|
5 | 5 | types: [created] |
6 | 6 | pull_request_review_comment: |
7 | 7 | types: [created] |
8 | | - issues: |
9 | | - types: [opened] |
10 | 8 | pull_request_review: |
11 | 9 | types: [submitted] |
12 | 10 |
|
13 | 11 | jobs: |
14 | 12 | claude: |
| 13 | + # Only run when @claude is mentioned AND the author is a trusted |
| 14 | + # org member/collaborator. This is defense-in-depth on top of the |
| 15 | + # action's built-in write-access check. |
15 | 16 | if: | |
16 | | - (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || |
17 | | - (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || |
18 | | - (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || |
19 | | - (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
| 17 | + ( |
| 18 | + (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || |
| 19 | + (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || |
| 20 | + (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) |
| 21 | + ) && |
| 22 | + ( |
| 23 | + github.event.comment.author_association == 'OWNER' || |
| 24 | + github.event.comment.author_association == 'MEMBER' || |
| 25 | + github.event.comment.author_association == 'COLLABORATOR' || |
| 26 | + github.event.review.author_association == 'OWNER' || |
| 27 | + github.event.review.author_association == 'MEMBER' || |
| 28 | + github.event.review.author_association == 'COLLABORATOR' |
| 29 | + ) |
20 | 30 | runs-on: ubuntu-latest |
21 | 31 | permissions: |
22 | | - contents: write |
| 32 | + contents: write # Downgrade to `read` if Claude should not push commits/branches |
23 | 33 | pull-requests: write |
24 | 34 | issues: write |
25 | | - id-token: write |
26 | 35 | actions: read # Required for Claude to read CI results on PRs |
27 | 36 | steps: |
28 | 37 | - name: Checkout repository |
29 | | - uses: actions/checkout@v7 |
| 38 | + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
30 | 39 | with: |
31 | 40 | fetch-depth: 1 |
32 | 41 |
|
33 | 42 | - name: Run Claude Code |
34 | 43 | id: claude |
35 | | - uses: anthropics/claude-code-action@v1 |
| 44 | + uses: anthropics/claude-code-action@4d7e1f0cd85743fdc93b1c8040ab54395da024e2 # v1.0.149 |
36 | 45 | with: |
37 | 46 | anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} |
38 | 47 |
|
39 | | - # This is an optional setting that allows Claude to read CI results on PRs |
| 48 | + # Allows Claude to read CI results on PRs |
40 | 49 | additional_permissions: | |
41 | 50 | actions: read |
42 | 51 |
|
43 | | - # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it. |
44 | | - # prompt: 'Update the pull request description to include a summary of changes.' |
45 | | - |
46 | | - # Optional: Add claude_args to customize behavior and configuration |
47 | | - # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md |
48 | | - # or https://code.claude.com/docs/en/cli-reference for available options |
49 | | - # claude_args: '--allowed-tools Bash(gh pr *)' |
50 | | - |
| 52 | + # Tools are intentionally left at the action's tag-mode defaults: file edits |
| 53 | + # are confined to the workspace (acceptEdits) and arbitrary Bash is blocked. |
| 54 | + # Do NOT add Edit/Write to a custom --allowedTools — the action omits them on |
| 55 | + # purpose; listing them grants blanket write access to the whole runner. |
0 commit comments