Skip to content

[Tooling] Secure Claude workflows#25724

Open
iangmaia wants to merge 5 commits into
trunkfrom
iangmaia/secure-claude-workflows
Open

[Tooling] Secure Claude workflows#25724
iangmaia wants to merge 5 commits into
trunkfrom
iangmaia/secure-claude-workflows

Conversation

@iangmaia

@iangmaia iangmaia commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Allow @claude review comments only from trusted commenters and skip Claude workflows on fork/external PRs before checkout or Claude execution.
  • Pin mutable action references and preserve the Claude action's required OIDC permission for GitHub App token exchange.
  • Keep review feedback inline-only where the workflow does not grant issue-comment permissions.

@iangmaia iangmaia self-assigned this Jul 1, 2026
@dangermattic

Copy link
Copy Markdown
Collaborator
1 Message
📖 This PR is still a Draft: some checks will be skipped.

Generated by 🚫 Danger

@wpmobilebot

wpmobilebot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor
App Icon📲 You can test the changes from this Pull Request in WordPress by scanning the QR code below to install the corresponding build.
App NameWordPress
ConfigurationRelease-Alpha
Build Number32987
VersionPR #25724
Bundle IDorg.wordpress.alpha
Commite9bbc4e
Installation URL48khpfb2nqu7o
Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

@wpmobilebot

wpmobilebot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor
App Icon📲 You can test the changes from this Pull Request in Jetpack by scanning the QR code below to install the corresponding build.
App NameJetpack
ConfigurationRelease-Alpha
Build Number32987
VersionPR #25724
Bundle IDcom.jetpack.alpha
Commite9bbc4e
Installation URL3up2eividgr9g
Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the claude-review GitHub Actions workflow by preventing Claude execution (and repository checkout) on external/fork PRs, and by pinning action references to immutable SHAs. This keeps the automated review surface area smaller for untrusted issue_comment events while maintaining inline-only review behavior.

Changes:

  • Add a pre-check step that queries the PR’s head repository and skips the workflow for external/fork PRs before checkout/Claude execution.
  • Pin actions/checkout and anthropics/claude-code-action to specific commit SHAs, and disable credential persistence on checkout.
  • Update the prompt/input wiring for issue_comment events and restrict Claude’s allowed tools to inline-only feedback.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/claude-review.yml
@iangmaia iangmaia force-pushed the iangmaia/secure-claude-workflows branch from e03cd09 to e9bbc4e Compare July 3, 2026 14:03
@iangmaia iangmaia changed the title Secure Claude workflows [Tooling] Secure Claude workflows Jul 3, 2026
@iangmaia iangmaia added Tooling Build, Release, and Validation Tools [Type] Tooling labels Jul 3, 2026
@iangmaia iangmaia marked this pull request as ready for review July 3, 2026 14:04
@iangmaia iangmaia requested a review from a team as a code owner July 3, 2026 14:04
@iangmaia iangmaia requested a review from wzieba July 3, 2026 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Tooling Build, Release, and Validation Tools [Type] Tooling

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants