From 6fc297d46ca5397bca8112975d759974cfe6119e Mon Sep 17 00:00:00 2001
From: Daniel Orbach
Date: Tue, 17 Mar 2026 20:09:28 +0200
Subject: [PATCH 1/2] github: gate Claude Step Summary on debug mode

display_report renders Claude's analysis in the GitHub Step Summary. Unconditionally enabling it is verbose for routine runs and, per the upstream warning, should only be used with trusted input. Gate on runner.debug so the report is still available when re-running with debug logging enabled. display_report (not show_full_output) is the correct input here: show_full_output dumps the full JSON execution log including tool results that may contain secrets; display_report only renders Claude's authored summary, which is safe for this workflow's trusted-input context.
---
 .github/workflows/claudependabot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/claudependabot.yml b/.github/workflows/claudependabot.yml
index e378b81..7f48acf 100644
--- a/.github/workflows/claudependabot.yml
+++ b/.github/workflows/claudependabot.yml
@@ -73,7 +73,7 @@ jobs:
 with:
 anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 allowed_bots: dependabot
- display_report: true
+ display_report: ${{ runner.debug == '1' }}
 prompt: |
 This is a Dependabot PR for a minor version update.
@@ -110,7 +110,7 @@ jobs:
 with:
 anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 allowed_bots: dependabot
- display_report: true
+ display_report: ${{ runner.debug == '1' }}
 prompt: |
 This is a Dependabot PR for a MAJOR version update.

From ec9c6e0411a4284a0de10162f017b13f59348a41 Mon Sep 17 00:00:00 2001
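Review bot: `display_report: ${{ runner.debug == '1' }}` in the `@@ -73` hunk (and identically in the `@@ -110` hunk) changes when the Step Summary is rendered, not what is allowed to reach it: once someone re-runs the job with debug logging, the summary is populated exactly as it was with `display_report: true`, so the "trusted input" condition the commit message cites still rests entirely on the job-level actor gate, which lies outside both hunks. Read on its own, the expression looks like a security control tied to debug mode, and a later maintainer could relax the actor gate believing the summary is only exposed in debug runs. I would document the intent directly above the line in both hunks: `# Step Summary rendering is verbose and, per upstream, meant for trusted input only; show it on debug re-runs. The actor gate on this job, not this flag, is the trust boundary.` The surrounding `with:` block and the `prompt: |` scalar continue past the end of each hunk.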
From: Daniel Orbach
Date: Tue, 17 Mar 2026 20:13:28 +0200
Subject: [PATCH 2/2] github: document prompt injection mitigation in workflow header

The actor gate on the review job restricts Claude steps to the dependabot[bot] actor, mitigating the primary prompt injection vector (attacker-authored PR/issue content reaching the Claude prompt or Step Summary). Note that Claude may still fetch external content such as changelogs during analysis; the actor gate addresses the direct input surface.
---
 .github/workflows/claudependabot.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/claudependabot.yml b/.github/workflows/claudependabot.yml
index 7f48acf..bc75ef8 100644
--- a/.github/workflows/claudependabot.yml
+++ b/.github/workflows/claudependabot.yml
@@ -16,6 +16,14 @@
 # Squash commits default to using the PR description as body, but Dependabot
 # PRs include lengthy changelogs and compatibility notes. Each step overrides
 # the body to keep commit messages clean.
+#
+# Prompt injection: claude-code-action steps can be susceptible to prompt
+# injection when triggered by untrusted actors (e.g. arbitrary issue
+# commenters). The review job's actor gate restricts execution to the
+# dependabot[bot] actor, which is a trusted first-party automation source.
+# Claude may still fetch external content during analysis (changelogs,
+# release notes), but gating on a trusted actor is considered a sufficient
+# mitigation for the Step Summary rendering surface.
 
 name: "🤖 ClauDependabot"