chore: [SDK-4532] remove unused Asana, Claude, and Unity activation workflows #868
Removes the Asana sync workflows (asana-add-comment, asana-create-task, asana-update-issue) and the Claude workflows (claude, claude-code-review). The Asana update workflow contained a script-injection vulnerability via issue title interpolated into a shell `run:` block (SDK-4532). Rather than patch it, dropping these workflows since they are no longer needed. Co-authored-by: Cursor <cursoragent@cursor.com>
The activation.yml workflow generates a Unity license activation request file (.alf), but no other workflow in this repo uses a Unity license (ci.yml only runs csharpier; cd.yml only publishes npm packages). It is also a manual workflow_dispatch and the underlying actions/upload-artifact@v2 is deprecated. Co-authored-by: Cursor <cursoragent@cursor.com>
LGTM — pure deletion of unused workflow files; removing the vulnerable asana-update-issue.yml is a clean fix for SDK-4532, and the other removals (asana-, claude, activation.yml, .cursor/rules/pr-conventions.mdc) have no runtime impact on ci.yml/cd.yml.
Extended reasoning...
Overview
This PR is a pure-deletion change touching 6 GitHub workflow files under .github/workflows/ (asana-add-comment.yml, asana-create-task.yml, asana-update-issue.yml, claude.yml, claude-code-review.yml, activation.yml) and one Cursor rule file (.cursor/rules/pr-conventions.mdc). No source code, build configuration, tests, or release behavior is modified. The remaining ci.yml (csharpier) and cd.yml (npm publish) workflows are untouched.
Security risks
Net-positive for security. The primary motivation is SDK-4532: asana-update-issue.yml interpolated user-controllable GitHub event fields (github.event.issue.title, github.event.label.name, github.event.milestone.title, github.event.changes.title.from, etc.) directly into shell run: blocks via ${{ }}, which is a well-known script-injection vector. Removing the file eliminates the vulnerability entirely rather than patching it. No new attack surface is introduced. Removing the Claude workflows reduces the number of pipelines that hold elevated tokens.
Level of scrutiny
Low. This is a mechanical deletion of unused CI/tooling files with a clearly stated rationale. There is no logic to reason about, no API surface change, and no risk to consumers of the SDK. The only risk would be that a removed workflow is still relied upon — but the PR description explicitly confirms these are not used, and a quick sanity check of the changed-files set shows no inbound references could survive (each workflow is self-contained and triggered by GitHub events, not invoked by other workflows).
Other factors
The PR is small, self-contained, and well-described with a linked Linear ticket. No bugs were flagged by the bug hunting system. The cursor rule deletion is noted as already folded into root rules. Overall this is exactly the kind of low-risk security-hardening cleanup that is safe to shadow-approve.
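An added example, not code from this PR or repository: a stdlib-only Python check for the pattern the review describes, `${{ github.event.* }}` expanded inside a `run:` script, shown next to the safe form that passes the value through `env:`. The workflow text is a constructed sample, `find_run_injections` is a hypothetical helper name, and the scan is line-based rather than a full YAML parse.

```python
import re

# ${{ github.event.* }} is substituted into the script text before the shell
# runs it, so user-chosen titles and labels become shell source.
EXPR = re.compile(r"\$\{\{\s*(github\.event\.[\w.\-]+)\s*\}\}")
RUN = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")

# Constructed sample (not the deleted workflow): two unsafe steps, one safe.
SAMPLE = """\
on:
  issues:
    types: [edited, labeled]
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe
        run: |
          echo "Old title: ${{ github.event.changes.title.from }}"
          echo "New title: ${{ github.event.issue.title }}"
      - name: safe
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New title: $ISSUE_TITLE"
      - name: unsafe-inline
        run: echo "${{ github.event.label.name }}"
"""


def find_run_injections(workflow_text):
    """Return [(line_no, context)] for github.event.* expanded inside run: scripts."""
    findings, in_block, run_col = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN.match(line)
        if m:
            body, run_col = m.group(1), line.index("run:")
            findings += [(no, e) for e in EXPR.findall(body)]
            in_block = body[:1] in ("|", ">")  # block scalar continues below
        elif in_block:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= run_col:
                in_block = False  # dedent: the script has ended
            else:
                findings += [(no, e) for e in EXPR.findall(line)]
    return findings


if __name__ == "__main__":
    for no, ctx in find_run_injections(SAMPLE):
        print(f"line {no}: {ctx} is expanded inside a run: script; pass it via env: instead")
```

The `env:` mapping in the safe step is not flagged because the expression there is assigned to an environment variable, and the shell only sees the quoted variable reference.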
Description
One Line Summary
Removes unused Asana sync, Claude, and Unity activation GitHub workflows.
Details
Motivation
These workflows are no longer in use in this repo. The Asana sync workflows were also flagged in SDK-4532 for a CI hardening concern, so dropping them rather than maintaining them.
activation.yml generates a Unity license activation file but nothing else in CI consumes a Unity license (ci.yml runs csharpier, cd.yml publishes npm packages).
Scope
.github/workflows/:
- asana-add-comment.yml
- asana-create-task.yml
- asana-update-issue.yml
- claude.yml
- claude-code-review.yml
- activation.yml
.cursor/rules/pr-conventions.mdc (folded into root rules already).
Testing
Manual testing
N/A, workflow file removals only. Existing ci.yml (csharpier) and cd.yml (npm publish) are untouched.
Affected code checklist
Checklist
Overview
Testing
Final pass