Merged
18 changes: 18 additions & 0 deletions .github/workflows/claude.yml
Expand Up @@ -26,6 +26,18 @@
#
# IMPORTANT: Never add steps that execute code from the PR (npm install, pip install, make, etc.)
#
# `allowed_non_write_users: "*"` on pr-review and issue-handler bypasses the action's
# built-in actor-permission gate so fork PRs from external contributors get auto-reviewed
# without a maintainer having to babysit. The action's own warning calls this "extreme
# caution" territory: a malicious fork's diff gets fed to Claude, which has Bash in
# --allowedTools and access to ANTHROPIC_API_KEY + GITHUB_TOKEN. Prompt injection in the
# diff could try to coerce Claude into running an exfiltration command. The action mitigates
# with subprocess secret scrubbing (CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, auto-set when this
# input is non-empty) + a pinned bun binary + hardened PATH. We accept the residual risk
# in exchange for not maintaining a username allowlist. If a real injection lands, tighten
# this to a literal username list (no `author_association` values supported — checked
# upstream `src/github/validation/permissions.ts`, only literal usernames or `*`).
#
# NOTE: pull_request_target uses the workflow file from the BASE branch (main), not the PR head.
# Changes to this file only take effect after merging to main.
#
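Review bot: The accepted-risk paragraph names ANTHROPIC_API_KEY and GITHUB_TOKEN as reachable but never records what the GITHUB_TOKEN is allowed to do in these two jobs, and that scope is what actually bounds the residual risk. Add a line stating the `permissions:` each job runs with, so the trade-off is documented against a concrete blast radius. The tightening trigger, "If a real injection lands", is also purely reactive: the comment gives no way to notice one, so say what a maintainer should check (for example, reviewing the Bash commands in the job logs of fork-triggered runs).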
Expand Down Expand Up @@ -103,6 +115,9 @@ jobs:
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
github_token: ${{ secrets.GITHUB_TOKEN }}
# Allow fork-PR authors (no write perms) to trigger auto-review.
# See file header for the security trade-off.
allowed_non_write_users: "*"
prompt: |
Review this pull request following the custom_instructions exactly.
First read (in order): pr-diff.txt, pr-files.txt, CLAUDE.md, and the PR title/description via `gh pr view ${{ github.event.pull_request.number }}`.
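Review bot: With `allowed_non_write_users: "*"` set here, every input named in the "First read (in order)" line except CLAUDE.md from the base branch is attacker-controlled on a fork PR, including the PR title/description fetched with `gh pr view`, yet the file header only discusses injection through the diff. State in the prompt that pr-diff.txt, pr-files.txt and the PR title/description are untrusted data to be reviewed and never instructions to follow, and extend the header comment to list the title/description as part of the injection surface.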
Expand Down Expand Up @@ -518,6 +533,9 @@ jobs:
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
github_token: ${{ secrets.GITHUB_TOKEN }}
# Allow non-write users (fork-PR authors, external issue reporters) to invoke
# @claude. See file header for the security trade-off.
allowed_non_write_users: "*"
prompt: |
REPO: ${{ github.repository }}
ISSUE/PR NUMBER: ${{ github.event.issue.number }}
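Review bot: The inline comment on this job widens the audience to "external issue reporters", but the header's justification for `"*"` is only that fork PRs get auto-reviewed without a maintainer present. That rationale does not cover arbitrary accounts invoking @claude from an issue, each invocation running with ANTHROPIC_API_KEY. Either add the reasoning for this job to the header, or keep `"*"` on pr-review only and use a literal username list here, which the header already notes is the supported alternative.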