ci: add claude code code review
Adds a CI step to the Cirrus CI which will run claude code on the diff of a Pull Request and fail if it finds critical security vulnerabilities or serious code issues. Optionally it can be given a GitHub api key to create a comment in the pull request.
@@ -243,6 +243,29 @@ task:
main_script:
- contrib/ban_unicode.py

task:
name: "security review: Claude Code"
# NOTE: claude has access to all API keys available in the Cirrus CI environment.
# If we would add some critical api keys in here we should consider this.
matrix:
- trigger_type: automatic
only_if: $CIRRUS_PR != '' && ($CIRRUS_USER_PERMISSION == 'write' || $CIRRUS_USER_PERMISSION == 'admin')
- trigger_type: manual
only_if: $CIRRUS_PR != ''
container:
image: node:20
cpu: 1
memory: 2G
# CLAUDE_CODE_OAUTH_TOKEN is set as an encrypted "override" in https://cirrus-ci.com/settings/...
# It must be stored encrypted (ENCRYPTED[...]) so Cirrus CI refuses to decrypt it for
# fork PRs from users without write permission.
# Generate with: claude setup-token
# Optional: set GITHUB_TOKEN to enable PR comments on failure
install_script:
- npm install -g @anthropic-ai/claude-code
review_script:
- python3 contrib/ci/claude_security_review.py

# Cron jobs configured in https://cirrus-ci.com/settings/...
# - job "nightly" on branch "master" at "0 30 2 * * ?" (every day at 02:30Z)
task:
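Review bot: the `manual` matrix entry is guarded only by `$CIRRUS_PR != ''`, while the `automatic` entry additionally requires `$CIRRUS_USER_PERMISSION` to be `write` or `admin`; since the comment above states that Cirrus CI refuses to decrypt `CLAUDE_CODE_OAUTH_TOKEN` for fork PRs from users without write permission, a manual run on such a PR will start without a usable token and fail inside `review_script` instead of being skipped. Either apply the same permission condition to the manual entry or document that manual runs are only meaningful for PRs from users with write access. Two further points on this hunk: `npm install -g @anthropic-ai/claude-code` installs whatever version is current at run time, so pin an exact version (`@anthropic-ai/claude-code@<version>`) to keep reviews reproducible and narrow supply-chain exposure; and because the NOTE already says the agent sees every API key in the Cirrus environment while it processes a diff written by the PR submitter, treat that diff as untrusted input: keep the task's environment to the two tokens it needs and give `GITHUB_TOKEN` only the permission required to comment on the PR. Finally, `contrib/ci/claude_security_review.py` is invoked but is not part of this 23-line change; confirm it is added in this or a preceding commit.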