fix-security-vulnerability ${{ github.event.alert.number || github.event.inputs.alert }}
 IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
- Create a branch, apply the fix, and open a PR with your analysis
- in the PR description. Target the develop branch.
+
+ If you can fix the vulnerability:
+ Create a branch, apply the fix, and open a PR with your analysis
+ in the PR description. Target the develop branch.
+
+ If you determine the alert should NOT be fixed (version-specific test package,
+ false positive, no upstream fix available, dev-only acceptable risk, etc.):
+ Do NOT dismiss the alert. Instead, open a GitHub issue with:
+ - Title: "Security: Dismiss Dependabot alert # - "
+ - Label: "Security"
+ - Body: Include the full vulnerability details, your analysis,
+ the recommended dismissal reason, and why the alert cannot/should not be fixed.
 claude_args: '--max-turns 20'
From f99bf8e082fce107dd4d589797d4aa984905dd57 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Wed, 18 Feb 2026 09:47:09 +0100
Subject: [PATCH 05/11] simplify
---
 .github/workflows/fix-security-vulnerability.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index 93ba6420a8c5..9594d86ffa67 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
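Review bot: The issue-title line `- Title: "Security: Dismiss Dependabot alert # - "` has nothing after `#` and nothing after `-`, so the agent is asked to fill two slots it is never told the contents of; if placeholders in angle brackets were written there they may have been stripped on the way to this page, so please confirm the file, and consider spelling them out without brackets, e.g. `alert #ALERT_NUMBER - PACKAGE_NAME`, so they survive any rendering. The same patch re-adds `issues: write`, which [PATCH 03/11] had just removed, without saying why; a comment on that line, `# issues: write — the agent files a dismissal-request issue instead of dismissing the alert itself`, would record the reason. Note that the prompt's "Do NOT dismiss the alert" is advisory; what makes it hold is that the job keeps `security-events: read`, and that is worth stating next to the permission rather than leaving it implicit.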
@@ -40,8 +40,7 @@ jobs:
 Create a branch, apply the fix, and open a PR with your analysis
 in the PR description. Target the develop branch.
- If you determine the alert should NOT be fixed (version-specific test package,
- false positive, no upstream fix available, dev-only acceptable risk, etc.):
+ If you determine the alert should NOT be fixed:
 Do NOT dismiss the alert. Instead, open a GitHub issue with:
 - Title: "Security: Dismiss Dependabot alert # - "
 - Label: "Security"
From c5b538965c5a5d38987eb47626e4c8d46a87b5e3 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Wed, 18 Feb 2026 16:07:34 +0100
Subject: [PATCH 06/11] add tools
---
 .github/workflows/fix-security-vulnerability.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index 9594d86ffa67..1ff86d89109b 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -46,4 +46,5 @@ jobs:
 - Label: "Security"
 - Body: Include the full vulnerability details, your analysis,
 the recommended dismissal reason, and why the alert cannot/should not be fixed.
- claude_args: '--max-turns 20'
+ claude_args: |
+ --max-turns 20 --allowedTools "Bash(gh api *),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git *)"
From 22a9e393eee3ae35a4789ce70ebd5c5a0a9b5283 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Thu, 19 Feb 2026 11:44:49 +0100
Subject: [PATCH 07/11] restrict permissions
---
 .github/workflows/fix-security-vulnerability.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index 1ff86d89109b..d8c225b61ab4 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
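Review bot: `Bash(yarn install*)` in the new `--allowedTools` list lets the agent run an install after it has changed manifest or lockfile versions, and an install executes the lifecycle scripts of whatever it just pulled in, inside a job that holds `secrets.ANTHROPIC_API_KEY` and a write-capable token; if the repository's yarn version has an install mode that skips build/lifecycle scripts, narrow the pattern to that form, and otherwise treat every version bump the agent proposes as code that already ran on this runner. `Bash(gh api *)` and `Bash(git *)` are open-ended here (any method, any remote); later patches in this series narrow both, so no change is needed on this hunk for them. The `|` block scalar on `claude_args:` leaves a trailing newline on the argument string, which is harmless for a command line but `|-` says what is meant.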
@@ -37,7 +37,7 @@ jobs:
 IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
 If you can fix the vulnerability:
- Create a branch, apply the fix, and open a PR with your analysis
+ Create a branch named fix/security-, apply the fix, and open a PR with your analysis
 in the PR description. Target the develop branch.
 If you determine the alert should NOT be fixed:
@@ -47,4 +47,4 @@ jobs:
 - Body: Include the full vulnerability details, your analysis,
 the recommended dismissal reason, and why the alert cannot/should not be fixed.
 claude_args: |
- --max-turns 20 --allowedTools "Bash(gh api *),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git *)"
+ --max-turns 20 --allowedTools "Bash(gh api *),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git checkout *),Bash(git add *),Bash(git commit *),"
From f7828b03cad328ecf944a9a5c6a097cd6c3c0682 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Thu, 19 Feb 2026 11:53:27 +0100
Subject: [PATCH 08/11] reduce permissions
---
 .github/workflows/fix-security-vulnerability.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index d8c225b61ab4..89edf6d22e08 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
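Review bot: After this change the allow list has `git checkout`, `git add` and `git commit` but no `git push`, while the prompt still asks for a PR against `develop`; unless `gh pr create` pushes the local branch itself in this non-interactive run (worth verifying with a single dispatch), the agent can no longer get its commit to the remote and the run ends without a PR. If a push turns out to be needed, keep it as narrow as the branch name, e.g. `Bash(git push origin fix/security-*)`. The prompt's branch name is `fix/security-` with nothing after the dash — if a bracketed placeholder was intended it looks stripped here, so confirm the file — and the list now ends in `Bash(git commit *),`, a trailing comma whose empty entry depends on how the action tokenises the list; [PATCH 11/11] happens to fill that slot, but on its own this hunk should drop the comma.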
@@ -47,4 +47,4 @@ jobs:
 - Body: Include the full vulnerability details, your analysis,
 the recommended dismissal reason, and why the alert cannot/should not be fixed.
 claude_args: |
- --max-turns 20 --allowedTools "Bash(gh api *),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git checkout *),Bash(git add *),Bash(git commit *),"
+ --max-turns 20 --allowedTools "Bash(gh api repos/getsentry/sentry-javascript/dependabot/alerts/*),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git checkout *),Bash(git add *),Bash(git commit *),"
From a00f7008a0c4099b8b15092b4ba87939f1cf684d Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Thu, 19 Feb 2026 12:17:18 +0100
Subject: [PATCH 09/11] .
---
 .github/workflows/fix-security-vulnerability.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index 89edf6d22e08..e5d5655bdef0 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -18,6 +18,7 @@ concurrency:
 jobs:
 fix-vulnerability:
 runs-on: ubuntu-latest
+ environment: ci-triage
 permissions:
 contents: write
 pull-requests: write
From 3d34fce1dd487845a1c3869da22cfdfbae03686b Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Thu, 19 Feb 2026 13:22:11 +0100
Subject: [PATCH 10/11] only manual trigger
---
 .github/workflows/fix-security-vulnerability.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index e5d5655bdef0..77197ca98f89 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
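Review bot: `Bash(gh api repos/getsentry/sentry-javascript/dependabot/alerts/*)` narrows the path, but the trailing `*` still matches everything that follows it, including a method flag and request fields, so the pattern by itself does not make the call read-only; what does is the job's `security-events: read`, against which the API would refuse a state change. That dependency is invisible from the allow list, so a comment on the permission line, `# security-events stays read: a write here would let the agent change alert state via gh api`, keeps a later permission bump from silently reopening it. The allow list is also a single very long line inside a `|` scalar; one entry per line joined by a folded `>-` scalar would make future diffs to it reviewable.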
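Review bot: `environment: ci-triage` is the only line in this patch and the commit subject is `.`, so nothing records what the environment is meant to enforce; a comment on the line, e.g. `# ci-triage: environment-scoped secrets and required reviewers gate each run (see repository environment settings)`, would tell a reader what to check there, assuming that is how the environment is configured. If `ANTHROPIC_API_KEY` is meant to be reachable only through this environment, it has to be stored as an environment secret rather than a repository secret, which this file cannot show and the comment should say.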
@@ -1,8 +1,6 @@
 name: Fix Security Vulnerability
 on:
- dependabot_alert:
- types: [created]
 workflow_dispatch:
 inputs:
 alert:
@@ -12,7 +10,7 @@ on:
 required: true
 concurrency:
- group: fix-security-vuln-${{ github.event.alert.number || github.event.inputs.alert }}
+ group: fix-security-vuln-${{ github.event.inputs.alert }}
 cancel-in-progress: false
 jobs:
@@ -33,7 +31,7 @@ jobs:
 with:
 anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 prompt: |
- /fix-security-vulnerability ${{ github.event.alert.number || github.event.inputs.alert }}
+ /fix-security-vulnerability ${{ github.event.inputs.alert }}
 IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
From 14f5ae287c84e2f305807e65f749b04c9c9f6d1d Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Thu, 19 Feb 2026 13:31:21 +0100
Subject: [PATCH 11/11] edit write
---
 .github/workflows/fix-security-vulnerability.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index 77197ca98f89..8ddc8a9e8a16 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -46,4 +46,4 @@ jobs:
 - Body: Include the full vulnerability details, your analysis,
 the recommended dismissal reason, and why the alert cannot/should not be fixed.
 claude_args: |
- --max-turns 20 --allowedTools "Bash(gh api repos/getsentry/sentry-javascript/dependabot/alerts/*),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git checkout *),Bash(git add *),Bash(git commit *),"
+ --max-turns 20 --allowedTools "Bash(gh api repos/getsentry/sentry-javascript/dependabot/alerts/*),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git checkout *),Bash(git add *),Bash(git commit *),Edit,Write"
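Review bot: With only `workflow_dispatch` left, `group: fix-security-vuln-${{ github.event.inputs.alert }}` keys concurrency on the raw input, and the input description still accepts either a number or the full alert URL, so `1046` and `.../dependabot/1046` land in different groups and two runs for the same alert can proceed at once, both trying to create the same `fix/security-` branch. The concurrency key is evaluated before any step runs, so it cannot be normalised inside the job; either accept only the number (`type: number` on the input, with the description changed to match) or state in the description that the URL form is not serialised against the numeric one. The free-form value also still reaches the prompt unvalidated; that point, with a validation step, is raised on [PATCH 01/11] and still applies here.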
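Review bot: `Edit,Write` are appended with no path scope, so the agent may now rewrite any tracked file, not only the manifest and lockfile a dependency fix touches; the prompt, not the tool list, is all that confines it, and PR review is the control that remains, which deserves saying next to the list — as a comment line above `claude_args:`, not inside the `|` block scalar where it would become part of the argument string: `# Edit/Write are unscoped — every change the agent makes lands in a PR that a human reviews before merge`. Changes under `.github/workflows/` should still be refused at push time because the job declares no `workflows` permission, as far as I know; confirm that once rather than relying on it from memory. This hunk also resolves the trailing-comma entry left by [PATCH 07/11].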