Skip to content

[Tooling] Secure Claude workflows#23056

Open
iangmaia wants to merge 5 commits into
trunkfrom
iangmaia/secure-claude-workflows
Open

[Tooling] Secure Claude workflows#23056
iangmaia wants to merge 5 commits into
trunkfrom
iangmaia/secure-claude-workflows

Conversation

@iangmaia

@iangmaia iangmaia commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Allow @claude review comments only from trusted commenters and skip Claude workflows on fork/external PRs before checkout or Claude execution.
  • Pin mutable action references and preserve the Claude action's required OIDC permission for GitHub App token exchange.
  • Keep review feedback inline-only where the workflow does not grant issue-comment permissions.

@iangmaia iangmaia self-assigned this Jul 1, 2026
@dangermattic

dangermattic commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator
1 Warning
⚠️ PR is not assigned to a milestone.

Generated by 🚫 Danger

@wpmobilebot

wpmobilebot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

App Icon📲 You can test the changes from this Pull Request in WordPress Android by scanning the QR code below to install the corresponding build.

App NameWordPress Android
Build TypeDebug
Versionpr23056-7bd88fa
Build Number1498
Application IDorg.wordpress.android.prealpha
Commit7bd88fa
Installation URL4vq3cfqloqkh0
Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

@wpmobilebot

wpmobilebot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

App Icon📲 You can test the changes from this Pull Request in Jetpack Android by scanning the QR code below to install the corresponding build.

App NameJetpack Android
Build TypeDebug
Versionpr23056-7bd88fa
Build Number1498
Application IDcom.jetpack.android.prealpha
Commit7bd88fa
Installation URL1kg1dkvd03k00
Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the claude-review GitHub Actions workflow to reduce exposure when triggered via issue_comment by ensuring Claude and checkout do not run for external/fork PRs, while also pinning action references and constraining review output to inline-only.

Changes:

  • Adds an early PR-origin check (via gh api) and gates both checkout and Claude execution to internal PRs only.
  • Pins actions/checkout and anthropics/claude-code-action to immutable SHAs and disables credential persistence on checkout.
  • Updates the Claude prompt/tooling to use the issue_comment PR number and removes top-level PR commenting capability.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/claude-review.yml
@iangmaia iangmaia force-pushed the iangmaia/secure-claude-workflows branch from 7e96ab4 to 7bd88fa Compare July 3, 2026 13:56
@iangmaia iangmaia changed the title Secure Claude workflows [Tooling] Secure Claude workflows Jul 3, 2026
@iangmaia iangmaia marked this pull request as ready for review July 3, 2026 14:02
@iangmaia iangmaia requested a review from a team as a code owner July 3, 2026 14:02
@iangmaia iangmaia requested a review from wzieba July 3, 2026 14:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants