getsentry · nicohrubec · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 18, 2026
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
@@ -0,0 +1,49 @@
+name: Fix Security Vulnerability
+
+on:
+  dependabot_alert:
+    types: [created]
+  workflow_dispatch:
+    inputs:
+      alert:
+        description:
+          'Dependabot alert number or URL (e.g. 1046 or
+          https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
+        required: true
+
+concurrency:
+  group: fix-security-vuln-${{ github.event.alert.number || github.event.inputs.alert }}
+  cancel-in-progress: false
+
+jobs:
+  fix-vulnerability:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      security-events: read
+      issues: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: develop
+
+      - uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          prompt: |
+            /fix-security-vulnerability ${{ github.event.alert.number || github.event.inputs.alert }}
+
+            IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
+
+            If you can fix the vulnerability:
+              Create a branch, apply the fix, and open a PR with your analysis
+              in the PR description. Target the develop branch.
+
+            If you determine the alert should NOT be fixed:
+              Do NOT dismiss the alert. Instead, open a GitHub issue with:
+              - Title: "Security: Dismiss Dependabot alert #<number> - <package-name>"
+              - Label: "Security"
+              - Body: Include the full vulnerability details, your analysis,
+                the recommended dismissal reason, and why the alert cannot/should not be fixed.
+          claude_args: '--max-turns 20'