ci: harden Claude workflows (gate @claude, skip-fork PR review) #15
Merged
Mirrors the hardening applied to mcp-server-synology:

- claude.yml: @claude ran on privileged comment/issue events (secrets, contents: write, PR-head checkout) gated only by sender != Bot + the text "@claude" — so ANY non-bot user could trigger it. Add a per-event author_association gate (OWNER/MEMBER/COLLABORATOR), bound to the actor of the firing event so an untrusted commenter can't pass via a trusted issue author on a maintainer-owned issue/PR.
- claude-review.yml: gate the review job to same-repo PRs (head.repo == this repo). Fork PRs are skipped — no failing check, zero token spend, no secret exposure. Fork review on demand via gated @claude.
Ports the CI hardening from mcp-server-synology to this repo. The workflows here were the same template and carried the same two issues.

1. claude.yml — restrict @claude to trusted users (HIGH)

@claude runs on issue_comment/pull_request_review_comment/pull_request_review/issues — privileged events (default-branch context, secrets, contents: write, PR-head checkout) that are not covered by the fork-PR approval gate. The old if: only required sender != Bot + the text @claude, so any non-bot GitHub user could trigger a secrets-bearing, write-capable run.

Adds a per-event author-association gate (OWNER/MEMBER/COLLABORATOR), bound to the actor of the firing event. The binding is per-event on purpose: an issue_comment payload carries both comment and issue, so a blanket OR would let an untrusted commenter pass via the trusted issue author on a maintainer-owned issue/PR.

2. claude-review.yml — gate review to same-repo PRs

The review job now requires head.repo.full_name == github.repository, so fork PRs are skipped (no failing check, zero token spend, no secret exposure). Same-repo PRs auto-review; fork review is on-demand via the now-gated @claude.

Note on this PR's own check

The review check will 401 (Workflow validation failed) because this PR edits claude-review.yml — by-design anti-tampering, not a real failure; the message itself says to ignore it. Safe to merge despite that one red check.

🤖 Generated with Claude Code
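
The two gates described above, modelled in Python as an added example (not code from this PR or its workflows): it evaluates a blanket-OR association check and the per-event check on constructed webhook payloads, plus the same-repo test for the review job. The function names, the sample payloads and the repository name example-org/example-repo are assumptions.

```python
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}

# Payload object whose author is the actor of each firing event.
ACTOR_OBJECT = {
    "issue_comment": "comment",
    "pull_request_review_comment": "comment",
    "pull_request_review": "review",
    "issues": "issue",
}

def association(payload, key):
    """author_association of one payload object, or None if it is absent."""
    return (payload.get(key) or {}).get("author_association")

def blanket_gate(event_name, payload):
    """Flawed variant: passes if ANY object in the payload has a trusted author."""
    return any(association(payload, k) in TRUSTED for k in ("comment", "review", "issue"))

def per_event_gate(event_name, payload):
    """Checks only the author of the object that fired the event; fails closed."""
    key = ACTOR_OBJECT.get(event_name)
    return key is not None and association(payload, key) in TRUSTED

def same_repo_gate(payload, repository):
    """Review job gate: the PR head must live in this repository, not a fork."""
    head = (payload.get("pull_request") or {}).get("head") or {}
    return (head.get("repo") or {}).get("full_name") == repository

# Constructed payloads (not taken from the PR); repository names are placeholders.
OUTSIDER_ON_OWNER_ISSUE = {
    "comment": {"body": "@claude please look", "author_association": "NONE"},
    "issue": {"author_association": "OWNER"},
}
MEMBER_ON_OUTSIDER_ISSUE = {
    "comment": {"body": "@claude please look", "author_association": "MEMBER"},
    "issue": {"author_association": "NONE"},
}
FORK_PR = {"pull_request": {"head": {"repo": {"full_name": "outside-user/example-repo"}}}}
SAME_REPO_PR = {"pull_request": {"head": {"repo": {"full_name": "example-org/example-repo"}}}}

if __name__ == "__main__":
    for name, p in [("outsider", OUTSIDER_ON_OWNER_ISSUE), ("member", MEMBER_ON_OUTSIDER_ISSUE)]:
        print(name, blanket_gate("issue_comment", p), per_event_gate("issue_comment", p))
    for name, p in [("fork", FORK_PR), ("same-repo", SAME_REPO_PR)]:
        print(name, same_repo_gate(p, "example-org/example-repo"))
```

The outsider payload is the case that separates the two checks: the blanket OR accepts it through the issue author's OWNER association, while the per-event check rejects it because only the comment author is consulted.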