
ci(docs): Switch agentic workflows from Copilot to Claude engine

@sentry/warden / warden: find-bugs completed Mar 12, 2026 in 5m 27s

1 issue

find-bugs: Found 1 issue (1 medium)

Medium

Claude Code CLI installed with @latest tag creates supply chain risk - `.github/workflows/docs-codebase-update.lock.yml:297`

The workflow installs `@anthropic-ai/claude-code@latest` via npm without a pinned version. This means each workflow run may use a different CLI version, creating non-deterministic behavior and potential supply chain attack surface if a malicious version is published. Other dependencies in this workflow (e.g., `actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f`) use pinned commit SHAs.


Duration: 5m 24s · Tokens: 2.5M in / 23.3k out · Cost: $9.43 (+extraction: $0.00, +fix_gate: $0.00)
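As an added example (not part of the Warden output and not the repository's own code), a POSIX shell check that scans workflow text for `npm install` / `npx` package specs that are not pinned to an exact version, so an `@latest` install like the one flagged above is caught before merge. The embedded `SAMPLE_WORKFLOW` is constructed for the example and is not the real `.github/workflows/docs-codebase-update.lock.yml`; `find_unpinned_npm_installs` is a name chosen here.

```shell
# Added example, not part of the Warden finding or the repository's own code:
# flag npm/npx package specs in a workflow that are not pinned to an exact
# version. SAMPLE_WORKFLOW is constructed for the example and is not the real
# .github/workflows/docs-codebase-update.lock.yml.
SAMPLE_WORKFLOW='name: docs-codebase-update
jobs:
  run:
    steps:
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
      - run: npm install -g @anthropic-ai/claude-code@latest
      - run: npm install -g @anthropic-ai/claude-code
      - run: npm install -g @anthropic-ai/claude-code@^1.0.0
      - run: npm install -g @anthropic-ai/claude-code@1.0.33
      - run: npx some-tool@latest --help
      - run: npm ci
'

# Reads workflow text on stdin. Prints "LINE:package@spec" (or "LINE:package
# (no version)") for every npm install / npx argument whose version is absent,
# a dist-tag such as latest, or a range; exits 1 if anything was flagged.
find_unpinned_npm_installs() {
  awk '
  {
    collecting = 0
    for (i = 1; i <= NF; i++) {
      tok = $i
      # Start collecting package specs after "npm install|i|add" or "npx".
      if (tok == "npm" && ($(i+1) == "install" || $(i+1) == "i" || $(i+1) == "add")) {
        collecting = 1; i++; continue
      }
      if (tok == "npx") { collecting = 1; continue }
      if (!collecting) continue
      # A shell operator ends the command; later words belong to another command.
      if (tok == "&&" || tok == "||" || tok == ";" || tok == "|") { collecting = 0; continue }
      if (tok ~ /^-/) continue                      # flags such as -g or --help
      # Split name@version. A leading "@" is the scope, not the version separator.
      prefix = ""; body = tok
      if (substr(tok, 1, 1) == "@") { prefix = "@"; body = substr(tok, 2) }
      at = index(body, "@")
      if (at == 0) { name = prefix body; ver = "" }
      else { name = prefix substr(body, 1, at - 1); ver = substr(body, at + 1) }
      if (name !~ /^(@[a-z0-9._-]+\/)?[a-z0-9._-]+$/) continue   # not a registry package name
      # Exact semver (optionally with a prerelease/build suffix) is acceptable.
      if (ver ~ /^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.+-]*)?$/) continue
      found++
      if (ver == "") print NR ":" name " (no version)"
      else print NR ":" name "@" ver
    }
  }
  END { if (found > 0) exit 1; exit 0 }
  '
}

# Stand-alone demo: list the unpinned installs in the constructed workflow.
printf '%s' "$SAMPLE_WORKFLOW" | find_unpinned_npm_installs || echo "unpinned npm installs found"
```

Run it over real files with `cat .github/workflows/*.yml | find_unpinned_npm_installs` as a CI gate. Note the caveat: an exact version such as `@1.0.33` removes the "whatever is latest at run time" drift the finding describes, but it still trusts whatever the registry serves for that version; binding the tarball content as well requires a lockfile `integrity` hash installed with `npm ci`, which is the npm-side counterpart of the commit-SHA pins already used for the actions in this workflow.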

Annotations

Check warning on line 297 in .github/workflows/docs-codebase-update.lock.yml
