Restrict Claude Step Summary output to debug runs

[danielorbach]

PR #22 unconditionally enabled display_report on the Claude review steps so the workflow summary would always render Claude's analysis. This is verbose for routine Dependabot runs and, per the upstream warning on the input, should be reserved for trusted-input contexts.

The Step Summary is now gated on runner.debug, making it available when a workflow is re-run with debug logging enabled but silent otherwise. The workflow header also gains a comment explaining why the prompt injection threat model that motivated upstream's default-off change does not apply here: the review job's actor gate restricts execution to the dependabot[bot] actor, a trusted first-party automation source.

Relates to #6

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

The PR modifies the GitHub Actions workflow to add a prompt-injection mitigation comment and makes the display_report setting conditional on runner debug mode instead of always enabled. This affects how the Claude review reports are displayed in both minor and major update jobs.

Changes

Cohort / File(s)	Summary
Workflow Configuration .github/workflows/claudependabot.yml	Added prompt-injection mitigation comment block. Changed display_report from true to ${{ runner.debug == '1' }} in both minor and major update review jobs to conditionally enable report display based on debug mode.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related PRs

• Review Dependabot minor and major updates with Claude Code #19: Introduces the claudependabot workflow file with the display_report configuration that is now being conditionally controlled.
• Fix Claude review steps in ClauDependabot workflow #22: Also modifies the Claude review steps and display_report setting in the same workflow file.

Suggested reviewers

• galactic-king

Poem

🐰 A workflow refined, with guards in place,
Reports now dance at debug's pace—
Security whispers, conditions flow free,
Safer automation, as it should be! 🛡️✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Restrict Claude Step Summary output to debug runs' directly summarizes the main change: gating the Step Summary display on debug mode rather than unconditionally enabling it.
Description check	✅ Passed	The description explains the rationale behind the change, references the related PR #22 and issue #6, and provides context about security considerations and trusted execution contexts.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-claudependabot-output

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[galactic-king]