From d2696fd96f2a6e7cf6ed00d651e1a58fcc0477be Mon Sep 17 00:00:00 2001 From: Dan Sutton Date: Thu, 11 Jun 2026 12:59:03 +0100 Subject: [PATCH] ci: gate optional Claude and security-scan jobs behind repository variables Add per-job `if:` gates so deployments that don't want or can't run these jobs can switch them off without editing workflows: - ENABLE_CLAUDE_CODE gates the Claude jobs (interactive @claude, the CLAUDE.md audit, and the REVIEW.md drift audit). - ENABLE_WORKFLOW_SECURITY_SCAN gates the Zizmor job, which uploads SARIF and so needs GitHub code scanning enabled. Both default to enabled: a job runs unless its variable is explicitly set to 'false', so existing behaviour is unchanged where the variables are unset.
---
 .github/workflows/check-review-md.yml | 3 +++
 .github/workflows/claude-md-audit.yml | 3 +++
 .github/workflows/claude.yml | 13 +++++++++----
 .github/workflows/workflow-checks.yml | 5 +++++
 4 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/check-review-md.yml b/.github/workflows/check-review-md.yml
index fb093ac9a1c..4efa5edfc32 100644
--- a/.github/workflows/check-review-md.yml
+++ b/.github/workflows/check-review-md.yml
@@ -14,7 +14,10 @@ concurrency:
 jobs:
 audit:
+ # Set the ENABLE_CLAUDE_CODE repository variable to 'false' to turn off Claude
+ # jobs; leave it unset (the default) to keep them enabled.
 if: >-
+ vars.ENABLE_CLAUDE_CODE != 'false' &&
 github.event.pull_request.draft == false &&
 github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
diff --git a/.github/workflows/claude-md-audit.yml b/.github/workflows/claude-md-audit.yml
index 32240ba5ea8..e6d459fd9b3 100644
--- a/.github/workflows/claude-md-audit.yml
+++ b/.github/workflows/claude-md-audit.yml
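Review bot: The new comment above `if:` says what disables the job but not what other values do: the gate is a plain string comparison, so only the literal `false` (GitHub compares strings case-insensitively, so `FALSE` counts too) turns the job off, while `0`, `no` or `off` silently keep it enabled, which is the wrong direction for a kill-switch to fail in. Consider extending the comment with `# Only the literal value 'false' (any case) disables the job; unset or any other value keeps it enabled.` The same comment and gate are repeated in the claude-md-audit.yml and claude.yml hunks, so either keep the three copies in sync or document the variable once in the repository docs and leave a one-line pointer here. The `audit` job definition continues past the end of the hunk.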
@@ -15,7 +15,10 @@ concurrency:
 jobs:
 audit:
+ # Set the ENABLE_CLAUDE_CODE repository variable to 'false' to turn off Claude
+ # jobs; leave it unset (the default) to keep them enabled.
 if: >-
+ vars.ENABLE_CLAUDE_CODE != 'false' &&
 github.event.pull_request.draft == false &&
 github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 1c783e7ef6d..6eb3ec9e860 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -12,11 +12,16 @@ on:
 jobs:
 claude:
+ # Set the ENABLE_CLAUDE_CODE repository variable to 'false' to turn off Claude
+ # jobs; leave it unset (the default) to keep them enabled.
 if: |
- (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
- (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ vars.ENABLE_CLAUDE_CODE != 'false' &&
+ (
+ (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+ (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ )
 runs-on: ubuntu-latest
 permissions:
 contents: write
diff --git a/.github/workflows/workflow-checks.yml b/.github/workflows/workflow-checks.yml
index a11918c04fe..e99a4d33427 100644
--- a/.github/workflows/workflow-checks.yml
+++ b/.github/workflows/workflow-checks.yml
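Review bot: The outer parentheses added around the four `@claude` trigger alternatives in claude.yml are load-bearing and nothing in the new comment says so: `&&` binds tighter than `||` in GitHub expressions, so if a later edit drops them, `vars.ENABLE_CLAUDE_CODE != 'false' && A || B || C || D` gates only the first trigger and the other three still start a job that holds `contents: write`. Consider a comment on the opening `(` line such as `# Parentheses required: && binds tighter than ||, so the gate must wrap every trigger alternative.` The `claude` job (the rest of its `permissions:` block and its steps) continues past the end of the hunk.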
@@ -36,6 +36,11 @@ jobs:
 zizmor:
 name: Zizmor
+ # Uploads SARIF to the Security tab, which requires GitHub code scanning to be
+ # enabled on the repository. Set the ENABLE_WORKFLOW_SECURITY_SCAN repository
+ # variable to 'false' to skip this job where code scanning isn't available;
+ # leave it unset (the default) to run the scan.
+ if: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN != 'false' }}
 runs-on: ubuntu-latest
 permissions:
 security-events: write # Upload SARIF to GitHub Security tab
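Review bot: Gating the whole `zizmor` job on `ENABLE_WORKFLOW_SECURITY_SCAN` drops the workflow-security lint entirely for repositories without code scanning, although the comment itself says only the SARIF upload depends on it. If the job's steps (outside the hunk) run zizmor and upload the SARIF separately, gating only the upload step with the same `if:` expression, and letting zizmor fail the job on findings in its plain output, keeps the check where it is most needed. The `${{ }}` wrapper is also the only one among the four new gates; the other hunks write the bare expression in a block scalar, so pick one form. The `zizmor` job continues past the end of the hunk.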