mirror of
https://github.com/anthropics/claude-code-action.git
synced 2026-01-22 22:44:13 +08:00
a86ef08036
Fixes command injection vulnerabilities in example workflow files by using environment variables instead of direct template expansion in shell commands. This prevents malicious branch names containing command substitution syntax like $(cmd) from being executed by the shell. Files fixed: - examples/ci-failure-auto-fix.yml: github.event.workflow_run.head_branch - examples/test-failure-analysis.yml: github.event.workflow_run.name and head_branch
101 lines
3.4 KiB
YAML
101 lines
3.4 KiB
YAML
name: Auto Fix CI Failures
|
|
|
|
on:
|
|
workflow_run:
|
|
workflows: ["CI"]
|
|
types:
|
|
- completed
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
actions: read
|
|
issues: write
|
|
id-token: write # Required for OIDC token exchange
|
|
|
|
jobs:
|
|
auto-fix:
|
|
if: |
|
|
github.event.workflow_run.conclusion == 'failure' &&
|
|
github.event.workflow_run.pull_requests[0] &&
|
|
!startsWith(github.event.workflow_run.head_branch, 'claude-auto-fix-ci-')
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
with:
|
|
ref: ${{ github.event.workflow_run.head_branch }}
|
|
fetch-depth: 0
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Setup git identity
|
|
run: |
|
|
git config --global user.email "claude[bot]@users.noreply.github.com"
|
|
git config --global user.name "claude[bot]"
|
|
|
|
- name: Create fix branch
|
|
id: branch
|
|
env:
|
|
SOURCE_BRANCH: ${{ github.event.workflow_run.head_branch }}
|
|
RUN_ID: ${{ github.run_id }}
|
|
run: |
|
|
BRANCH_NAME="claude-auto-fix-ci-${SOURCE_BRANCH}-${RUN_ID}"
|
|
git checkout -b "$BRANCH_NAME"
|
|
echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
|
|
|
|
- name: Get CI failure details
|
|
id: failure_details
|
|
uses: actions/github-script@v7
|
|
with:
|
|
script: |
|
|
const run = await github.rest.actions.getWorkflowRun({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
run_id: ${{ github.event.workflow_run.id }}
|
|
});
|
|
|
|
const jobs = await github.rest.actions.listJobsForWorkflowRun({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
run_id: ${{ github.event.workflow_run.id }}
|
|
});
|
|
|
|
const failedJobs = jobs.data.jobs.filter(job => job.conclusion === 'failure');
|
|
|
|
let errorLogs = [];
|
|
for (const job of failedJobs) {
|
|
const logs = await github.rest.actions.downloadJobLogsForWorkflowRun({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
job_id: job.id
|
|
});
|
|
errorLogs.push({
|
|
jobName: job.name,
|
|
logs: logs.data
|
|
});
|
|
}
|
|
|
|
return {
|
|
runUrl: run.data.html_url,
|
|
failedJobs: failedJobs.map(j => j.name),
|
|
errorLogs: errorLogs
|
|
};
|
|
|
|
- name: Fix CI failures with Claude
|
|
id: claude
|
|
uses: anthropics/claude-code-action@v1
|
|
with:
|
|
prompt: |
|
|
/fix-ci
|
|
Failed CI Run: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }}
|
|
Failed Jobs: ${{ join(fromJSON(steps.failure_details.outputs.result).failedJobs, ', ') }}
|
|
PR Number: ${{ github.event.workflow_run.pull_requests[0].number }}
|
|
Branch Name: ${{ steps.branch.outputs.branch_name }}
|
|
Base Branch: ${{ github.event.workflow_run.head_branch }}
|
|
Repository: ${{ github.repository }}
|
|
|
|
Error logs:
|
|
${{ toJSON(fromJSON(steps.failure_details.outputs.result).errorLogs) }}
|
|
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
|
|
claude_args: "--allowedTools 'Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(git:*),Bash(bun:*),Bash(npm:*),Bash(npx:*),Bash(gh:*)'"
|