ci: gate optional Claude and security-scan jobs behind repository variables

[d-cs]

Summary

Add per-job if: gates so deployments that don't want — or can't run — these jobs can switch them off via repository variables, without editing workflows.

• ENABLE_CLAUDE_CODE gates the Claude jobs: interactive @claude, the CLAUDE.md audit, and the REVIEW.md drift audit.
• ENABLE_WORKFLOW_SECURITY_SCAN gates the Zizmor job, which uploads SARIF and so needs GitHub code scanning enabled.

Both default to enabled: a job runs unless its variable is explicitly set to 'false', so behaviour is unchanged anywhere the variables are unset. The sibling actionlint job and the report-only Trivy scan are untouched.

Test plan

• actionlint clean on the four edited workflows
• YAML parses for all four files

[changeset-bot]

⚠️ No Changeset found

Latest commit: d2696fd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a18e8118-9c80-480d-8ebf-db5c82c118c7

📥 Commits

Reviewing files that changed from the base of the PR and between 1c7e64a and d2696fd.

📒 Files selected for processing (4)

• .github/workflows/check-review-md.yml
• .github/workflows/claude-md-audit.yml
• .github/workflows/claude.yml
• .github/workflows/workflow-checks.yml

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (javascript-typescript)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2026-05-12T14:34:38.795Z

Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3561
File: .github/workflows/check-review-md.yml:3-10
Timestamp: 2026-05-12T14:34:38.795Z
Learning: In this repo’s `.github/workflows/check-review-md.yml`, the workflow is intentionally configured to run on *all* `pull_request` events (e.g., `opened`, `ready_for_review`, `synchronize`) and not only when `.claude/REVIEW.md` changes. The Claude Code audit compares each PR’s diff against `REVIEW.md` to detect contradictions and new undocumented patterns, so restricting the trigger to paths limited to `.claude/REVIEW.md` would undermine that coverage. Do not suggest narrowing the `pull_request` trigger to only REVIEW.md-related path changes.

Applied to files:

• .github/workflows/check-review-md.yml

🔇 Additional comments (4)

.github/workflows/check-review-md.yml (1)

17-23: LGTM!

.github/workflows/claude-md-audit.yml (1)

18-23: LGTM!

.github/workflows/claude.yml (1)

15-24: LGTM!

.github/workflows/workflow-checks.yml (1)

39-43: LGTM!

---

Walkthrough

This PR adds repository variable guards to control the execution of GitHub Actions workflow jobs. The ENABLE_CLAUDE_CODE variable is added to three Claude Code-related workflows (check-review-md.yml, claude-md-audit.yml, and claude.yml) to skip those jobs when the variable is set to 'false'. A separate ENABLE_WORKFLOW_SECURITY_SCAN variable is added to the zizmor job in workflow-checks.yml for the same purpose. All guards follow the same pattern: jobs run by default unless the variable is explicitly set to 'false'.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description provides a comprehensive summary, test plan, and technical details, but does not follow the required template structure with sections like Checklist, Testing, Changelog, and Screenshots.	Restructure the description to follow the repository's template: include the checklist, Testing section, and Changelog section in the required format.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding conditional gates for optional CI jobs using repository variables.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci-gate-optional-jobs-via-repo-vars

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.