[Tooling] Secure Claude workflows #5512
…gger, pin SHAs, drop id-token Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR hardens the repository’s Claude GitHub Actions workflows to reduce the risk of secret exposure and unintended execution, especially for fork-based PR events that run with base-repo permissions.
Changes:
- Adds a trusted-author gate and a PR-origin check to skip running Claude on fork PRs for comment/review-triggered events.
- Pins third-party actions (`actions/checkout`, `anthropics/claude-code-action`) to commit SHAs.
- Removes the unused `id-token: write` permission from both workflows.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/claude.yml | Adds trusted-author gating + fork-PR suppression via PR-origin check; pins actions; removes id-token. |
| .github/workflows/claude-code-review.yml | Pins actions to SHAs and removes id-token permission. |
@claude review
Claude finished @iangmaia's task in 1m 41s. Claude Code Review
Nice hardening pass — the layering here is solid:
✅ What's done well
🔎 Notes / optional
Verdict: Looks good to merge. The two workflow-modification restrictions on my side mean I can't push edits here anyway, but the design is sound and I don't see a security gap. Items 1–3 are optional/confirmatory.
Security improvements for the Claude workflows:
- `claude.yml`: skips fork PRs via a `Check PR origin` step that queries the PR head repo and only runs Claude for same-repo PRs. Closes indirect prompt injection via fork content on `issue_comment`/`pull_request_review(_comment)` events, which run with base-repo secrets.
- `claude.yml`: adds a trusted-author check and drops the `issues: opened` trigger. Tools are left at the action's defaults (edits via `acceptEdits`, arbitrary Bash blocked) instead of a custom allowlist.
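The two gates described in this PR (trusted author, then PR origin), as an added example that is not the PR's own workflow code: a script a `run:` step could execute (or the `gh`/`jq` equivalent) to decide whether the Claude step should run for a comment- or review-triggered event. It reads the event payload the runner provides, and because `issue_comment` payloads carry no head repo it fetches the PR to compare `head.repo.full_name` with the base repository. Which `author_association` values count as trusted, the repository name `example-org/example-repo`, the sample payloads and the offline `lookup` helper are assumptions constructed here.

```python
"""Gate logic for comment/review-triggered Claude workflow runs.

Added example, not the project's workflow code. Gate 1: only trusted authors.
Gate 2: only same-repo PRs, because issue_comment and
pull_request_review(_comment) events run with the base repo's secrets even
when the PR content comes from a fork.
"""
import json
import os
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional

# Assumption (not stated on the page): author_association values accepted
# by the trusted-author gate.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}

# Events that run with base-repo secrets while referring to a PR that may
# originate from a fork.
PR_CONTEXT_EVENTS = {"issue_comment", "pull_request_review", "pull_request_review_comment"}


@dataclass(frozen=True)
class Decision:
    run: bool
    reason: str


def actor_association(payload: dict) -> Optional[str]:
    """author_association of whoever produced the triggering comment/review."""
    obj = payload.get("comment") or payload.get("review") or {}
    return obj.get("author_association")


def pr_number(event_name: str, payload: dict) -> Optional[int]:
    """PR number the event refers to; None for comments on plain issues."""
    if event_name == "issue_comment":
        issue = payload.get("issue", {})
        return issue.get("number") if "pull_request" in issue else None
    return (payload.get("pull_request") or {}).get("number")


def should_run(event_name: str, payload: dict, base_repo: str,
               fetch_pr: Callable[[int], dict]) -> Decision:
    """Apply the trusted-author gate, then the PR-origin gate."""
    assoc = actor_association(payload)
    if assoc not in TRUSTED_ASSOCIATIONS:
        return Decision(False, f"untrusted author_association {assoc!r}")
    if event_name not in PR_CONTEXT_EVENTS:
        return Decision(False, f"event {event_name!r} is not gated here")
    num = pr_number(event_name, payload)
    if num is None:
        return Decision(False, "comment is on an issue, not a pull request")
    # issue_comment payloads carry no head repo, so the PR must be fetched;
    # review events already embed the pull_request object.
    pr = payload.get("pull_request") or fetch_pr(num)
    head_repo = (pr.get("head") or {}).get("repo")  # None if the fork was deleted
    head_full = head_repo.get("full_name") if head_repo else None
    if head_full != base_repo:
        return Decision(False, f"fork PR: head {head_full!r} != base {base_repo!r}")
    return Decision(True, f"same-repo PR #{num} by trusted author")


def gh_fetch_pr(base_repo: str) -> Callable[[int], dict]:
    """Real fetcher for use inside a workflow step (needs gh and GH_TOKEN)."""
    def fetch(num: int) -> dict:
        out = subprocess.check_output(["gh", "api", f"repos/{base_repo}/pulls/{num}"])
        return json.loads(out)
    return fetch


# Constructed sample data (trimmed to the fields the gate reads).
BASE = "example-org/example-repo"  # assumed repository name
SAME_REPO_PR = {"number": 42, "head": {"repo": {"full_name": BASE}}}
FORK_PR = {"number": 43, "head": {"repo": {"full_name": "outsider/example-repo"}}}
MEMBER_COMMENT = {"issue": {"number": 42, "pull_request": {}},
                  "comment": {"author_association": "MEMBER"}}
MEMBER_COMMENT_ON_FORK = {"issue": {"number": 43, "pull_request": {}},
                          "comment": {"author_association": "MEMBER"}}
OUTSIDER_REVIEW = {"pull_request": SAME_REPO_PR,
                   "review": {"author_association": "NONE"}}


def lookup(num: int) -> dict:
    """Offline stand-in for gh_fetch_pr using the constructed PRs above."""
    return {42: SAME_REPO_PR, 43: FORK_PR}[num]


if __name__ == "__main__":
    # In a workflow step the inputs come from the runner environment.
    event = os.environ.get("GITHUB_EVENT_NAME", "issue_comment")
    repo = os.environ.get("GITHUB_REPOSITORY", BASE)
    if "GITHUB_EVENT_PATH" in os.environ:
        with open(os.environ["GITHUB_EVENT_PATH"]) as f:
            payload = json.load(f)
        fetcher = gh_fetch_pr(repo)
    else:
        payload, fetcher = MEMBER_COMMENT, lookup
    print(should_run(event, payload, repo, fetcher))
```

Inside a job, the step running this would write `run=true`/`run=false` to `$GITHUB_OUTPUT` and the Claude step would carry an `if:` on that output; because the check itself only reads the payload and calls the REST API, it can run before any secret-bearing step. The deleted-fork case (`head.repo` null) is treated as a fork, which is the safe default.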