Add claude GitHub actions #462
PR Summary by Qodo: Add Claude GitHub Actions for PR reviews and @claude requests
Files changed (2)
Code Review by Qodo
| if: | | ||
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write | ||
| actions: read # Required for Claude to read CI results on PRs | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Run Claude Code | ||
| id: claude | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
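Review bot: Every branch of the `if:` is a plain `contains(..., '@claude')` substring test on a body or title, so text such as `@claude-bot`, or a quoted reply that happens to carry the string, also starts the job that receives `secrets.CLAUDE_CODE_OAUTH_TOKEN` in the final `with:` block. If only direct requests are meant to trigger it, match more strictly, for example `startsWith(github.event.comment.body, '@claude ')`, and state the intended trigger form in a comment above the `if:`.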
1. Secret exposed to commenters 🐞 Bug ⛨ Security
.github/workflows/claude.yml runs on issues and comment-based events whenever text contains @claude and passes secrets.CLAUDE_CODE_OAUTH_TOKEN into a third-party action, so any user who can open/comment can trigger secret-backed execution. This enables unauthorized token consumption and increases risk of prompt-injection-driven abuse of the action.
Agent Prompt
### Issue description
The `claude` workflow is triggered by user-generated events (issues/comments/reviews) and only checks for the substring `@claude`, then injects `secrets.CLAUDE_CODE_OAUTH_TOKEN` into `anthropics/claude-code-action`. This allows any actor who can open an issue or add a comment in this repo to invoke a secret-backed workflow.
### Issue Context
This is a trust-boundary problem: the workflow grants a privileged capability (using an OAuth token) based solely on user-controlled text. It should be restricted to trusted actors (e.g., members/collaborators) or require explicit approval.
### Fix Focus Areas
- .github/workflows/claude.yml[3-41]
### Suggested remediation
- Add an author trust gate to the job `if:` (or a separate early step) such as:
  - `github.event.comment.author_association` / `github.event.issue.author_association` in `{OWNER,MEMBER,COLLABORATOR}`
  - or restrict to `github.actor` in an allowlist
- Consider moving invocation behind `workflow_dispatch` and require a protected `environment` with reviewers.
- If you must allow public triggers, do **not** pass long-lived secrets; use short-lived tokens or a broker service with strict policy.
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write | ||
|
|
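Review bot: `id-token: write` on the last line is the only write scope in this block and has no comment saying which step needs it. Add a trailing comment naming the consumer, in the style of the `actions: read # Required for Claude to read CI results on PRs` line in the other snippet, or drop the scope if no step uses it.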
2. Unneeded oidc permission 🐞 Bug ⛨ Security
Both workflows request id-token: write but no step in either workflow uses OIDC, so this unnecessarily allows minting GitHub OIDC tokens. This expands the blast radius if a step/action is compromised now or in the future.
Agent Prompt
### Issue description
The workflows request `permissions: id-token: write` even though there are no OIDC consumers (no cloud login step, no explicit OIDC token usage). This violates least privilege and increases risk if any action is compromised.
### Issue Context
`id-token: write` enables OIDC token minting. Unless a step explicitly needs OIDC federation, it should be omitted.
### Fix Focus Areas
- .github/workflows/claude.yml[21-26]
- .github/workflows/claude-code-review.yml[22-27]
### Suggested remediation
- Remove `id-token: write` from both workflows (or set it to `none`).
- If OIDC is needed later, add it back narrowly and document which step requires it.
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | ||
| plugins: 'code-review@claude-code-plugins' | ||
| prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' |
3. Unpinned external plugins 🐞 Bug ⛨ Security
.github/workflows/claude-code-review.yml fetches plugin code from an external GitHub repository and references a plugin without pinning to an immutable version/commit, so CI behavior can change without review. This creates a supply-chain and reproducibility risk for PR checks.
Agent Prompt
### Issue description
The code-review workflow loads Claude plugins from an external repository (`plugin_marketplaces`) and selects a plugin by name (`plugins`) without pinning to an immutable ref. This allows remote changes to alter workflow behavior without a PR in this repo.
### Issue Context
This is a CI supply-chain integrity issue: results may change over time, and a compromise in the plugin source could impact your workflow.
### Fix Focus Areas
- .github/workflows/claude-code-review.yml[34-41]
### Suggested remediation
- Prefer vendoring the plugin code in-repo, or pin the plugin source to a specific commit SHA/tag if the action supports it.
- Pin `anthropics/claude-code-action` (and ideally `actions/checkout`) to a commit SHA instead of a moving tag to reduce supply-chain risk.
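The three findings above can be turned into a repeatable pre-merge check. The following is an added example, not code from this PR, from Qodo, or from the action's maintainers: a dependency-free, line-based audit of workflow text. The `audit` function, its finding codes, and the re-indented `SAMPLE` workflow are assumptions constructed for illustration from the snippets quoted in the review.

```python
import re

# Constructed sample: job lines quoted in the review above, re-indented as YAML.
SAMPLE = """\
jobs:
  claude:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude'))
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
"""

USES = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.M)
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
USER_TEXT = re.compile(r"github\.event\.(comment|issue|review)\.(body|title)")


def audit(workflow_text):
    """Return a sorted list of finding codes (hypothetical names) for one workflow."""
    findings = set()
    # Finding 3: a tag or branch ref can be repointed; only a full commit SHA is immutable.
    for ref in USES.findall(workflow_text):
        if not ref.startswith("./") and not FULL_SHA.search(ref):
            findings.add("unpinned:" + ref)
    # Finding 2: OIDC token minting is requested; a reviewer must confirm a step needs it.
    if re.search(r"^[ \t]*id-token:[ \t]*write\b", workflow_text, re.M):
        findings.add("oidc-write")
    # Finding 1: job keyed on user-controlled text, uses a secret, has no author check.
    if (USER_TEXT.search(workflow_text)
            and "secrets." in workflow_text
            and "author_association" not in workflow_text):
        findings.add("untrusted-trigger-with-secret")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check is textual, so it reports that an `author_association` test is absent from the file, not that an existing one is correct; a flagged `oidc-write` still needs a human to confirm whether any step consumes the token.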
Enable claude