🔒 Comprehensive security hardening and improvements #6
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Claude Code Integration | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - staging | |
| - dev | |
| - test-* | |
| pull_request: | |
| branches: | |
| - main | |
| - staging | |
| - dev | |
| workflow_dispatch: | |
| inputs: | |
| task_type: | |
| description: 'Type of Claude Code task to run' | |
| required: true | |
| default: 'code-review' | |
| type: choice | |
| options: | |
| - code-review | |
| - security-analysis | |
| - code-optimization | |
| - testing-suggestions | |
| - documentation-review | |
| - custom-prompt | |
| custom_prompt: | |
| description: 'Custom prompt (only used if task_type is custom-prompt)' | |
| required: false | |
| default: '' | |
| target_files: | |
| description: 'Target files/directories (optional, defaults to changed files)' | |
| required: false | |
| default: '' | |
| max_tokens: | |
| description: 'Maximum tokens to use (safety limit)' | |
| required: false | |
| default: '10000' | |
| type: number | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| actions: read | |
| env: | |
| # Force Claude Sonnet 4 to avoid premium model usage | |
| CLAUDE_MODEL: claude-sonnet-4-20250514 | |
| # Usage limits for safety | |
| MAX_TOKENS_PER_RUN: 10000 | |
| MAX_FILES_PER_RUN: 50 | |
| jobs: | |
| claude-code-analysis: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Validate and Set Authentication | |
| id: auth | |
| run: | | |
| set -euo pipefail | |
| # Input validation for authentication | |
| if [ -n "${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}" ]; then | |
| # Basic OAuth token format validation (starts with 'sk-ant-') | |
| if [[ "${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}" =~ ^sk-ant-[a-zA-Z0-9_-]+$ ]]; then | |
| echo "✅ CLAUDE_CODE_OAUTH_TOKEN format is valid (primary)" | |
| echo "auth_method=oauth" >> $GITHUB_OUTPUT | |
| echo "auth_valid=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "⚠️ CLAUDE_CODE_OAUTH_TOKEN format appears invalid" | |
| echo "Expected format: sk-ant-[alphanumeric characters]" | |
| echo "auth_method=oauth" >> $GITHUB_OUTPUT | |
| echo "auth_valid=false" >> $GITHUB_OUTPUT | |
| fi | |
| elif [ -n "${{ secrets.ANTHROPIC_API_KEY }}" ]; then | |
| # Basic API key format validation | |
| if [[ "${{ secrets.ANTHROPIC_API_KEY }}" =~ ^sk-ant-[a-zA-Z0-9_-]+$ ]]; then | |
| echo "✅ ANTHROPIC_API_KEY format is valid (fallback)" | |
| echo "auth_method=api_key" >> $GITHUB_OUTPUT | |
| echo "auth_valid=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "⚠️ ANTHROPIC_API_KEY format appears invalid" | |
| echo "Expected format: sk-ant-[alphanumeric characters]" | |
| echo "auth_method=api_key" >> $GITHUB_OUTPUT | |
| echo "auth_valid=false" >> $GITHUB_OUTPUT | |
| fi | |
| else | |
| echo "❌ Authentication Setup Required" | |
| echo "Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secrets are configured" | |
| echo "" | |
| echo "🔧 Setup Instructions:" | |
| echo "1. Go to GitHub repository Settings → Secrets and variables → Actions" | |
| echo "2. Add one of these secrets:" | |
| echo " • CLAUDE_CODE_OAUTH_TOKEN (recommended) - Your Claude Code OAuth token" | |
| echo " • ANTHROPIC_API_KEY (fallback) - Your Anthropic API key" | |
| echo "3. Both should start with 'sk-ant-' followed by alphanumeric characters" | |
| echo "4. Get your token from: https://console.anthropic.com/" | |
| echo "" | |
| echo "auth_method=none" >> $GITHUB_OUTPUT | |
| echo "auth_valid=false" >> $GITHUB_OUTPUT | |
| exit 1 | |
| fi | |
| - name: Validate Input Parameters | |
| id: validate | |
| run: | | |
| set -euo pipefail | |
| # Validate max_tokens input | |
| MAX_TOKENS="${{ github.event.inputs.max_tokens || env.MAX_TOKENS_PER_RUN }}" | |
| if [[ ! "$MAX_TOKENS" =~ ^[0-9]+$ ]] || [ "$MAX_TOKENS" -lt 1 ] || [ "$MAX_TOKENS" -gt 50000 ]; then | |
| echo "❌ Invalid max_tokens value: $MAX_TOKENS" | |
| echo "Must be a number between 1 and 50000" | |
| exit 1 | |
| fi | |
| echo "max_tokens_validated=$MAX_TOKENS" >> $GITHUB_OUTPUT | |
| # Validate task_type | |
| TASK_TYPE="${{ github.event.inputs.task_type || 'code-review' }}" | |
| case "$TASK_TYPE" in | |
| code-review|security-analysis|code-optimization|testing-suggestions|documentation-review|custom-prompt) | |
| echo "task_type_validated=$TASK_TYPE" >> $GITHUB_OUTPUT | |
| ;; | |
| *) | |
| echo "❌ Invalid task_type: $TASK_TYPE" | |
| echo "Must be one of: code-review, security-analysis, code-optimization, testing-suggestions, documentation-review, custom-prompt" | |
| exit 1 | |
| ;; | |
| esac | |
| # Validate custom_prompt if task_type is custom-prompt | |
| if [ "$TASK_TYPE" = "custom-prompt" ]; then | |
| CUSTOM_PROMPT="${{ github.event.inputs.custom_prompt }}" | |
| if [ -z "$CUSTOM_PROMPT" ]; then | |
| echo "❌ custom_prompt is required when task_type is 'custom-prompt'" | |
| exit 1 | |
| fi | |
| # Sanitize custom prompt (remove potentially dangerous characters) | |
| SANITIZED_PROMPT=$(echo "$CUSTOM_PROMPT" | tr -d '`$(){}[]|;&<>' | head -c 2000) | |
| echo "custom_prompt_validated=$SANITIZED_PROMPT" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Install Claude Code CLI | |
| run: | | |
| set -euo pipefail | |
| echo "Installing Claude Code CLI..." | |
| # Use specific npm version for reproducibility | |
| npm install -g @anthropic-ai/claude-code@latest | |
| # Verify installation | |
| if ! command -v claude &> /dev/null; then | |
| echo "❌ Claude CLI installation failed" | |
| echo "Troubleshooting:" | |
| echo "1. Check npm installation: npm --version" | |
| echo "2. Check global packages: npm list -g --depth=0" | |
| echo "3. Check PATH: echo \$PATH" | |
| exit 1 | |
| fi | |
| echo "✅ Claude CLI installed successfully" | |
| - name: Verify Claude Code Installation | |
| run: | | |
| set -euo pipefail | |
| # Test Claude CLI | |
| if claude --version; then | |
| echo "✅ Claude CLI is working" | |
| else | |
| echo "❌ Claude CLI verification failed" | |
| echo "Troubleshooting:" | |
| echo "1. Try reinstalling: npm uninstall -g @anthropic-ai/claude-code && npm install -g @anthropic-ai/claude-code" | |
| echo "2. Check permissions: ls -la \$(which claude)" | |
| echo "3. Try running with full path: \$(npm root -g)/@anthropic-ai/claude-code/bin/claude --version" | |
| exit 1 | |
| fi | |
| - name: Determine and Validate Changed Files | |
| if: github.event_name == 'pull_request' | |
| id: changed-files | |
| run: | | |
| set -euo pipefail | |
| # Securely get changed files using git diff | |
| BASE_SHA="${{ github.event.pull_request.base.sha }}" | |
| HEAD_SHA="${{ github.event.pull_request.head.sha }}" | |
| # Validate SHA format | |
| if [[ ! "$BASE_SHA" =~ ^[a-f0-9]{40}$ ]] || [[ ! "$HEAD_SHA" =~ ^[a-f0-9]{40}$ ]]; then | |
| echo "❌ Invalid SHA format detected" | |
| echo "BASE_SHA: $BASE_SHA" | |
| echo "HEAD_SHA: $HEAD_SHA" | |
| exit 1 | |
| fi | |
| echo "Detecting changed files between $BASE_SHA and $HEAD_SHA..." | |
| # Use git diff with explicit SHA validation | |
| git diff --name-only "$BASE_SHA" "$HEAD_SHA" > changed_files_raw.txt || { | |
| echo "❌ Failed to get changed files" | |
| echo "Troubleshooting:" | |
| echo "1. Check if SHAs exist: git cat-file -e $BASE_SHA && git cat-file -e $HEAD_SHA" | |
| echo "2. Check git status: git status" | |
| echo "3. Check fetch depth: git log --oneline -5" | |
| exit 1 | |
| } | |
| # Filter for code files only with safe patterns | |
| grep -E '\.(py|js|ts|jsx|tsx|java|cpp|c|h|go|rs|rb|php|cs|swift|kt|scala|clj|ml|hs|r|sql|sh|yaml|yml|json|md)$' changed_files_raw.txt > code_files.txt || { | |
| echo "No code files found in changes" | |
| touch code_files.txt | |
| } | |
| # Validate and sanitize file paths | |
| > safe_code_files.txt | |
| while IFS= read -r file; do | |
| # Skip files with dangerous patterns | |
| if [[ "$file" =~ ^[a-zA-Z0-9._/-]+$ ]] && [[ ! "$file" =~ \.\./|\$|\`|\| ]]; then | |
| if [ -f "$file" ]; then | |
| echo "$file" >> safe_code_files.txt | |
| else | |
| echo "⚠️ Skipping non-existent file: $file" | |
| fi | |
| else | |
| echo "⚠️ Skipping file with unsafe name: $file" | |
| fi | |
| done < code_files.txt | |
| mv safe_code_files.txt code_files.txt | |
| file_count=$(wc -l < code_files.txt) | |
| echo "Found $file_count changed code files" | |
| # Apply file count limit | |
| if [ "$file_count" -gt "$MAX_FILES_PER_RUN" ]; then | |
| echo "⚠️ Too many files changed ($file_count > $MAX_FILES_PER_RUN)" | |
| echo "Limiting to first $MAX_FILES_PER_RUN files for safety" | |
| head -n "$MAX_FILES_PER_RUN" code_files.txt > limited_files.txt | |
| mv limited_files.txt code_files.txt | |
| file_count="$MAX_FILES_PER_RUN" | |
| fi | |
| echo "files_count=$file_count" >> $GITHUB_OUTPUT | |
| # Show files being analyzed | |
| echo "Files to be analyzed:" | |
| cat code_files.txt | |
| - name: Determine and Validate Target Files (Manual) | |
| if: github.event_name == 'workflow_dispatch' && github.event.inputs.target_files != '' | |
| run: | | |
| set -euo pipefail | |
| echo "Processing manually specified target files..." | |
| # Sanitize and validate target files input | |
| TARGET_FILES="${{ github.event.inputs.target_files }}" | |
| # Remove dangerous characters and split by comma | |
| SANITIZED_FILES=$(echo "$TARGET_FILES" | tr -d '`$(){}[]|;&<>' | tr ',' '\n') | |
| > code_files.txt | |
| while IFS= read -r file; do | |
| # Trim whitespace | |
| file=$(echo "$file" | xargs) | |
| # Skip empty lines | |
| [ -z "$file" ] && continue | |
| # Validate file path format | |
| if [[ "$file" =~ ^[a-zA-Z0-9._/-]+$ ]] && [[ ! "$file" =~ \.\./|\$|\`|\| ]]; then | |
| if [ -f "$file" ]; then | |
| echo "$file" >> code_files.txt | |
| else | |
| echo "⚠️ Skipping non-existent file: $file" | |
| fi | |
| else | |
| echo "⚠️ Skipping file with unsafe name: $file" | |
| fi | |
| done <<< "$SANITIZED_FILES" | |
| file_count=$(wc -l < code_files.txt) | |
| echo "Validated $file_count target files" | |
| if [ "$file_count" -eq 0 ]; then | |
| echo "❌ No valid target files found" | |
| exit 1 | |
| fi | |
| - name: Default to Safe Code Files (Push) | |
| if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.target_files == '') | |
| run: | | |
| set -euo pipefail | |
| echo "Finding all code files in repository..." | |
| # Safely find code files with controlled patterns | |
| find . -type f \( \ | |
| -name "*.py" -o -name "*.js" -o -name "*.ts" -o -name "*.jsx" -o -name "*.tsx" -o \ | |
| -name "*.java" -o -name "*.cpp" -o -name "*.c" -o -name "*.h" -o -name "*.go" -o \ | |
| -name "*.rs" -o -name "*.rb" -o -name "*.php" -o -name "*.cs" -o -name "*.swift" -o \ | |
| -name "*.kt" -o -name "*.scala" -o -name "*.clj" -o -name "*.ml" -o -name "*.hs" -o \ | |
| -name "*.r" -o -name "*.sql" -o -name "*.sh" -o -name "*.yaml" -o -name "*.yml" -o \ | |
| -name "*.json" -o -name "*.md" -o -name "Dockerfile*" \ | |
| \) \ | |
| -not -path "./.git/*" \ | |
| -not -path "./node_modules/*" \ | |
| -not -path "./.venv/*" \ | |
| -not -path "./venv/*" \ | |
| -not -path "./__pycache__/*" \ | |
| -not -path "./dist/*" \ | |
| -not -path "./build/*" \ | |
| -not -path "./.github/*" \ | |
| -print0 | head -z -n "$MAX_FILES_PER_RUN" | tr '\0' '\n' | grep -v '^$' > code_files.txt | |
| file_count=$(wc -l < code_files.txt) | |
| echo "Found $file_count code files (limited to $MAX_FILES_PER_RUN)" | |
| if [ "$file_count" -eq 0 ]; then | |
| echo "❌ No code files found in repository" | |
| exit 1 | |
| fi | |
| - name: Create Analysis Function | |
| run: | | |
| set -euo pipefail | |
| # Create a reusable analysis function | |
| cat > analyze_code.sh << 'EOF' | |
| #!/bin/bash | |
| set -euo pipefail | |
| PROMPT_FILE="$1" | |
| OUTPUT_FILE="$2" | |
| # Validate inputs | |
| if [ ! -f "$PROMPT_FILE" ]; then | |
| echo "❌ Prompt file not found: $PROMPT_FILE" | |
| exit 1 | |
| fi | |
| if [ ! -f "code_files.txt" ]; then | |
| echo "❌ Code files list not found" | |
| exit 1 | |
| fi | |
| # Create combined prompt with file contents | |
| echo "# Files to analyze:" > combined_prompt.txt | |
| echo "" >> combined_prompt.txt | |
| file_count=0 | |
| while IFS= read -r file; do | |
| # Double-check file existence and safety | |
| if [ -f "$file" ] && [[ "$file" =~ ^[a-zA-Z0-9._/-]+$ ]]; then | |
| echo "## File: $file" >> combined_prompt.txt | |
| echo "\`\`\`" >> combined_prompt.txt | |
| # Safely read file content with size limit | |
| if [ -s "$file" ]; then | |
| # Limit file size to prevent huge prompts (max 10KB per file) | |
| head -c 10240 "$file" >> combined_prompt.txt | |
| fi | |
| echo "" >> combined_prompt.txt | |
| echo "\`\`\`" >> combined_prompt.txt | |
| echo "" >> combined_prompt.txt | |
| file_count=$((file_count + 1)) | |
| else | |
| echo "⚠️ Skipping invalid file: $file" | |
| fi | |
| done < code_files.txt | |
| if [ "$file_count" -eq 0 ]; then | |
| echo "❌ No valid files to analyze" | |
| exit 1 | |
| fi | |
| echo "# Analysis Request:" >> combined_prompt.txt | |
| echo "" >> combined_prompt.txt | |
| cat "$PROMPT_FILE" >> combined_prompt.txt | |
| # Run Claude analysis with timeout | |
| echo "Running Claude analysis on $file_count files..." | |
| timeout 300 claude --model "$CLAUDE_MODEL" -p "$(cat combined_prompt.txt)" > "$OUTPUT_FILE" 2>&1 || { | |
| echo "❌ Claude analysis failed or timed out" | |
| echo "Troubleshooting:" | |
| echo "1. Check authentication: claude --version" | |
| echo "2. Check model availability: $CLAUDE_MODEL" | |
| echo "3. Check prompt size: wc -c combined_prompt.txt" | |
| echo "4. Check network connectivity" | |
| exit 1 | |
| } | |
| # Validate output | |
| if [ ! -s "$OUTPUT_FILE" ]; then | |
| echo "❌ Analysis produced no output" | |
| exit 1 | |
| fi | |
| echo "✅ Analysis completed successfully" | |
| EOF | |
| chmod +x analyze_code.sh | |
| - name: Run Code Review Analysis | |
| if: steps.validate.outputs.task_type_validated == 'code-review' || github.event_name != 'workflow_dispatch' | |
| env: | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| run: | | |
| set -euo pipefail | |
| echo "🔍 Running code review analysis with Claude Sonnet 4..." | |
| # Create analysis prompt | |
| cat > analysis_prompt.txt << 'EOF' | |
| Please perform a comprehensive code review of the provided files. Focus on: | |
| 1. **Security Issues**: Identify potential vulnerabilities, insecure patterns, or data exposure risks | |
| 2. **Code Quality**: Review for maintainability, readability, and best practices | |
| 3. **Performance**: Highlight potential performance bottlenecks or inefficiencies | |
| 4. **Bug Detection**: Identify logical errors, edge cases, or potential runtime issues | |
| 5. **Architecture**: Comment on code structure, patterns, and design decisions | |
| For each issue found, provide: | |
| - Severity level (Critical/High/Medium/Low) | |
| - Specific file and line reference | |
| - Clear explanation of the issue | |
| - Recommended fix or improvement | |
| Be concise but thorough. Focus on actionable feedback. | |
| EOF | |
| # Run analysis using the secure function | |
| ./analyze_code.sh analysis_prompt.txt analysis_result.md | |
| echo "✅ Code review analysis completed" | |
| - name: Run Security Analysis | |
| if: steps.validate.outputs.task_type_validated == 'security-analysis' | |
| env: | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| run: | | |
| set -euo pipefail | |
| echo "🔒 Running security analysis with Claude Sonnet 4..." | |
| cat > security_prompt.txt << 'EOF' | |
| Please perform a thorough security analysis of the provided code. Focus on: | |
| 1. **Vulnerability Detection**: SQL injection, XSS, CSRF, authentication bypass, etc. | |
| 2. **Data Protection**: Sensitive data handling, encryption, secure storage | |
| 3. **Access Control**: Authorization, privilege escalation, insecure defaults | |
| 4. **Input Validation**: Unvalidated inputs, injection attacks, data sanitization | |
| 5. **Dependencies**: Known vulnerabilities in third-party libraries | |
| 6. **Configuration Security**: Hardcoded secrets, insecure configurations | |
| For each security issue: | |
| - Provide OWASP category if applicable | |
| - Rate severity (Critical/High/Medium/Low) | |
| - Give specific remediation steps | |
| - Include secure code examples where helpful | |
| EOF | |
| ./analyze_code.sh security_prompt.txt analysis_result.md | |
| echo "✅ Security analysis completed" | |
| - name: Run Code Optimization Analysis | |
| if: steps.validate.outputs.task_type_validated == 'code-optimization' | |
| env: | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| run: | | |
| set -euo pipefail | |
| echo "⚡ Running code optimization analysis with Claude Sonnet 4..." | |
| cat > optimization_prompt.txt << 'EOF' | |
| Please analyze the code for optimization opportunities. Focus on: | |
| 1. **Performance**: Algorithmic complexity, inefficient loops, redundant operations | |
| 2. **Memory Usage**: Memory leaks, unnecessary allocations, caching opportunities | |
| 3. **Database**: Query optimization, N+1 problems, indexing suggestions | |
| 4. **Network**: API efficiency, request batching, caching strategies | |
| 5. **Code Structure**: Refactoring opportunities, design pattern improvements | |
| 6. **Resource Management**: File handling, connection pooling, cleanup | |
| For each optimization: | |
| - Estimate performance impact | |
| - Provide before/after code examples | |
| - Explain the optimization technique | |
| - Consider trade-offs and side effects | |
| EOF | |
| ./analyze_code.sh optimization_prompt.txt analysis_result.md | |
| echo "✅ Code optimization analysis completed" | |
| - name: Run Testing Suggestions | |
| if: steps.validate.outputs.task_type_validated == 'testing-suggestions' | |
| env: | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| run: | | |
| set -euo pipefail | |
| echo "🧪 Running testing suggestions analysis with Claude Sonnet 4..." | |
| cat > testing_prompt.txt << 'EOF' | |
| Please analyze the code and provide comprehensive testing recommendations: | |
| 1. **Test Coverage**: Identify untested or poorly tested code paths | |
| 2. **Unit Tests**: Suggest specific unit tests for functions and methods | |
| 3. **Integration Tests**: Recommend integration test scenarios | |
| 4. **Edge Cases**: Highlight edge cases that need testing | |
| 5. **Mock Strategy**: Suggest what to mock and testing patterns | |
| 6. **Test Data**: Recommend test data structures and fixtures | |
| For each suggestion: | |
| - Provide test case examples | |
| - Explain the testing rationale | |
| - Suggest appropriate testing frameworks | |
| - Include test assertions and expected outcomes | |
| EOF | |
| ./analyze_code.sh testing_prompt.txt analysis_result.md | |
| echo "✅ Testing suggestions analysis completed" | |
| - name: Run Documentation Review | |
| if: steps.validate.outputs.task_type_validated == 'documentation-review' | |
| env: | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| run: | | |
| set -euo pipefail | |
| echo "📝 Running documentation review with Claude Sonnet 4..." | |
| cat > documentation_prompt.txt << 'EOF' | |
| Please review and improve the documentation in the provided code: | |
| 1. **Code Comments**: Evaluate existing comments for clarity and completeness | |
| 2. **Function Documentation**: Check docstrings, parameter descriptions, return values | |
| 3. **API Documentation**: Review API endpoints, request/response formats | |
| 4. **README Files**: Assess setup instructions, usage examples, troubleshooting | |
| 5. **Architecture Documentation**: Review system design explanations | |
| 6. **Missing Documentation**: Identify areas that need documentation | |
| For each documentation issue: | |
| - Provide improved documentation examples | |
| - Suggest documentation standards to follow | |
| - Highlight critical missing documentation | |
| - Recommend documentation tools or formats | |
| EOF | |
| ./analyze_code.sh documentation_prompt.txt analysis_result.md | |
| echo "✅ Documentation review completed" | |
| - name: Run Custom Prompt Analysis | |
| if: steps.validate.outputs.task_type_validated == 'custom-prompt' | |
| env: | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| run: | | |
| set -euo pipefail | |
| echo "🎯 Running custom prompt analysis with Claude Sonnet 4..." | |
| # Use the validated and sanitized custom prompt | |
| echo "${{ steps.validate.outputs.custom_prompt_validated }}" > custom_prompt.txt | |
| ./analyze_code.sh custom_prompt.txt analysis_result.md | |
| echo "✅ Custom prompt analysis completed" | |
| - name: Process Analysis Results | |
| if: always() | |
| run: | | |
| set -euo pipefail | |
| if [ -f analysis_result.md ]; then | |
| echo "📊 Analysis Results Summary:" | |
| echo "==========================" | |
| head -n 50 analysis_result.md | |
| echo "==========================" | |
| echo "Full results available in workflow artifacts" | |
| # Add workflow run info with safe variable handling | |
| echo "" >> analysis_result.md | |
| echo "---" >> analysis_result.md | |
| echo "" >> analysis_result.md | |
| echo "## Analysis Metadata" >> analysis_result.md | |
| echo "" >> analysis_result.md | |
| echo "- **Model Used**: $CLAUDE_MODEL (Premium models excluded)" >> analysis_result.md | |
| echo "- **Workflow**: ${{ github.workflow }}" >> analysis_result.md | |
| echo "- **Run ID**: ${{ github.run_id }}" >> analysis_result.md | |
| echo "- **Trigger**: ${{ github.event_name }}" >> analysis_result.md | |
| echo "- **Repository**: ${{ github.repository }}" >> analysis_result.md | |
| echo "- **Branch**: ${{ github.ref_name }}" >> analysis_result.md | |
| echo "- **Commit**: ${{ github.sha }}" >> analysis_result.md | |
| # Safe file count with error handling | |
| if [ -f code_files.txt ]; then | |
| file_count=$(wc -l < code_files.txt) | |
| echo "- **Files Analyzed**: $file_count files" >> analysis_result.md | |
| else | |
| echo "- **Files Analyzed**: 0 files" >> analysis_result.md | |
| fi | |
| echo "- **Max Tokens Used**: ${{ steps.validate.outputs.max_tokens_validated }}" >> analysis_result.md | |
| echo "- **Auth Method**: ${{ steps.auth.outputs.auth_method }}" >> analysis_result.md | |
| echo "- **Auth Valid**: ${{ steps.auth.outputs.auth_valid }}" >> analysis_result.md | |
| else | |
| echo "❌ No analysis results generated" | |
| echo "Troubleshooting:" | |
| echo "1. Check if analysis step ran successfully" | |
| echo "2. Check authentication configuration" | |
| echo "3. Check Claude CLI installation" | |
| echo "4. Check if files were found to analyze" | |
| echo "5. Check workflow logs for specific error messages" | |
| exit 1 | |
| fi | |
| - name: Upload Analysis Results | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: claude-analysis-results-${{ github.run_id }} | |
| path: | | |
| analysis_result.md | |
| code_files.txt | |
| combined_prompt.txt | |
| *.txt | |
| retention-days: 30 | |
| - name: Comment on PR (if applicable) | |
| if: github.event_name == 'pull_request' && success() | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| if (fs.existsSync('analysis_result.md')) { | |
| const analysis = fs.readFileSync('analysis_result.md', 'utf8'); | |
| // Sanitize content for PR comment | |
| const sanitizedAnalysis = analysis | |
| .replace(/[`${}]/g, '') // Remove potentially dangerous characters | |
| .substring(0, 32000); // Limit length | |
| const header = `## 🤖 Claude Code Analysis Results\n\n` + | |
| `> **Model Used**: \`${{ env.CLAUDE_MODEL }}\` (Premium models excluded)\n` + | |
| `> **Analysis Type**: \`${{ steps.validate.outputs.task_type_validated }}\`\n` + | |
| `> **Auth Method**: \`${{ steps.auth.outputs.auth_method }}\`\n\n`; | |
| const footer = analysis.length > 32000 ? | |
| '\n\n... (truncated - see workflow artifacts for full results)' : ''; | |
| await github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: header + sanitizedAnalysis + footer | |
| }); | |
| } | |
| - name: Usage Monitoring and Security Report | |
| if: always() | |
| run: | | |
| set -euo pipefail | |
| echo "📈 Usage Monitoring and Security Report:" | |
| echo "=======================================" | |
| echo "Model: $CLAUDE_MODEL" | |
| echo "Max Tokens: ${{ steps.validate.outputs.max_tokens_validated }}" | |
| echo "Auth Method: ${{ steps.auth.outputs.auth_method }}" | |
| echo "Auth Valid: ${{ steps.auth.outputs.auth_valid }}" | |
| echo "Task Type: ${{ steps.validate.outputs.task_type_validated }}" | |
| echo "Trigger: ${{ github.event_name }}" | |
| echo "Repository: ${{ github.repository }}" | |
| echo "Branch: ${{ github.ref_name }}" | |
| # Safe file count | |
| if [ -f code_files.txt ]; then | |
| file_count=$(wc -l < code_files.txt) | |
| echo "Files Processed: $file_count" | |
| else | |
| echo "Files Processed: 0" | |
| fi | |
| # Security validations performed | |
| echo "" | |
| echo "🔒 Security Validations Performed:" | |
| echo "- Input validation: ✅" | |
| echo "- File path sanitization: ✅" | |
| echo "- Command injection prevention: ✅" | |
| echo "- Token format validation: ✅" | |
| echo "- File size limits: ✅" | |
| echo "- Timeout protection: ✅" | |
| echo "- Output sanitization: ✅" | |
| echo "=======================================" | |
| # Log for monitoring and cost tracking | |
| echo "Usage logged for monitoring, security, and cost tracking" |