The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cli-web-cli	Ready	Preview, Comment	Apr 15, 2026 10:41am

Walkthrough: This PR extends the existing Dependabot lockfile-regeneration workflow to also handle build and lint failures after a dependency bump. When pnpm run build or pnpm exec eslint . fails, the workflow now invokes anthropics/claude-code-action@v1 to diagnose and fix the issue automatically, then commit+push back to the branch.

Changes:

• .github/workflows/dependabot-lockfile.yml: Renamed workflow to 'Fix Dependabot PRs', renamed job to fix-dependabot, increased timeout from 10 to 15 min, bumped pull-requests permission to write, refactored lockfile commit step to use step output, added build and lint steps with continue-on-error, added Claude Code action step that fires when either build or lint fails.

Review Notes:

• Permissions escalation: pull-requests bumped from read to write (needed for Claude to post a comment on complex failures; confirm acceptable for pull_request_target trigger)
• New secret dependency: requires ANTHROPIC_API_KEY in repo/org secrets - silently fails if absent
• External action on pull_request_target: claude-code-action@v1 runs with base-repo write credentials - consider pinning to a commit SHA instead of v1 tag for supply-chain safety
• Allowed tools scope: Claude is constrained to Bash,Read,Write,Edit,Glob,Grep with --max-turns 30 - reasonable sandbox but does permit arbitrary Bash execution
• No new test coverage: pure CI workflow change, no application code modified

Review Summary

This PR extends the Dependabot lockfile workflow to invoke Claude when build/lint fails after a dependency bump. The idea is sound, but there are two bugs that together mean the auto-fix feature will never work correctly as written.

Bug 1 — Shell substitution in direct_prompt is never expanded (critical)

Lines 86 and 89:

$(cat /tmp/build-output.txt 2>/dev/null || echo "Build succeeded")
$(cat /tmp/lint-output.txt 2>/dev/null || echo "Lint succeeded")

$() shell command substitution only works inside run: steps. GitHub Actions does not perform shell expansion on with: input values — only ${{ }} expressions are evaluated at the workflow level. Claude's prompt will literally contain the text $(cat /tmp/build-output.txt 2>/dev/null || echo "Build succeeded") rather than the actual error output. Claude won't know what actually failed.

Fix — capture the output in a step output or env var first, then reference it:

- name: Capture outputs
  id: outputs
  if: steps.build.outcome == 'failure' || steps.lint.outcome == 'failure'
  run: |
    BUILD_OUT=$(cat /tmp/build-output.txt 2>/dev/null || echo "Build succeeded")
    LINT_OUT=$(cat /tmp/lint-output.txt 2>/dev/null || echo "Lint succeeded")
    # Use a delimiter to handle multi-line content safely
    echo "build_output<<ENDOFOUTPUT" >> "$GITHUB_OUTPUT"
    echo "$BUILD_OUT" >> "$GITHUB_OUTPUT"
    echo "ENDOFOUTPUT" >> "$GITHUB_OUTPUT"
    echo "lint_output<<ENDOFOUTPUT" >> "$GITHUB_OUTPUT"
    echo "$LINT_OUT" >> "$GITHUB_OUTPUT"
    echo "ENDOFOUTPUT" >> "$GITHUB_OUTPUT"

Then in direct_prompt: ${{ steps.outputs.outputs.build_output }}

Bug 2 — Pipe swallows exit code; build/lint failures go undetected (high)

Lines 63 and 69:

pnpm run build 2>&1 | tee /tmp/build-output.txt
pnpm exec eslint . 2>&1 | tee /tmp/lint-output.txt

In a pipe, the step's exit code is the exit code of the last command — tee — not of pnpm. If pnpm run build exits with code 1 but tee succeeds, the step exits 0 and steps.build.outcome is 'success'. The Claude fix step's condition (steps.build.outcome == 'failure') will never be true.

Fix:

run: |
  set -o pipefail
  pnpm run build 2>&1 | tee /tmp/build-output.txt

Same fix needed for the lint step.

Minor — anthropics/claude-code-action@v1 not pinned to a commit SHA

This workflow uses pull_request_target (runs with secrets access) plus contents: write + pull-requests: write. Using a mutable tag (@v1) for a third-party action in this security context means a compromised tag update could run with write access to the repo. Pinning to a commit SHA (e.g., anthropics/claude-code-action@abc1234) prevents this. This is consistent with how actions/checkout and others should also be pinned, but the blast radius here is higher due to the write permissions.

This is also true in claude-review.yml and pr-overview.yml, but that's out of scope for this PR.

The rest of the changes (job rename, permission upgrade to pull-requests: write, timeout increase, GITHUB_OUTPUT for lockfile tracking) are all correct and necessary.