-
Notifications
You must be signed in to change notification settings - Fork 7
Add Claude Code GitHub Workflow #63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| @@ -1,7 +1,7 @@ | ||||||||||
| name: Claude Code Review | ||||||||||
|
|
||||||||||
| on: | ||||||||||
| pull_request_target: | ||||||||||
| pull_request: | ||||||||||
| types: [opened, synchronize, ready_for_review, reopened] | ||||||||||
| # Optional: Only run on specific file changes | ||||||||||
| # paths: | ||||||||||
|
|
@@ -21,24 +21,24 @@ jobs: | |||||||||
| runs-on: ubuntu-latest | ||||||||||
| permissions: | ||||||||||
| contents: read | ||||||||||
| pull-requests: write | ||||||||||
| issues: write | ||||||||||
| pull-requests: read | ||||||||||
| issues: read | ||||||||||
|
Comment on lines
+24
to
+25
|
||||||||||
| pull-requests: read | |
| issues: read | |
| pull-requests: write | |
| issues: write |
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -20,8 +20,8 @@ jobs: | |||||||||
| runs-on: ubuntu-latest | ||||||||||
| permissions: | ||||||||||
| contents: read | ||||||||||
| pull-requests: write | ||||||||||
| issues: write | ||||||||||
| pull-requests: read | ||||||||||
| issues: read | ||||||||||
|
Comment on lines
+23
to
+24
|
||||||||||
| pull-requests: read | |
| issues: read | |
| pull-requests: write | |
| issues: write |
Copilot
AI
Mar 12, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The PR description states "Only users with write access to the repository can trigger the workflow", but the workflow does not enforce this and will run for any @claude mention in issue/PR comments. This can allow untrusted users to trigger runs (token spend) and potentially prompt the agent to act on sensitive repo context. Add an explicit actor/author_association guard in the job if: (e.g., restrict to OWNER, MEMBER, COLLABORATOR) or otherwise validate the commenter before running.
Copilot
AI
Mar 12, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR description says the Anthropic API key is stored as ANTHROPIC_API_KEY, but the workflow now uses CLAUDE_CODE_OAUTH_TOKEN via claude_code_oauth_token. Please align the PR description and repository secret setup with the authentication method expected by this workflow to avoid post-merge failures.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Switching this workflow from
pull_request_targettopull_requestimproves safety, but note thatpull_requestworkflows do not receive repository secrets for PRs from forks. As written, this can cause failing checks on forked PRs due to missingCLAUDE_CODE_OAUTH_TOKEN. Consider adding a guard to skip whengithub.event.pull_request.head.repo.fork == true(or otherwise handle missing secrets gracefully).