- Delete codex-pr-description.yml and its prompt file
- Add claude-pr-description.yml: generates structured Chinese PR descriptions using Claude, with deep Issue/PR discovery
- Only triggers on PR opened (not every sync)
- Directly replaces PR body instead of marker-based upsert
- Update CI_CD_SETUP.md to reflect the change
All 8 Claude workflows now read vars.CLAUDE_MODEL, defaulting to claude-sonnet-4-5-20250929. Change the model for all workflows at once via Settings → Variables → CLAUDE_MODEL.
Review Summary by Qodo
Replace Codex PR Description with Claude and make model configurable
Walkthroughs
Description
• Replace Codex PR Description with Claude-based auto-generation
  - Deletes OpenAI Codex workflow and prompt
  - Adds new Claude workflow with deep Issue/PR discovery
  - Triggers only on PR opened (not every sync)
  - Directly replaces PR body instead of marker-based upsert
• Make Claude model configurable across all 8 workflows
  - All workflows now read vars.CLAUDE_MODEL variable
  - Defaults to claude-sonnet-4-5-20250929
  - Enables centralized model management via Settings
• Remove PR template, replaced by Claude auto-description
  - Deletes .github/pull_request_template.md
  - Reduces manual template maintenance burden
• Update CI/CD documentation to reflect changes
  - Updates .github/CI_CD_SETUP.md with new workflow details
  - Documents new trigger conditions and API requirements
Diagram
flowchart LR
A["Codex PR Description<br/>OpenAI API"] -->|removed| B["Claude PR Description<br/>Anthropic API"]
C["PR opened event"] -->|triggers| B
B -->|deep discovery| D["Issue/PR linking"]
B -->|generates| E["Structured Chinese<br/>description"]
F["vars.CLAUDE_MODEL"] -->|configures| B
F -->|configures| G["8 Claude workflows"]
H["PR template"] -->|removed| I["Auto-generated<br/>descriptions"]
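File Changes
1. .github/CI_CD_SETUP.md
Greptile Overview
Greptile Summary
This PR migrates PR description generation from OpenAI Codex to Anthropic Claude and adds a configurable model parameter to all Claude workflows.
Main changes
Issues found
Critical issues
Suggested improvements
Confidence Score: 2/5
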
| Filename | Overview |
|---|---|
| .github/workflows/claude-pr-description.yml | New workflow replacing Codex - has security concern with checkout configuration and missing validation |
| .github/workflows/codex-pr-description.yml | File deleted - replaced by Claude PR Description workflow |
| .github/pull_request_template.md | Template removed - relying on AI generation, may impact manual PR creation workflow |
Sequence Diagram
sequenceDiagram
participant User
participant GitHub
participant PR as Pull Request
participant Claude as Claude PR Description
participant API as Anthropic API
User->>GitHub: Open Pull Request
GitHub->>Claude: Trigger workflow (pull_request_target: opened)
Note over Claude: Check if actor ends with [bot]
Claude->>GitHub: Checkout repository (base branch)
Claude->>GitHub: gh pr view - Get PR metadata
Claude->>GitHub: gh pr diff - Get changes
Claude->>GitHub: gh search issues - Find related issues
Claude->>GitHub: gh issue list - List all issues
Note over Claude: Analyze changes and relevance<br/>Generate Chinese description
Claude->>API: Call Anthropic API with prompt
API-->>Claude: Return AI-generated description
Claude->>GitHub: gh pr edit - Update PR body
GitHub->>PR: Update description
Note over PR: Description now contains:<br/>概要, 问题, 解决方案, 变更内容<br/>由 Claude AI 自动生成
PR-->>User: Show updated description
```yaml
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
```
Security concern: when using pull_request_target without specifying a ref, checkout@v5 checks out the base branch (not PR head), which is safe. However, this differs from the old Codex workflow which explicitly checked out base.sha. The current config may checkout the latest base commit instead of the merge base, potentially analyzing different code than what will be merged.
Consider explicitly specifying:
```diff
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+          fetch-depth: 0
```
```yaml
          ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }}
```
Using secrets.GITHUB_TOKEN as fallback will fail because secrets.GITHUB_TOKEN doesn't exist - the correct syntax is just github.token. The current expression will always evaluate to secrets.GH_PAT when github.token is empty.
```diff
-          github_token: ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }}
+          github_token: ${{ github.token }}
```
Code Review by Qodo
1. pull_request_target allows untrusted runs
```yaml
on:
  pull_request_target:
    types: [opened]

jobs:
  pr-description:
    if: "!endsWith(github.actor, '[bot]')"
    runs-on: ubuntu-latest
    concurrency:
      group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
      cancel-in-progress: false
    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - name: Run Claude Code for PR Description Enhancement
        uses: anthropics/claude-code-action@v1
        env:
          ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }}
          allowed_non_write_users: "*"
```
1. pull_request_target allows untrusted runs 📘 Rule violation ⛨ Security
• The new workflow runs on pull_request_target with pull-requests: write and provides ANTHROPIC_API_KEY/GITHUB_TOKEN (or GH_PAT) to an action that can execute Bash(*) tools.
• It explicitly sets allowed_non_write_users: "*", meaning untrusted external contributors can trigger a privileged workflow, creating a high risk of secret exfiltration or unauthorized PR modification.
• This violates the requirement to implement proper authentication/authorization controls when handling external inputs (PRs from non-trusted users).
Agent Prompt
## Issue description
The workflow `.github/workflows/claude-pr-description.yml` is triggered by `pull_request_target` and allows any non-write user (`allowed_non_write_users: "*"`) to run an action that can execute `Bash(*)` while receiving secrets/tokens and `pull-requests: write` permission. This is a missing authorization control for untrusted PR authors and can enable secret exfiltration or unauthorized PR edits.
## Issue Context
PR content (title/body/diff) is an external/untrusted input. Using `pull_request_target` + secrets + write permissions should be restricted to trusted actors (e.g., repo members) or redesigned to avoid exposing secrets on untrusted PRs.
## Fix Focus Areas
- .github/workflows/claude-pr-description.yml[3-32]
- .github/workflows/claude-pr-description.yml[14-17]
- .github/workflows/claude-pr-description.yml[25-32]
- .github/workflows/claude-pr-description.yml[194-195]
```yaml
        env:
          ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```
[ERROR-SILENT] Missing API key validation
The new claude-pr-description.yml workflow does not validate the presence of ANTHROPIC_API_KEY before attempting to use it. Other Claude workflows in this repo include explicit validation steps.
Evidence:
- `.github/workflows/claude-pr-description.yml:29` - Uses `${{ secrets.ANTHROPIC_API_KEY }}` without validation
- Compare with `.github/workflows/claude-pr-review.yml:18-21` which validates the key first
Impact:
- Workflow will fail silently or with unclear error messages when the secret is not configured
- Users will not receive actionable feedback about missing configuration
Suggested fix:
```yaml
steps:
  - name: Validate Anthropic configuration
    run: |
      if [ -z "${{ secrets.ANTHROPIC_API_KEY }}" ]; then
        echo "::error::Missing required secret ANTHROPIC_API_KEY (Settings → Secrets and variables → Actions)."
        exit 1
      fi
  - name: Checkout repository
    uses: actions/checkout@v5
```
Confidence: 95 (NEW code +30, Exact line +20, Violated guideline +20, Runtime error +15, Critical path +10)
```yaml
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
```
[SECURITY-VULNERABILITY] Unsafe checkout in pull_request_target
Using pull_request_target with default checkout is a critical security vulnerability. The workflow checks out the base branch (main) instead of the PR branch, so Claude will analyze the wrong code.
Evidence:
- `.github/workflows/claude-pr-description.yml:4` - Uses `pull_request_target`
- `.github/workflows/claude-pr-description.yml:19-22` - Checks out without specifying `ref`
Impact:
- CRITICAL: The workflow will analyze the base branch code, not the PR changes
- PR descriptions will be incorrect and misleading
- Wasted API calls analyzing wrong code
Root cause:
pull_request_target runs in the context of the base branch for security. To analyze PR code, you must explicitly check out the PR head ref.
Suggested fix:
```yaml
- name: Checkout repository
  uses: actions/checkout@v5
  with:
    ref: ${{ github.event.pull_request.head.sha }}
    fetch-depth: 0
```
Confidence: 100 (NEW code +30, Exact line +20, Violated guideline +20, Security +15, Critical path +10, Runtime error +15)
```yaml
          ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }}
```
[SECURITY-VULNERABILITY] Potential token privilege escalation
Using secrets.GITHUB_TOKEN || secrets.GH_PAT creates a security risk. If GH_PAT has broader permissions than the default GITHUB_TOKEN, it could be exploited by malicious PRs.
Evidence:
- `.github/workflows/claude-pr-description.yml:30` - `github_token: ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }}`
- Combined with `pull_request_target` and `allowed_non_write_users: "*"` at line 31
Impact:
- Malicious PRs from untrusted users could trigger actions with elevated permissions
- `GH_PAT` typically has broader repo access than workflow-scoped `GITHUB_TOKEN`
- With `allowed_non_write_users: "*"`, any external contributor can trigger this
Root cause:
The fallback to GH_PAT is unnecessary for this workflow. The default github.token has sufficient permissions for PR operations.
Suggested fix:
```yaml
github_token: ${{ github.token }}
```
Remove the GH_PAT fallback entirely. If you need it for specific repos, document why and add explicit security controls.
Confidence: 90 (NEW code +30, Exact line +20, Security +15, Violated guideline +20, User experience +10)
Code Review Summary
This PR migrates PR description generation from OpenAI Codex to Claude Code. While the migration is well-intentioned, the new workflow contains critical security vulnerabilities and functional bugs that will prevent it from working correctly.
PR Size: M
Issues Found
| Category | Critical | High | Medium | Low |
|---|---|---|---|---|
| Security | 2 | 0 | 0 | 0 |
| Error Handling | 1 | 0 | 0 | 0 |
| Total | 3 | 0 | 0 | 0 |
Critical Issues
- [SECURITY-VULNERABILITY] Unsafe checkout in pull_request_target (.github/workflows/claude-pr-description.yml:20)
  - The workflow checks out the base branch instead of the PR branch
  - Claude will analyze the wrong code, generating incorrect descriptions
  - Must fix before merge
- [SECURITY-VULNERABILITY] Token privilege escalation risk (.github/workflows/claude-pr-description.yml:30)
  - Using `secrets.GITHUB_TOKEN || secrets.GH_PAT` with `allowed_non_write_users: "*"` allows untrusted users to trigger actions with elevated permissions
  - Must fix before merge
- [ERROR-SILENT] Missing API key validation (.github/workflows/claude-pr-description.yml:29)
  - No validation for `ANTHROPIC_API_KEY` presence
  - Workflow will fail with unclear error messages
  - Other Claude workflows in this repo include proper validation
Positive Changes
- ✅ Consistent model configuration via `vars.CLAUDE_MODEL` across all workflows
- ✅ Proper concurrency control with `cancel-in-progress: false`
- ✅ Bot filtering with `!endsWith(github.actor, '[bot]')`
- ✅ Comprehensive prompt with prompt injection protection
Review Coverage
- Logic and correctness
- Security (OWASP Top 10)
- Error handling
- Type safety
- Documentation accuracy
- Test coverage
- Code clarity
Recommendation
REQUEST CHANGES - The critical security vulnerabilities and functional bugs must be fixed before this can be merged. The checkout issue alone will cause the workflow to analyze the wrong code 100% of the time.
Automated review by Claude AI
```bash
REPO="${PR_REPO:-$GITHUB_REPOSITORY}"
PR="${PR_NUMBER:-23}"
LATEST_COMMIT_SHA="a2fa84d4203ce7f2838cb88c04549fd558d1f860"
# Size (computed: 214+205=419 lines across 11 files => M)
gh pr edit "$PR" --repo "$REPO" --add-label "size/M"
```
Inline comment(s)
````bash
REPO="${PR_REPO:-$GITHUB_REPOSITORY}"
PR="${PR_NUMBER:-23}"
LATEST_COMMIT_SHA="a2fa84d4203ce7f2838cb88c04549fd558d1f860"
gh api "repos/$REPO/pulls/$PR/comments" \
  -f body="$(cat <<'EOF'
**[Critical]** [SECURITY-VULNERABILITY] `pull_request_target` checks out PR head SHA with secrets available
**Why this is a problem**: This job runs on `pull_request_target` (base-repo privileges + access to secrets) but checks out the PR head SHA:
- Offending line: `ref: ${{ github.event.pull_request.head.sha }}` (`.github/workflows/claude-pr-description.yml:29`)
That places untrusted PR code into the workspace in the same job that can access `secrets.ANTHROPIC_API_KEY` and a write-capable GitHub token, creating a secret-exfiltration path (especially for fork PRs). This contradicts the repo’s documented security design: `- **不 checkout PR head/merge 代码**,审查基于 GitHub API 获取的 diff(避免执行不受信任代码)` (`.github/CI_CD_SETUP.md:51`) and the existing safe pattern (`.github/workflows/claude-pr-review.yml:101-105`).
**Suggested fix**:
```yaml
on:
  pull_request_target:
    types: [opened]
jobs:
  pr-description:
    if: >
      !endsWith(github.actor, '[bot]') &&
      github.event.pull_request.draft == false
    steps:
      - name: Checkout base (safe)
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          fetch-depth: 0
```
EOF
````
…tion
- Add ANTHROPIC_API_KEY validation step (consistent with other workflows)
- Checkout PR head SHA instead of base branch so Claude analyzes the actual PR changes
Code Review Summary
Critical Security Issue Found
I've identified 1 CRITICAL security vulnerability that must be addressed before merging.
[SECURITY-VULNERABILITY] Untrusted code execution in pull_request_target
Location: .github/workflows/claude-pr-description.yml:4-5, 29, 39, 202
Confidence: 95 (NEW code +30, Exact line +20, Security +15, Violated guideline +20, Critical path +10)
Issue:
This workflow uses pull_request_target with allowed_non_write_users: "*" and checks out untrusted PR code (head.sha), then grants Claude Bash(*) permissions. This allows any external contributor to execute arbitrary commands in the repository context with write access to PRs.
Attack scenario:
- Attacker opens PR with malicious code in comments/filenames
- Workflow checks out attacker's code (line 29)
- Claude reads malicious instructions from PR diff
- Despite "prompt injection protection" in line 55, Claude has `Bash(*)` and can be manipulated through carefully crafted file content
- Attacker gains ability to exfiltrate `ANTHROPIC_API_KEY`, modify other PRs, or access repository secrets
Evidence:
- Line 4-5: `pull_request_target: [opened]` - runs in base repo context with secrets
- Line 29: `ref: ${{ github.event.pull_request.head.sha }}` - checks out untrusted code
- Line 39: `allowed_non_write_users: "*"` - allows any external contributor
- Line 202: `allowedTools Read,Bash(*),Grep,Glob` - grants shell access
Recommended Fix:
```yaml
# Option 1: Use pull_request instead (no write access to base repo)
on:
  pull_request:
    types: [opened]

# Option 2: If pull_request_target is required, restrict to trusted users only
with:
  allowed_non_write_users: "" # Only allow repo collaborators

# Option 3: Don't checkout PR code, only use base branch
- name: Checkout repository
  uses: actions/checkout@v5
  with:
    ref: ${{ github.event.pull_request.base.sha }} # Safe: base branch only
```
References:
- GitHub Security Lab: Keeping your GitHub Actions and workflows secure Part 1
- Similar pattern in other workflows (claude-review-responder.yml, claude-mention-responder.yml) should also be audited
PR Size: M (419 lines changed, 11 files)
Issues Found
| Category | Critical | High | Medium | Low |
|---|---|---|---|---|
| Security | 1 | 0 | 0 | 0 |
| Error Handling | 0 | 0 | 0 | 0 |
| Type Safety | 0 | 0 | 0 | 0 |
| Logic | 0 | 0 | 0 | 0 |
| Total | 1 | 0 | 0 | 0 |
Review Coverage
- Logic and correctness
- Security (OWASP Top 10)
- Error handling
- Type safety
- Documentation accuracy
- Test coverage
- Code clarity
Other Observations (Not Issues)
Positive changes:
- Migration from OpenAI to Anthropic Claude is well-structured
- Model parameter override via `vars.CLAUDE_MODEL` is a good practice for flexibility
- Prompt injection protection is mentioned in the new workflow (line 55)
- API key validation step (lines 19-24) prevents silent failures
Non-blocking notes:
- The new workflow only triggers on `opened`, not `synchronize`. This means PR descriptions won't update as code changes. This is intentional per the documentation but may cause description drift.
- Removal of `.github/pull_request_template.md` reduces contributor guidance. Consider if this trade-off is acceptable.
- The workflow replaces entire PR body rather than upserting a section (unlike the old Codex workflow). This is more aggressive but cleaner.
Recommendation: 🔴 DO NOT MERGE until the critical security issue is resolved.
Automated review by Claude AI
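A static check for the combination of settings the reviews in this thread flag, as an added example (not code from the PR or from any of the review bots). The sample workflow is constructed from the fragments quoted above, and the finding names are illustrative labels.

```python
import re

# Constructed sample assembled from the workflow fragments quoted in this thread.
RISKY = """\
on:
  pull_request_target:
    types: [opened]
jobs:
  pr-description:
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }}
          allowed_non_write_users: "*"
"""

# The same job with the reviewers' suggestions applied.
HARDENED = (RISKY
    .replace("pull_request.head.sha", "pull_request.base.sha")
    .replace("secrets.GITHUB_TOKEN || secrets.GH_PAT", "github.token")
    .replace('          allowed_non_write_users: "*"\n', ""))

# Finding names are illustrative labels, not identifiers from any tool.
CHECKS = {
    "head-checkout": re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)"),
    "any-user-trigger": re.compile(r"allowed_non_write_users:\s*[\"']?\*"),
    "pat-fallback": re.compile(r"github_token:.*\|\|\s*secrets\.\w+"),
    "write-permission": re.compile(r"^\s*[\w-]+:\s*write\s*$", re.M),
}

def audit_workflow(text):
    """Return sorted finding names for a workflow that uses pull_request_target."""
    # Drop YAML comments so commented-out settings are not reported.
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", line) for line in text.splitlines())
    if not re.search(r"\bpull_request_target\b", body):
        return []  # the privileged trigger is what makes the other settings risky
    return sorted(name for name, rx in CHECKS.items() if rx.search(body))

if __name__ == "__main__":
    for label, wf in (("risky", RISKY), ("hardened", HARDENED)):
        print(label, audit_workflow(wf))
```

The check is line-based and heuristic; a remaining `write-permission` finding on the hardened job is a prompt to confirm the scope is needed, not a defect in itself.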
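Change description
Related Issue / Requirement
Self-test method
cd backend && uv run uvicorn app.main:app --reload --port 8090
cd frontend && pnpm --filter @whalewhisper/web dev
Risk & rollback
Checklist
PR Checks) pass
📝 PR description (auto-generated by Codex)
Switches `Codex PR Description` (`openai/codex-action`) to `Claude PR Description` (`anthropics/claude-code-action`), and updates the trigger conditions and required secrets in `.github/CI_CD_SETUP.md` accordingly (from `OPENAI_API_KEY` to `ANTHROPIC_API_KEY`). Also deletes the old Codex description workflow/prompt files and the repository PR template, and adds to the existing Claude workflows a model parameter that can be overridden via `vars.CLAUDE_MODEL` (default `claude-sonnet-4-5-20250929`).
- `ANTHROPIC_API_KEY` (optionally `ANTHROPIC_BASE_URL`); if the default `secrets.GITHUB_TOKEN` is not used, provide `GH_PAT` (the workflow uses `secrets.GITHUB_TOKEN || secrets.GH_PAT`).
- `pull_request_target: opened` trigger), and keep the PR description short/incomplete so that the generation logic is triggered.
- `Claude PR Description` runs successfully, and check whether the PR body was updated to the structured Chinese template; also confirm that the old `Codex PR Description` workflow no longer appears.
- 4. (Optional) Set the repository variable `CLAUDE_MODEL` and verify that the `claude_args` of the other Claude workflows carry that model.
- `pull_request_target` and checks out the PR's `head.sha`, and allows Claude to run `Bash(*)`/`gh pr edit` to rewrite the entire PR body directly; the security policy for contributors from forks or without write access needs to be confirmed (`allowed_non_write_users: "*"`).
- `opened`: subsequent commits (`synchronize`) do not automatically refresh the description, which may leave the description inconsistent with the final code.
- `codex-pr-description`, if branch protection/required checks still reference the old check name, merging may be blocked.
- `.github/pull_request_template.md` may reduce the guidance available when filling in a PR.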