ci: gate optional Claude and security-scan jobs behind repository variables (#3901)

d-cs · web-flow · commit f073d8708ae5 · 2026-06-15T11:49:51.000+01:00
## Summary

Add per-job `if:` gates so deployments that don't want — or can't run —
these jobs can switch them off via repository variables, without editing
workflows.

- `ENABLE_CLAUDE_CODE` gates the Claude jobs: interactive `@claude`, the
CLAUDE.md audit, and the REVIEW.md drift audit.
- `ENABLE_WORKFLOW_SECURITY_SCAN` gates the Zizmor job, which uploads
SARIF and so needs GitHub code scanning enabled.

Both default to **enabled**: a job runs unless its variable is
explicitly set to `'false'`, so behaviour is unchanged anywhere the
variables are unset. The sibling `actionlint` job and the report-only
Trivy scan are untouched.

## Test plan

- [x] `actionlint` clean on the four edited workflows
- [x] YAML parses for all four files
diff --git a/.github/workflows/check-review-md.yml b/.github/workflows/check-review-md.yml
@@ -14,7 +14,10 @@ concurrency:
 
 jobs:
   audit:
+    # Set the ENABLE_CLAUDE_CODE repository variable to 'false' to turn off Claude
+    # jobs; leave it unset (the default) to keep them enabled.
     if: >-
+      vars.ENABLE_CLAUDE_CODE != 'false' &&
       github.event.pull_request.draft == false &&
       github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
diff --git a/.github/workflows/claude-md-audit.yml b/.github/workflows/claude-md-audit.yml
@@ -15,7 +15,10 @@ concurrency:
 
 jobs:
   audit:
+    # Set the ENABLE_CLAUDE_CODE repository variable to 'false' to turn off Claude
+    # jobs; leave it unset (the default) to keep them enabled.
     if: >-
+      vars.ENABLE_CLAUDE_CODE != 'false' &&
       github.event.pull_request.draft == false &&
       github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -12,11 +12,16 @@ on:
 
 jobs:
   claude:
+    # Set the ENABLE_CLAUDE_CODE repository variable to 'false' to turn off Claude
+    # jobs; leave it unset (the default) to keep them enabled.
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      vars.ENABLE_CLAUDE_CODE != 'false' &&
+      (
+        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+        (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      )
     runs-on: ubuntu-latest
     permissions:
       contents: write
diff --git a/.github/workflows/workflow-checks.yml b/.github/workflows/workflow-checks.yml
@@ -36,6 +36,11 @@ jobs:
 
   zizmor:
     name: Zizmor
+    # Uploads SARIF to the Security tab, which requires GitHub code scanning to be
+    # enabled on the repository. Set the ENABLE_WORKFLOW_SECURITY_SCAN repository
+    # variable to 'false' to skip this job where code scanning isn't available;
+    # leave it unset (the default) to run the scan.
+    if: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN != 'false' }}
     runs-on: ubuntu-latest
     permissions:
       security-events: write # Upload SARIF to GitHub Security tab
