From c1aefde35f303a7996635619baca6bd9c34cd65d Mon Sep 17 00:00:00 2001
From: Mohanad Fteha
Date: Mon, 4 May 2026 13:01:28 +0300
Subject: [PATCH 1/3] feat(ci): add security scan workflow for PRs
Replace generic Claude code review with dedicated security review action scoped to security-sensitive paths (API routes, middleware, store, utils, config files).
---
 .github/workflows/claude-code-review.yml | 27 ++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/claude-code-review.yml
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
new file mode 100644
index 0000000..66eae30
--- /dev/null
+++ b/.github/workflows/claude-code-review.yml
@@ -0,0 +1,27 @@
+name: Security Scan
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+ paths:
+ - "src/pages/api/**"
+ - "src/middleware/**"
+ - "src/store/**"
+ - "src/utils/**"
+ - "public/_headers"
+ - "wrangler.toml"
+ - "*.config.*"
+
+jobs:
+ security-scan:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+ id-token: write
+
+ steps:
+ - uses: anthropics/claude-code-security-review@v1
+ with:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
From 898d8d50a856820ede925798029d88a6c66c3797 Mon Sep 17 00:00:00 2001
From: mohanadft
Date: Mon, 4 May 2026 13:16:56 +0300
Subject: [PATCH 2/3] fix(ci): optimize security scan with cost controls and correct config
Use correct input names, add Sonnet model, 10min timeout, directory exclusions, and required checkout step.
---
 .github/workflows/claude-code-review.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 66eae30..4522b5a 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
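Review bot: The `paths` filter in this hunk leaves two security-sensitive areas outside the scan: `.github/workflows/**` itself, so a PR that weakens this workflow or adds a new one is never reviewed, and the dependency manifests (presumably `package.json` and its lockfile for this Astro/Wrangler project), which is where supply-chain changes land. The `*.config.*` entry also appears to match only repository-root files, since `*` in a path filter does not cross `/`; use `**/*.config.*` if nested config files should count. I would add `- ".github/workflows/**"` and the manifest/lockfile paths to the list, and put a comment above `paths:` noting that the filter decides which PRs trigger the scan, not which files the action reads.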
@@ -18,10 +18,17 @@ jobs:
 permissions:
 contents: read
 pull-requests: write
- issues: write
- id-token: write
 steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 2
+
 - uses: anthropics/claude-code-security-review@v1
 with:
- anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+ claude-model: claude-sonnet-4-6
+ claudecode-timeout: 10
+ exclude-directories: "node_modules,dist,.astro"
+ run-every-commit: false
From ce1b21b5b36c77dfd1c2e10f53ba3a171e1eb1e7 Mon Sep 17 00:00:00 2001
From: mohanadft
Date: Mon, 4 May 2026 13:27:18 +0300
Subject: [PATCH 3/3] fix(ci): trigger security scan on ready_for_review with concurrency control
Only scan when PR is marked ready for review (requires write access), cancel redundant runs on the same PR.
---
 .github/workflows/claude-code-review.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 4522b5a..ffdb58a 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -2,7 +2,7 @@ name: Security Scan
 on:
 pull_request:
- types: [opened, synchronize, reopened]
+ types: [ready_for_review]
 paths:
 - "src/pages/api/**"
 - "src/middleware/**"
@@ -12,6 +12,10 @@ on:
 - "wrangler.toml"
 - "*.config.*"
+concurrency:
+ group: security-scan-${{ github.event.pull_request.number }}
+ cancel-in-progress: true
+
 jobs:
 security-scan:
 runs-on: ubuntu-latest
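Review bot: The `actions/checkout@v4` step added in this hunk leaves `persist-credentials` at its default, so the job's `GITHUB_TOKEN` (which carries `pull-requests: write`) is stored in the checkout's git config and is reachable by the following step, which runs a model over untrusted PR content; add `persist-credentials: false` under that step's `with:` since the scan only needs a read-only tree. Both actions are referenced by mutable tags (`@v4`, `@v1`), and the second one is handed `ANTHROPIC_API_KEY`; pin each to a full commit SHA with the version in a trailing comment, e.g. `- uses: anthropics/claude-code-security-review@<commit-sha> # v1`, so a retagged release cannot swap the code that receives the secret. On the `pull_request` trigger secrets are not exposed to fork PRs, so this step will presumably fail there rather than scan; a job-level `if: github.event.pull_request.head.repo.full_name == github.repository` would make that explicit instead of leaving a red check.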
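Review bot: Restricting `types` to `[ready_for_review]` in the first hunk means the scan never runs for a PR opened directly in non-draft state (that event fires only on the draft-to-ready transition) and is not re-run for commits pushed after the PR is marked ready, so the revision that was scanned can differ from the one that gets merged. Keep the original events and gate on draft status instead: `types: [opened, synchronize, reopened, ready_for_review]` on the trigger plus `if: github.event.pull_request.draft == false` on the `security-scan` job. The description's "requires write access" also looks inaccurate, since a PR author can flip their own PR out of draft, so this event is not an authorization gate; a comment on the trigger saying it exists to limit cost and noise rather than access would prevent that misreading. The concurrency group keyed on the PR number in the second hunk is fine for its purpose.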