feat(ci): Add security vulnerability skill action (#19355)

nicohrubec · web-flow · commit 1b577c0b2bb2 · 2026-02-19T13:52:56.000+01:00
Closes #19368 (added automatically)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
@@ -0,0 +1,49 @@
+name: Fix Security Vulnerability
+
+on:
+  workflow_dispatch:
+    inputs:
+      alert:
+        description:
+          'Dependabot alert number or URL (e.g. 1046 or
+          https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
+        required: true
+
+concurrency:
+  group: fix-security-vuln-${{ github.event.inputs.alert }}
+  cancel-in-progress: false
+
+jobs:
+  fix-vulnerability:
+    runs-on: ubuntu-latest
+    environment: ci-triage
+    permissions:
+      contents: write
+      pull-requests: write
+      security-events: read
+      issues: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: develop
+
+      - uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          prompt: |
+            /fix-security-vulnerability ${{ github.event.inputs.alert }}
+
+            IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
+
+            If you can fix the vulnerability:
+              Create a branch named fix/security-<alert-number>, apply the fix, and open a PR with your analysis
+              in the PR description. Target the develop branch.
+
+            If you determine the alert should NOT be fixed:
+              Do NOT dismiss the alert. Instead, open a GitHub issue with:
+              - Title: "Security: Dismiss Dependabot alert #<number> - <package-name>"
+              - Label: "Security"
+              - Body: Include the full vulnerability details, your analysis,
+                the recommended dismissal reason, and why the alert cannot/should not be fixed.
+          claude_args: |
+            --max-turns 20 --allowedTools "Bash(gh api repos/getsentry/sentry-javascript/dependabot/alerts/*),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git checkout *),Bash(git add *),Bash(git commit *),Edit,Write"
