
[Tooling] Secure Claude workflows#533

Open
iangmaia wants to merge 6 commits into trunk from iangmaia/secure-claude-workflows

Conversation

@iangmaia

@iangmaia iangmaia commented Jul 1, 2026


Summary

  • Allow @claude review comments only from trusted commenters and skip Claude workflows on fork/external PRs before checkout or Claude execution.
  • Pin mutable action references and preserve the Claude action's required OIDC permission for GitHub App token exchange.
  • Keep review feedback inline-only where the workflow does not grant issue-comment permissions.

@iangmaia iangmaia self-assigned this Jul 1, 2026
@wpmobilebot

wpmobilebot commented Jul 1, 2026


XCFramework Build

This PR's XCFramework is available for testing. Add the following to your Package.swift:

.package(url: "https://github.com/wordpress-mobile/GutenbergKit", branch: "pr-build/533")

Built from efe6030

@iangmaia iangmaia added the [Type] Enhancement A suggestion for improvement. label Jul 3, 2026
@iangmaia iangmaia requested a review from Copilot July 3, 2026 11:51

Copilot AI left a comment

Contributor


Pull request overview

This PR hardens the claude-review GitHub Actions workflow by preventing Claude from running (and preventing checkout) on fork/external PRs, while also pinning action references and limiting review output to inline comments only.

Changes:

  • Added a “PR origin” check via gh api and gated both checkout and Claude execution to internal PRs only.
  • Pinned actions/checkout and anthropics/claude-code-action to immutable commit SHAs and disabled credential persistence on checkout.
  • Removed top-level PR comment tooling/instructions so the workflow stays inline-only when issue-comment permissions aren’t granted.

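Worked example, added here and not the workflow from this PR or from the GutenbergKit repository: a claude-review job that implements the three controls named in the PR summary and in the review overview above (trusted-commenter gating for @claude comments, a PR-origin check via gh api before checkout or Claude execution, and SHA-pinned actions with credential persistence disabled, keeping the OIDC permission the Claude action needs). The 40-zero action SHAs are placeholders, the `anthropic_api_key` input name and the head/base repository comparison are this example's assumptions, and the set of author_association values treated as trusted is a choice for the repository to make.

```yaml
# Added example (not the workflow from this PR): a hardened claude-review
# job applying the controls described in the PR summary.
name: Claude review (hardened example)

on:
  pull_request:
    types: [opened, synchronize, ready_for_review]
  issue_comment:
    types: [created]

permissions:
  contents: read
  pull-requests: write   # inline review comments only; no issues: write, so no top-level PR comments
  id-token: write        # OIDC: the Claude action exchanges this for a GitHub App token

jobs:
  claude-review:
    # Control 1: on comment events, run only when a trusted commenter mentions
    # @claude on a pull request. OWNER/MEMBER/COLLABORATOR are GitHub's
    # author_association values; which roles count as trusted is an assumption.
    if: >-
      github.event_name == 'pull_request' ||
      (github.event_name == 'issue_comment' &&
       github.event.issue.pull_request != null &&
       contains(github.event.comment.body, '@claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
    runs-on: ubuntu-latest
    steps:
      # Control 2: resolve the PR origin through the API before any checkout,
      # so fork/external PRs never reach checkout or Claude execution.
      - name: Check PR origin
        id: origin
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
        run: |
          set -euo pipefail
          # "internal" is true only when head and base are the same repository.
          # .head.repo is null when a fork was deleted; that counts as external.
          internal=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" \
            --jq '(.head.repo.full_name // "") == .base.repo.full_name')
          echo "internal=${internal}" >> "$GITHUB_OUTPUT"
          echo "PR #${PR_NUMBER} internal=${internal}"

      # Control 3: pin actions to full commit SHAs (placeholders below) and do
      # not leave the token in .git/config for later steps to read.
      - name: Checkout
        if: steps.origin.outputs.internal == 'true'
        uses: actions/checkout@0000000000000000000000000000000000000000 # PLACEHOLDER: replace with the real 40-char SHA, note the tag in a comment
        with:
          persist-credentials: false

      - name: Run Claude review (inline comments only)
        if: steps.origin.outputs.internal == 'true'
        uses: anthropics/claude-code-action@0000000000000000000000000000000000000000 # PLACEHOLDER SHA
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}  # assumed input name
```

The origin check matters most on the issue_comment path: a `pull_request` run from a fork already gets a read-only token and no `id-token`, so it would fail on its own, but an `issue_comment` run executes in the base repository with the workflow's full permissions, and checking out fork-controlled code there would hand those permissions to whatever the checkout contains. Doing the `gh api` lookup in a step with nothing checked out keeps the decision independent of the PR's contents, and `persist-credentials: false` means that even an internal checkout does not leave a usable token behind for a later step.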

Comment thread .github/workflows/claude-review.yml Outdated
@iangmaia iangmaia force-pushed the iangmaia/secure-claude-workflows branch from 31cf2fb to efe6030 Compare July 3, 2026 13:55
@iangmaia iangmaia marked this pull request as ready for review July 3, 2026 13:55
@iangmaia iangmaia requested a review from a team as a code owner July 3, 2026 13:55
@iangmaia iangmaia requested a review from dcalhoun July 3, 2026 13:55
@iangmaia iangmaia changed the title Secure Claude workflows [Tooling] Secure Claude workflows Jul 3, 2026
@iangmaia iangmaia added the [Type] Build Tooling Issues or PRs related to build tooling label Jul 3, 2026