
ci: gate optional Claude and security-scan jobs behind repository variables#3901

Open

d-cs wants to merge 1 commit into main from ci-gate-optional-jobs-via-repo-vars

Conversation

@d-cs

@d-cs d-cs commented Jun 11, 2026

Collaborator

Summary

Add per-job if: gates so deployments that don't want — or can't run — these jobs can switch them off via repository variables, without editing workflows.

  • ENABLE_CLAUDE_CODE gates the Claude jobs: interactive @claude, the CLAUDE.md audit, and the REVIEW.md drift audit.
  • ENABLE_WORKFLOW_SECURITY_SCAN gates the Zizmor job, which uploads SARIF and so needs GitHub code scanning enabled.

Both default to enabled: a job runs unless its variable is explicitly set to 'false', so behaviour is unchanged anywhere the variables are unset. The sibling actionlint job and the report-only Trivy scan are untouched.

Test plan

  • actionlint clean on the four edited workflows
  • YAML parses for all four files

…iables

Add per-job `if:` gates so deployments that don't want or can't run these
jobs can switch them off without editing workflows:

- ENABLE_CLAUDE_CODE gates the Claude jobs (interactive @claude, the
  CLAUDE.md audit, and the REVIEW.md drift audit).
- ENABLE_WORKFLOW_SECURITY_SCAN gates the Zizmor job, which uploads SARIF
  and so needs GitHub code scanning enabled.

Both default to enabled: a job runs unless its variable is explicitly set
to 'false', so existing behaviour is unchanged where the variables are unset.
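The gate pattern the description and commit message refer to, as an added example rather than the PR's own diff. The workflow name, trigger, job names, action versions and the zizmor invocation are assumptions for illustration; the two repository variable names are the ones this PR introduces. The point worth seeing in code is the default: an unset repository variable evaluates to the empty string, so `!= 'false'` keeps the job on, whereas the tempting `== 'true'` form would silently skip the security scan in every fork or deployment that never set the variable.

```yaml
# Added example (not the project's workflow): job-level gates on
# repository variables, following the "runs unless explicitly 'false'" rule.
name: workflow-checks

on:
  pull_request:

permissions:
  contents: read

jobs:
  actionlint:
    # Not gated: runs everywhere, matching the PR's statement that the
    # sibling actionlint job is untouched.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # version is an assumption
      - run: actionlint -color

  zizmor:
    # vars.ENABLE_WORKFLOW_SECURITY_SCAN is '' when the variable is unset,
    # and '' != 'false' is true, so the job runs by default. Only an explicit
    # value of false switches it off. GitHub compares expression strings
    # case-insensitively, so 'FALSE' disables it as well.
    #
    # Do NOT write `if: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN == 'true' }}`:
    # that flips the default and drops the scan wherever the variable is unset.
    if: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN != 'false' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload SARIF; requires code scanning enabled
    steps:
      - uses: actions/checkout@v4
      - name: Run zizmor and emit SARIF
        run: zizmor --format sarif . > zizmor.sarif   # invocation is an assumption
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: zizmor.sarif

  claude-review:
    # Same gate shape for the Claude jobs, keyed on the other variable.
    if: ${{ vars.ENABLE_CLAUDE_CODE != 'false' }}
    runs-on: ubuntu-latest
    steps:
      - run: echo "Claude job body goes here"   # placeholder, not the project's steps
```

To switch a job off in a given deployment, set the variable at the repository level (for example with the GitHub CLI, `gh variable set ENABLE_WORKFLOW_SECURITY_SCAN --body false`); deleting the variable again restores the default. Because the gate sits at job level, a skipped job still appears in the checks list as "skipped", which is worth remembering if either job is later made a required status check.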
@changeset-bot

changeset-bot Bot commented Jun 11, 2026


⚠️ No Changeset found

Latest commit: d2696fd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a18e8118-9c80-480d-8ebf-db5c82c118c7

📥 Commits

Reviewing files that changed from the base of the PR and between 1c7e64a and d2696fd.

📒 Files selected for processing (4)
  • .github/workflows/check-review-md.yml
  • .github/workflows/claude-md-audit.yml
  • .github/workflows/claude.yml
  • .github/workflows/workflow-checks.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (javascript-typescript)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-05-12T14:34:38.795Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3561
File: .github/workflows/check-review-md.yml:3-10
Timestamp: 2026-05-12T14:34:38.795Z
Learning: In this repo’s `.github/workflows/check-review-md.yml`, the workflow is intentionally configured to run on *all* `pull_request` events (e.g., `opened`, `ready_for_review`, `synchronize`) and not only when `.claude/REVIEW.md` changes. The Claude Code audit compares each PR’s diff against `REVIEW.md` to detect contradictions and new undocumented patterns, so restricting the trigger to paths limited to `.claude/REVIEW.md` would undermine that coverage. Do not suggest narrowing the `pull_request` trigger to only REVIEW.md-related path changes.

Applied to files:

  • .github/workflows/check-review-md.yml
🔇 Additional comments (4)
.github/workflows/check-review-md.yml (1)

17-23: LGTM!

.github/workflows/claude-md-audit.yml (1)

18-23: LGTM!

.github/workflows/claude.yml (1)

15-24: LGTM!

.github/workflows/workflow-checks.yml (1)

39-43: LGTM!


Walkthrough

This PR adds repository variable guards to control the execution of GitHub Actions workflow jobs. The ENABLE_CLAUDE_CODE variable is added to three Claude Code-related workflows (check-review-md.yml, claude-md-audit.yml, and claude.yml) to skip those jobs when the variable is set to 'false'. A separate ENABLE_WORKFLOW_SECURITY_SCAN variable is added to the zizmor job in workflow-checks.yml for the same purpose. All guards follow the same pattern: jobs run by default unless the variable is explicitly set to 'false'.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. The description provides a comprehensive summary, test plan, and technical details, but does not follow the required template structure with sections like Checklist, Testing, Changelog, and Screenshots. Resolution: restructure the description to follow the repository's template, including the checklist, Testing section, and Changelog section in the required format.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title clearly and concisely summarizes the main change: adding conditional gates for optional CI jobs using repository variables.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@d-cs d-cs self-assigned this Jun 11, 2026
@d-cs d-cs marked this pull request as ready for review June 11, 2026 12:21

@devin-ai-integration devin-ai-integration Bot left a comment

Contributor

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

3 participants