Fix security and permissions in Claude workflow files#2

Merged
zircote merged 2 commits into main from copilot/sub-pr-1
Feb 6, 2026

Conversation

Contributor

Copilot AI commented Jan 30, 2026

Summary

Adds author association security checks to the Claude Code workflow (claude.yml):

  • Author trust check: Restricts @claude triggers to OWNER, MEMBER, or COLLABORATOR only
  • Write permissions: Changed contents, pull-requests, issues from read to write to enable stated functionality
  • Style: Added YAML document header, quoted on key, yamllint compliance

The claude-code-review.yml security fixes (fork guard, write permissions) were applied directly to main in commit 8d87d3b to unblock OIDC validation for this PR.

Copilot AI changed the title from "[WIP] Add Claude Code GitHub workflow" to "Fix security and permissions in Claude workflow files" Jan 30, 2026
Copilot AI requested a review from zircote January 30, 2026 04:01
@zircote zircote marked this pull request as ready for review February 6, 2026 21:48
Copilot AI review requested due to automatic review settings February 6, 2026 21:48

Copilot AI left a comment


Pull request overview

Updates the Claude-related GitHub Actions workflows to reduce unauthorized triggering risk and adjust token permissions to match intended functionality when interacting with PRs/issues.

Changes:

  • Added author_association gating so @claude triggers only run for OWNER, MEMBER, or COLLABORATOR.
  • Added a non-fork guard to the PR code-review workflow to avoid running when secrets wouldn’t be available.
  • Updated workflow formatting/style to align with existing repository workflow conventions (--- + quoted "on"), and adjusted permissions to write where needed.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
.github/workflows/claude.yml | Adds association-based trigger restrictions and updates job token permissions for Claude's repo interactions.
.github/workflows/claude-code-review.yml | Adds fork guard and updates PR permissions to allow the workflow to post/update PR review output.
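The two workflows as the PR summary and the review above describe them (author trust check plus write permissions in claude.yml; fork guard plus pull-requests: write in claude-code-review.yml), written out below as an added illustration. This is not the PR's actual diff, which this page does not show. The trigger set, the action reference (anthropics/claude-code-action@v1), its input names (anthropic_api_key, prompt) and the id-token: write requirement are assumptions; the security-relevant lines are the `if:` conditions and the `permissions:` blocks. The two files are shown as two YAML documents in one block for brevity; in a repository they are separate files.

```yaml
# .github/workflows/claude.yml  (illustrative; assumed triggers and action inputs)
---
name: Claude Code

"on":
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened]

jobs:
  claude:
    # Author trust check. issue_comment and issues events run in the base
    # repository with repository secrets and a write-capable GITHUB_TOKEN, so
    # without this gate anyone who can write a comment could drive the agent.
    # CONTRIBUTOR (anyone with a merged PR), FIRST_TIME_CONTRIBUTOR, FIRST_TIMER
    # and NONE are deliberately excluded.
    if: |
      (github.event_name == 'issue_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'issues' &&
        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push commits/branches the agent creates
      pull-requests: write   # open PRs and post review comments
      issues: write          # comment on and update issues
      id-token: write        # OIDC token for the action (assumed requirement)
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}  # assumed input name

# .github/workflows/claude-code-review.yml  (illustrative)
---
name: Claude Code Review

"on":
  pull_request:
    types: [opened, synchronize]

jobs:
  claude-review:
    # Fork guard. A pull_request event from a fork runs with a read-only
    # GITHUB_TOKEN and no repository secrets, so the action would fail; skip
    # instead. Do not "fix" this by switching to pull_request_target, which
    # would run with secrets and a write token against fork-controlled code.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # post/update the review on the PR
      id-token: write        # assumed requirement of the action
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}  # assumed input name
          prompt: "Review this PR for bugs and CLAUDE.md compliance."  # assumed input name
```

Two points worth keeping in mind with this shape. The `author_association` field is evaluated for the actor who fired the event (the commenter, the reviewer or the issue author), so the gate limits who can trigger the agent; it does not limit what the agent reads, and issue or PR text written by untrusted users still reaches the model once a trusted user invokes it. And `contents: write` is what lets the agent push, so if the job is only expected to comment, dropping it back to `read` is the cheaper least-privilege option.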

Copilot AI and others added 2 commits February 6, 2026 16:55
- Add author trust check to claude.yml (OWNER/MEMBER/COLLABORATOR only)
- Update permissions to write for contents, PRs, and issues in claude.yml
- Add YAML document header and quote 'on' key for consistency
- Add fork guard to claude-code-review.yml to skip when secrets unavailable
- Update permissions to write for pull-requests in claude-code-review.yml

Co-authored-by: zircote <307960+zircote@users.noreply.github.com>
@zircote zircote changed the base branch from add-claude-github-actions-1769740011136 to main February 6, 2026 21:57

claude bot commented Feb 6, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

@zircote zircote merged commit 5090e62 into main Feb 6, 2026
2 checks passed
@zircote zircote deleted the copilot/sub-pr-1 branch February 6, 2026 22:17