Skip to content

[Tooling] Secure Claude workflows#5512

Open
iangmaia wants to merge 5 commits into
mainfrom
iangmaia/secure-claude-workflows
Open

[Tooling] Secure Claude workflows#5512
iangmaia wants to merge 5 commits into
mainfrom
iangmaia/secure-claude-workflows

Conversation

@iangmaia

@iangmaia iangmaia commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Security improvements for the Claude workflows:

  • claude.yml: skips fork PRs via a Check PR origin step that queries the PR head repo and only runs Claude for same-repo PRs. Closes indirect prompt injection via fork content on issue_comment/pull_request_review(_comment) events, which run with base-repo secrets.
  • claude.yml: adds a trusted-author check and drops the issues: opened trigger. Tools are left at the action's defaults (edits via acceptEdits, arbitrary Bash blocked) instead of a custom allowlist.
  • Both workflows: pins actions to commit SHAs and preserves the Claude action's required OIDC permission for GitHub App token exchange.

@dangermattic

dangermattic commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator
1 Warning
⚠️ PR is not assigned to a milestone.

Generated by 🚫 Danger

@iangmaia iangmaia force-pushed the iangmaia/secure-claude-workflows branch from d3ff555 to 6035d91 Compare July 1, 2026 14:38
…gger, pin SHAs, drop id-token

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@iangmaia iangmaia force-pushed the iangmaia/secure-claude-workflows branch from 6035d91 to b5f7c35 Compare July 1, 2026 15:05
@iangmaia iangmaia changed the title Secure the Claude workflows [Tooling] Secure Claude workflows Jul 1, 2026
@iangmaia iangmaia self-assigned this Jul 1, 2026
@iangmaia iangmaia added [Type] Tooling Related to the Gradle build scripts and the setup or maintenance of the project build process. [Area] Tooling labels Jul 1, 2026
@iangmaia iangmaia requested a review from Copilot July 1, 2026 19:06

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s Claude GitHub Actions workflows to reduce the risk of secret exposure and unintended execution, especially for fork-based PR events that run with base-repo permissions.

Changes:

  • Adds a trusted-author gate and a PR-origin check to skip running Claude on fork PRs for comment/review-triggered events.
  • Pins third-party actions (actions/checkout, anthropics/claude-code-action) to commit SHAs.
  • Removes the unused id-token: write permission from both workflows.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/claude.yml Adds trusted-author gating + fork-PR suppression via PR-origin check; pins actions; removes id-token.
.github/workflows/claude-code-review.yml Pins actions to SHAs and removes id-token permission.

Comment thread .github/workflows/claude.yml Outdated
@iangmaia iangmaia force-pushed the iangmaia/secure-claude-workflows branch from 5b5211e to 850c634 Compare July 2, 2026 10:11
@iangmaia iangmaia requested a review from Copilot July 2, 2026 10:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/claude.yml Outdated
Comment thread .github/workflows/claude-code-review.yml
@iangmaia

iangmaia commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@claude review

@claude

claude Bot commented Jul 3, 2026

Copy link
Copy Markdown

Claude finished @iangmaia's task in 1m 41s —— View job


Claude Code Review

  • Gather context (read both workflow files, diff, prior review threads)
  • Review claude.yml security changes
  • Review claude-code-review.yml security changes
  • Post review

Nice hardening pass — the layering here is solid: pull_request (not pull_request_target) + same-repo if gate + trusted-author gate + a runtime fork-origin check + SHA-pinned actions. Below are findings, none blocking.

✅ What's done well

  • Core injection vector is closed correctly. pull_request_review, pull_request_review_comment, and issue_comment all run in the base repo context with secrets even for fork PRs — that's precisely the indirect-prompt-injection risk. The Check PR origin step queries the live PR head repo and gates both the checkout and the Run Claude Code steps on is_internal == 'true', so no untrusted fork content reaches Claude before the check. Because the check hits the GitHub API, the head repo can't be spoofed from PR content. 👍
  • Fail-closed error handling. If gh api fails (or returns an empty/null head.repo.full_name, e.g. a deleted fork), is_internal=false and Claude is skipped. Good default.
  • persist-credentials: false on the review workflow's checkout is a good touch.
  • Defense-in-depth on authorship — the OWNER/MEMBER/COLLABORATOR gate sits on top of the action's built-in write-access check, and the contains(github.event.review.body || '', '@claude') null-coalesce (from 4f38a96) is correct since review bodies can be empty on approvals.

🔎 Notes / optional

  1. Redundant API call for review events (optional simplification). pull_request_review and pull_request_review_comment payloads already include github.event.pull_request.head.repo.full_name, so the origin check could read it directly without a gh api round-trip (avoiding a rate-limit dependency). The API call is only strictly required for issue_comment, which doesn't carry the head repo. The current uniform approach is correct and robust — just noting the events differ.

  2. issue_comment still fires on plain issues. Dropping the issues: [opened] trigger removed auto-runs on new issues, but issue_comment covers both issue and PR comments. On a comment on a regular (non-PR) issue, ISSUE_PULL_REQUEST_URL is empty → is_internal=true → Claude runs (for trusted authors). That's harmless from a fork-injection standpoint (issues have no fork content) and is likely intended, but worth a conscious confirmation that trusted members invoking @claude on issues is desired behavior. If so, issues: write in permissions is correctly retained for that path.

  3. COLLABORATOR breadth. author_association == 'COLLABORATOR' can include outside collaborators with non-push (e.g. triage) access, not just writers. The action's built-in write-access requirement backstops this, so it's not exploitable — just flagging that the association gate alone is broader than "can push."

  4. id-token: write — retained correctly. Confirming the earlier thread: since github_token isn't passed, the action uses the OIDC token to exchange for a GitHub App token via Anthropic's token service, so this permission is required, not vestigial. The Copilot suggestion to drop it would have broken token exchange.

Verdict

Looks good to merge. The two workflow-modification restrictions on my side mean I can't push edits here anyway, but the design is sound and I don't see a security gap. Items 1–3 are optional/confirmatory.
· iangmaia/secure-claude-workflows

@iangmaia iangmaia marked this pull request as ready for review July 3, 2026 13:53
@iangmaia iangmaia requested a review from a team as a code owner July 3, 2026 13:53
@iangmaia iangmaia requested a review from geekygecko July 3, 2026 13:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

[Area] Tooling [Type] Tooling Related to the Gradle build scripts and the setup or maintenance of the project build process.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants