Skip to content

Fix Claude workflow scope for pushing workflow files #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jonathanpopham merged 1 commit into from
Mar 3, 2026
Merged

Fix Claude workflow scope for pushing workflow files #13

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/claude.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ jobs:
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
github_token: ${{ secrets.BOT_TOKEN }}
Copy link

@coderabbitai coderabbitai bot Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/claude.yml | head -80

Repository: supermodeltools/supermodeltools.github.io

Length of output: 2034

🏁 Script executed:

grep -A 20 "^jobs:" .github/workflows/claude.yml | head -30

Repository: supermodeltools/supermodeltools.github.io

Length of output: 864

Gate this workflow to trusted authors—anyone can trigger it right now.

Your workflow runs on user comments (issue_comment, pull_request_review_comment, etc.), and right now any random person can write @claude in an issue to trigger it. The job then runs with write permissions and passes your BOT_TOKEN secret to the Claude action. That's risky.

Think of it like this: you're telling a stranger "Hey, anytime you write a magic word, my bot will show up and do stuff with full write access to my repo."

The fix is simple—add a trust check to the job condition. GitHub gives us the author_association field for exactly this purpose. It tells us if the commenter is the owner, a team member, a collaborator, or a random public person.

Add author trust check to the job condition 
 jobs:
   claude:
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      (github.event_name == 'issue_comment' &&
+       contains(github.event.comment.body, '@claude') &&
+       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review_comment' &&
+       contains(github.event.comment.body, '@claude') &&
+       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review' &&
+       contains(github.event.review.body, '@claude') &&
+       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
+      (github.event_name == 'issues' &&
+       (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml at line 38, Add a job-level trust check so the
workflow only runs for trusted commenters instead of any user; update the job
that uses the BOT_TOKEN/github_token to include an if: condition checking the
event commenter’s author_association (e.g., use
contains('OWNER,CONTRIBUTOR,COLLABORATOR,MEMBER',
github.event.comment.author_association) or equivalent) so only those
associations can trigger the job, and keep the existing github_token: ${{
secrets.BOT_TOKEN }} usage unchanged.

allowed_bots: "claude[bot]"
additional_permissions: |
actions: read
Expand Down