merge queue: embarking main (8f6b016), #2079 and #2083 together#2085
Closed
mergify[bot] wants to merge 7 commits intomainfrom
Closed
merge queue: embarking main (8f6b016), #2079 and #2083 together#2085mergify[bot] wants to merge 7 commits intomainfrom
mergify[bot] wants to merge 7 commits intomainfrom
Conversation
Run the claude-code-action inside a network sandbox to prevent data exfiltration to unauthorized hosts. Two layers of defense: - Squid proxy: L7 domain allowlist (.anthropic.com, .github.com, etc.) - iptables: blocks direct outbound TCP from the runner UID All dependencies (Bun, action node_modules, Claude Code CLI, OIDC token exchange) are pre-installed before lockdown because the action's internal installers use fetch() which ignores HTTP_PROXY. Also switches from --allowedTools to --dangerously-skip-permissions since the network sandbox handles security at the infrastructure level. update claude file with proper container setup fix: shellchecks fix zizmor warning ci(claude): rewrite workflow from template, address PR #1995 security review - Drop action wrapper, run claude CLI directly (avoids MCP stdin blocking) - Remove dead pull_request trigger - Separate GH_TOKEN from system prompt construction step - Tighten iptables: resolve Squid IP dynamically, block UDP/ICMP - Restrict squid allowlist to 3 domains (api.anthropic.com, platform.claude.com, github.com) - Cache Squid Docker image, add iptables save/restore cleanup - Add tracking comment for run visibility - Fix token revocation to use HTTPS_PROXY fix: replace A && B || C with proper if-then-else (SC2015) fix: capture error details instead of silent suppression OIDC exchange and token revocation now log the server response on failure instead of swallowing it with -sf/--silent/2>/dev/null. fix: shellcheck SC2001 and SC2015 in claude workflow Replace sed prompt extraction with parameter expansion (SC2001). chore: harden security practices chore: update claude action from secutiry
Author
🧪 CI InsightsHere's what we observed from your CI run for 84e396c. 🟢 All jobs passed!But CI Insights is watching 👀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
✨ Pull request #2079 which was ahead in the queue has been dequeued (for the following reason:
checks timeout). The pull request #2083 has been re-embarked. ✨Branch main (8f6b016), #2079 and #2083 are embarked together for merge.
This pull request has been created by Mergify to speculatively check the mergeability of #2083.
You don't need to do anything. Mergify will close this pull request automatically when it is complete.
Required conditions of queue
mainfor merge:#approved-reviews-by >= 1[🛡 GitHub branch protection]#changes-requested-reviews-by = 0[🛡 GitHub branch protection]#review-threads-unresolved = 0[🛡 GitHub branch protection]branch-protection-review-decision = APPROVED[🛡 GitHub branch protection]check-success = run-e2e-tests / fhevm-e2e-testcheck-success = common-pull-request/lint (bpr)check-neutral = common-pull-request/lint (bpr)check-skipped = common-pull-request/lint (bpr)check-skipped = coprocessor-cargo-listener-tests/cargo-tests (bpr)check-neutral = coprocessor-cargo-listener-tests/cargo-tests (bpr)check-success = coprocessor-cargo-listener-tests/cargo-tests (bpr)check-skipped = coprocessor-cargo-test/cargo-tests (bpr)check-neutral = coprocessor-cargo-test/cargo-tests (bpr)check-success = coprocessor-cargo-test/cargo-tests (bpr)check-skipped = coprocessor-dependency-analysis/dependencies-check (bpr)check-neutral = coprocessor-dependency-analysis/dependencies-check (bpr)check-success = coprocessor-dependency-analysis/dependencies-check (bpr)check-skipped = gateway-contracts-deployment-tests/sc-deploy (bpr)check-neutral = gateway-contracts-deployment-tests/sc-deploy (bpr)check-success = gateway-contracts-deployment-tests/sc-deploy (bpr)check-skipped = kms-connector-tests/test-connector (bpr)check-neutral = kms-connector-tests/test-connector (bpr)check-success = kms-connector-tests/test-connector (bpr)Required conditions to stay in the queue:
#approved-reviews-by >= 1[🛡 GitHub branch protection]#changes-requested-reviews-by = 0[🛡 GitHub branch protection]#review-threads-unresolved = 0[🛡 GitHub branch protection]base = mainbranch-protection-review-decision = APPROVED[🛡 GitHub branch protection]label!=do-not-mergecheck-success = common-pull-request/lint (bpr)check-neutral = common-pull-request/lint (bpr)check-skipped = common-pull-request/lint (bpr)check-skipped = coprocessor-cargo-listener-tests/cargo-tests (bpr)check-neutral = coprocessor-cargo-listener-tests/cargo-tests (bpr)check-success = coprocessor-cargo-listener-tests/cargo-tests (bpr)check-skipped = coprocessor-cargo-test/cargo-tests (bpr)check-neutral = coprocessor-cargo-test/cargo-tests (bpr)check-success = coprocessor-cargo-test/cargo-tests (bpr)check-skipped = coprocessor-dependency-analysis/dependencies-check (bpr)check-neutral = coprocessor-dependency-analysis/dependencies-check (bpr)check-success = coprocessor-dependency-analysis/dependencies-check (bpr)check-skipped = gateway-contracts-deployment-tests/sc-deploy (bpr)check-neutral = gateway-contracts-deployment-tests/sc-deploy (bpr)check-success = gateway-contracts-deployment-tests/sc-deploy (bpr)check-skipped = kms-connector-tests/test-connector (bpr)check-neutral = kms-connector-tests/test-connector (bpr)check-success = kms-connector-tests/test-connector (bpr)