-
Notifications
You must be signed in to change notification settings - Fork 114
Fix Claude Review error #100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -108,6 +108,7 @@ jobs: | |||||
| with: | ||||||
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | ||||||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||||||
| allowed_non_write_users: "*" | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Setting Useful? React with 👍 / 👎. |
||||||
|
|
||||||
| # Enable progress tracking and show full Claude output in logs | ||||||
| track_progress: true | ||||||
|
|
@@ -148,4 +149,4 @@ jobs: | |||||
|
|
||||||
| # Restrict tools that Claude can use during the review | ||||||
| claude_args: | | ||||||
| --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)" | ||||||
| --allowedTools "mcp__github__,mcp__github_inline_comment__,Bash(gh)" | ||||||
|
||||||
| --allowedTools "mcp__github__,mcp__github_inline_comment__,Bash(gh)" | |
| --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh(pr comment,pr diff,pr view))" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Restrict Claude Bash access to specific gh subcommands
In the workflow section I inspected (.github/workflows/claude-review.yml), changing --allowedTools to Bash(gh) grants Claude access to run any GitHub CLI command, while this job’s token still has pull-requests: write, issues: write, and actions: write. That materially expands the blast radius from “review/comment” into repository mutation if the model is steered by untrusted PR content or prompt injection; the allowlist should stay scoped to the minimal gh subcommands required for review.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Setting allowed_non_write_users to "*" allows anyone (including external contributors without write access) to trigger Claude code reviews by mentioning
@claudein comments. This could enable malicious actors to:If this is intentional for an open-source project, consider adding rate limiting or restricting this to specific users/organizations instead of a wildcard. If not intentional, remove this line to use the default behavior which typically restricts triggering to users with write access.