43 changes: 16 additions & 27 deletions .github/workflows/security-review.yml
@@ -1,10 +1,16 @@
# Claude Security Review
#
# Calls the org-wide reusable workflow from radius-workshop/.github.
#
# Requires the ANTHROPIC_API_KEY secret:
# - Public repos: automatically available via org secret
# - Private repos: add as a repo-level secret
# (Settings > Secrets and variables > Actions > New repository secret)
#
# Quick setup:
# mkdir -p .github/workflows && curl -o .github/workflows/security-review.yml \
# https://raw.githubusercontent.com/radius-workshop/.github/main/docs/security-review-caller.yml
#
# For full setup instructions, see:
# https://github.com/radius-workshop/.github/blob/main/docs/security-review-setup.md

Expand All @@ -14,37 +20,20 @@ on:
pull_request:
types: [opened, synchronize, reopened]

env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
security-review:
runs-on: ubuntu-latest
# Grant the writes the reusable workflow needs to post findings.
# Required because a reusable workflow cannot elevate beyond the
# caller's permissions, and GitHub's default GITHUB_TOKEN permissions
# are read-only on newer orgs/repos. Without this block the job is
# rejected before it starts.
permissions:
contents: read
pull-requests: write
issues: write
id-token: write
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0

- uses: actions/checkout@v6
with:
repository: radius-workshop/.github
path: .org-github
sparse-checkout: security

- uses: anthropics/claude-code-security-review@main
id: security-review
with:
claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
custom-security-scan-instructions: .org-github/security/custom-scan-instructions.txt
false-positive-filtering-instructions: .org-github/security/false-positive-filtering.txt

- name: Fail if vulnerabilities found
if: false # set to: steps.security-review.outputs.findings-count > 0
run: |
echo "Found ${{ steps.security-review.outputs.findings-count }} security findings"
exit 1
uses: radius-workshop/.github/.github/workflows/security-review.yml@main
with:
fail-on-findings: false # set to true to fail the build on findings
secrets:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
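Review bot: The `uses: radius-workshop/.github/.github/workflows/security-review.yml@main` line pins the reusable workflow to a mutable branch while the caller hands it `ANTHROPIC_API_KEY`, `pull-requests: write`, `issues: write` and `id-token: write`; anyone who can push to `main` in the `.github` repo can silently change what runs with those grants in every caller. Pin to a tag or, preferably, a full commit SHA with a version comment, e.g. `uses: radius-workshop/.github/.github/workflows/security-review.yml@<40-char-sha> # vX.Y`, and bump it deliberately, since the same pinning discipline is the reason the direct `anthropics/claude-code-security-review@main` step was worth removing. Separately, `id-token: write` lets the called workflow mint an OIDC token that cloud providers trusting this repo may accept; posting review findings only needs the `pull-requests`/`issues` writes, so unless the reusable workflow is known to exchange an OIDC token (not visible here), drop `id-token: write` to keep the caller least-privilege. Note also that under the `pull_request` trigger, secrets are not passed for pull requests from forks, so the review will run without a key there; do not "fix" that by switching to `pull_request_target`, which would run the checked-out PR code with secrets.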