chore: update Claude code review wf

[ymc9]

Summary by CodeRabbit

• Chores
  • Updated internal GitHub Actions workflow configuration.

Note: This release contains no user-facing changes. The update addresses internal development infrastructure and does not impact your experience with the application.

[coderabbitai]

📝 Walkthrough

Walkthrough

A GitHub Actions workflow trigger is modified from pull_request to pull_request_target in the Claude code review workflow configuration, changing which event type initiates the automated job execution.

Changes

Cohort / File(s)	Summary
Workflow Configuration .github/workflows/claude-code-review.yml	Modified workflow trigger event from pull_request to pull_request_target, altering when the code review job is initiated.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A trigger so small, yet so mighty and true,
From pull_request we hop to pull_request_target's view,
The workflow now listens with ears standing tall,
One line changed—but it changes it all! 🐇✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'chore: update Claude code review wf' is vague and uses an abbreviation ('wf') that doesn't clearly convey what was actually changed. The specific change (pull_request → pull_request_target trigger) is not apparent from the title.	Consider a more specific title like 'chore: update Claude code review workflow trigger' or 'chore: change Claude review workflow to use pull_request_target' to clarify the actual change.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/claude-review-ci

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude-code-review.yml:
- Line 4: The workflow uses pull_request_target which, combined with
actions/checkout without a ref and the CLAUDE_CODE_OAUTH_TOKEN plus
pull-requests: write permission, allows untrusted PR code to run with repo
secrets; either change the event from pull_request_target to pull_request, or if
pull_request_target is required: modify the checkout step in the workflow to
check out the base SHA only (set the ref to the base commit and add
persist-credentials: false), pin any third-party action usages (replace mutable
tags like `@beta` with commit SHAs), and tighten GITHUB_TOKEN permissions (remove
or reduce pull-requests: write) to eliminate the secret exfiltration path.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 82fada63-05c1-4298-a807-1136bd56783c

📥 Commits

Reviewing files that changed from the base of the PR and between 87a9f7f and ffded40.

📒 Files selected for processing (1)

• .github/workflows/claude-code-review.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/claude-code-review.yml

Repository: zenstackhq/zenstack

Length of output: 3984

---

🌐 Web query:

GitHub Actions pull_request_target security risks forked pull requests secrets write permissions

💡 Result:

Why pull_request_target is risky with forked PRs

• It runs with the base repository trust/permissions, not the fork’s. That means the workflow can get repository secrets (and can also access “trusted” secret stores in cases where pull_request would be blocked). (docs.github.com)
• If your workflow checks out and executes PR code (e.g., actions/checkout at github.event.pull_request.head.sha or otherwise runs code from the fork), you can end up running attacker-controlled code with secrets available, enabling secret exfiltration (“pwn request”) and follow-on compromise. (securitylab.github.com)
• The built-in GITHUB_TOKEN may have write capabilities unless you explicitly restrict it, so a compromised run can potentially push commits/tags, open/modify PRs, create releases, edit issues, etc. (depending on granted permissions). (synacktiv.com)

The common “fork PR + secrets + write” failure mode

1. Attacker opens a PR from a fork.
2. A pull_request_target workflow triggers (base repo context).
3. The workflow fetches/runs the PR’s code (tests/build scripts, custom actions from the PR, etc.).
4. The PR code prints/exfiltrates secrets or uses a write-capable GITHUB_TOKEN to persist changes (e.g., push to the repo, poison artifacts). (securitylab.github.com)

Key mitigations (safe patterns)

• Prefer pull_request for CI on code from forks (GitHub’s default safety model: no secrets + read-only token). (github.blog)
• If you must use pull_request_target (e.g., to comment/label):
  • Do not check out / run PR code in that workflow. (docs.github.com)
  • Set explicit minimal permissions: for GITHUB_TOKEN (avoid broad write). (github.blog)
  • Gate any privileged behavior behind maintainer approval/labels and keep the privileged job operating only on trusted refs. (securitylab.github.com)

Recent platform change to be aware of

• GitHub announced changes (Nov 7, 2025) to reduce edge cases by ensuring the default branch is the workflow source for pull_request_target-related evaluation, but GitHub still emphasizes that using pull_request_target with fork PRs remains inherently higher risk because it executes based on user-supplied PRs and can access secrets. (github.blog)

Citations:

• 1: https://docs.github.com/en/enterprise-server%40latest/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
• 2: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/?utm_source=openai
• 3: https://www.synacktiv.com/publications/github-actions-exploitation-introduction?utm_source=openai
• 4: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/?utm_source=openai
• 5: https://github.blog/security/supply-chain-security/four-tips-to-keep-your-github-actions-workflows-secure/?utm_source=openai
• 6: https://docs.github.com/en/enterprise-server%40latest/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
• 7: https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/?utm_source=openai
• 8: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/?utm_source=openai
• 9: https://github.blog/changelog/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes?utm_source=openai

---

pull_request_target with untrusted PR checkout creates secret exfiltration risk

Line 4 enables pull_request_target, which runs this workflow with base-repository secrets and permissions. However, the actions/checkout@v4 call (lines 30–32) does not specify a ref, causing it to check out the PR's head code (attacker-controlled). Combined with the available CLAUDE_CODE_OAUTH_TOKEN secret and pull-requests: write permission, this creates a direct path for secret exfiltration: a malicious PR could extract the token or abuse the write scope during the action's execution.

Either switch to pull_request (revokes secrets, read-only token) or apply all three mitigations if pull_request_target is mandatory:

1. Checkout base SHA only with persist-credentials: false to prevent untrusted code execution with secrets in scope.
2. Pin the third-party action by commit SHA instead of the @beta tag.
3. Restrict GITHUB_TOKEN permissions further if possible.

Hardening diff

             - name: Checkout repository
               uses: actions/checkout@v4
               with:
+                  ref: ${{ github.event.pull_request.base.sha }}
                   fetch-depth: 1
+                  persist-credentials: false

             - name: Run Claude Code Review
               id: claude-review
-              uses: anthropics/claude-code-action@beta
+              uses: anthropics/claude-code-action@<commit-sha>
               with:
                   claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml at line 4, The workflow uses
pull_request_target which, combined with actions/checkout without a ref and the
CLAUDE_CODE_OAUTH_TOKEN plus pull-requests: write permission, allows untrusted
PR code to run with repo secrets; either change the event from
pull_request_target to pull_request, or if pull_request_target is required:
modify the checkout step in the workflow to check out the base SHA only (set the
ref to the base commit and add persist-credentials: false), pin any third-party
action usages (replace mutable tags like `@beta` with commit SHAs), and tighten
GITHUB_TOKEN permissions (remove or reduce pull-requests: write) to eliminate
the secret exfiltration path.