Add agent-approval-check composite action #1429

Open: km-anthropic wants to merge 10 commits into main from kashyap/agent-approval-check

@km-anthropic km-anthropic commented Jun 23, 2026

Collaborator

What this does

Adds agent-approval-check: a composite action that requires N human approvals on any PR containing agent-authored commits (Claude / Claude Code / any configured bot). It posts an agent-approval-check commit status that repos mark as a required check on protected branches; PRs without agent activity pass through untouched.

Users drop one workflow file into .github/workflows/ (see examples/agent-approval-check.yml) and add the status to branch protection.

Why

We want a drop-in answer to "how do I make sure a human reviewed what Claude pushed before it merges." This is the gate Anthropic already runs internally on every agent-authored PR.

What changed

agent-approval-check/
  action.yml                     composite wrapper (setup-python → pip install → run)
  agent_approval_check.py        sanitized port of the internal check (~1760 LoC)
  agent-identities.example.yaml  optional config-file form of the inputs
  README.md                      setup, inputs, approving, threat model
examples/agent-approval-check.yml  one-file user workflow

Security-load-bearing logic kept verbatim: agent detection (committer email ∪ PR-author login ∪ agent-submitted APPROVED review), /approve <sha> parsing pinned to head, dedup'd approver counting, the sibling-PR-same-SHA guard, >250-commit fail-closed, and exit-nonzero-on-error.

How we know it works

A pre-publish secret/internal-reference scan came back clean (no internal hostnames, links, tokens, or package imports).

After merge

  • Tag agent-approval-check-v1 (or fold into the next action release tag).
  • Link from the Claude Code GitHub-integration docs as the recommended guard for agent-authored PRs.

🤖 Generated with Claude Code
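
An added illustration of the gate logic the description lists (union-based agent detection, /approve <sha> pinned to head, dedup'd approver counting, >250-commit fail-closed). This is not the PR's agent_approval_check.py; the dict shapes, function names and sample identities are assumptions made for the example.

```python
import re

MAX_COMMITS = 250  # PR description: more than 250 commits fails closed
# Assumption: only a full 40-hex SHA alone on a "/approve" line counts.
APPROVE_RE = re.compile(r"^/approve[ \t]+([0-9a-fA-F]{40})[ \t]*$", re.MULTILINE)

def has_agent_activity(pr, agent_emails, agent_logins):
    """Union of the three signals: committer email, PR author, agent APPROVED review."""
    return (
        any(e.lower() in agent_emails for e in pr["committer_emails"])
        or pr["author"].lower() in agent_logins
        or any(r.lower() in agent_logins for r in pr["approved_review_logins"])
    )

def human_approvers(comments, head_sha, agent_logins):
    """Distinct non-agent logins whose /approve names the current head SHA."""
    approvers = set()
    for c in comments:
        login = c["login"].lower()
        if login in agent_logins:
            continue  # assumption: agent identities never count as approvers
        shas = {m.lower() for m in APPROVE_RE.findall(c["body"])}
        if head_sha.lower() in shas:
            approvers.add(login)  # the set dedups repeat approvals by one user
    return approvers

def evaluate(pr, comments, agent_emails, agent_logins, required=1):
    """Return (state, description) for the commit status."""
    if required < 1:
        raise ValueError("required approvals must be >= 1")
    if pr["commit_count"] > MAX_COMMITS:
        return ("failure", "too many commits to inspect; failing closed")
    if not has_agent_activity(pr, agent_emails, agent_logins):
        return ("success", "no agent activity")
    n = len(human_approvers(comments, pr["head_sha"], agent_logins))
    state = "success" if n >= required else "failure"
    return (state, f"{n}/{required} human approvals on {pr['head_sha'][:7]}")

# Constructed sample data (not from the PR).
HEAD, STALE = "a" * 40, "b" * 40
AGENT_EMAILS, AGENT_LOGINS = {"noreply@anthropic.com"}, {"claude[bot]"}
PR = {"author": "alice", "head_sha": HEAD, "commit_count": 3,
      "committer_emails": ["alice@example.com", "noreply@anthropic.com"],
      "approved_review_logins": []}
COMMENTS = [
    {"login": "bob", "body": f"/approve {STALE}"},         # names an older head
    {"login": "carol", "body": f"LGTM\n/approve {HEAD}"},  # counts
    {"login": "Carol", "body": f"/approve {HEAD}"},        # same approver again
    {"login": "claude[bot]", "body": f"/approve {HEAD}"},  # agent identity
]
```

With the sample data, only carol's approval counts: bob approved a SHA that is no longer head, and a new push would invalidate carol's approval the same way.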

Require N human approvals on PRs that contain agent-authored commits.
Posts an agent-approval-check commit status that repos mark as a
required check on protected branches.

This is a sanitized port of the check Anthropic runs internally on
every agent-authored PR — same detection rules, /approve <sha>
comment flow, sibling-PR-same-SHA guard, and fail-closed semantics,
with the Anthropic-specific path exemptions and kill-switch removed
and config moved to action inputs.

Co-Authored-By: Claude <noreply@anthropic.com>
@km-anthropic km-anthropic marked this pull request as ready for review June 23, 2026 08:05
@km-anthropic km-anthropic enabled auto-merge (squash) June 23, 2026 08:12
…ation + doc fixes

🏠 Remote-Dev: homespace
OctavianGuzu
OctavianGuzu previously approved these changes Jun 23, 2026
🏠 Remote-Dev: homespace
…its(last:100); docstring

🏠 Remote-Dev: homespace
…r and correct threat-model docs

🏠 Remote-Dev: homespace
…cstring API-call count

🏠 Remote-Dev: homespace
…dge; drop stale 'reviewed' from README

🏠 Remote-Dev: homespace
…fy author write-access requirement in README

🏠 Remote-Dev: homespace
…ass); validate REQUIRED_APPROVALS>=1; exempt_head_branches warning

🏠 Remote-Dev: homespace

@bboswell-ant bboswell-ant left a comment

Seems like it might be worth shipping this with an example folder that contains safe and secure usage examples. A few security risks/foot guns are in here as it sits:

  • We default a few things to unsafe states and leave comments for users to fix it with no guidance.
    • action.yml (27-31)
    • README.md (82)
  • We don't provide unit tests across any of the logic that's independent of the api layer.
  • We don't have safe dependency management (see comments).

if: github.event_name != 'issue_comment' || github.event.issue.pull_request
runs-on: ubuntu-latest
steps:
- uses: anthropics/claude-code-action/agent-approval-check@main
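
Review bot: The `uses:` line at the end of this snippet tracks `@main`, so every run executes whatever is on that branch at the time. In the example workflow, reference a full commit SHA with the release tag as a trailing comment, in the same style as the setup-python pin elsewhere in this PR, e.g. `- uses: anthropics/claude-code-action/agent-approval-check@<full-commit-sha> # agent-approval-check-v1`, and say in the README how to update the pin.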

This is a mutable reference that pulls in and runs code in the user's environment with write permissions to their environment.

  • Upside, users get the latest version of what's in main by default. Self patching, always up to date.
  • Downside, as we've seen, this pattern with libraries as static imports opens the door to malicious code. In this case it's malicious code with write access to their environment.

Probably worth a comment and an example line for how to pin this and to control this as users would with any other code resource.

- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.12"
- run: pip install 'httpx==0.28.1' 'pyyaml==6.0.3' 'tenacity==9.1.4'
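
Review bot: The `pip install` line pins three versions but no artifact hashes, and the packages those three depend on are still resolved at install time. Move the pins into a requirements file committed with the action, with `--hash=sha256:...` entries for every package including transitive ones, and install with `pip install --require-hashes -r <that file>`.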

These are 3 pretty common libraries that could/should be hash pinned for the commit given that we're fully specifying the semantic version.

@arian-gogani

the agent-authored commit detection is the right gate — human approval before merge for agent work.

one layer worth adding alongside the N-approvals gate: a verifiable audit trail proving what the agent actually did during the PR, not just that humans approved it. the approval proves humans were asked; the receipt proves what they were approving.

the gap: if Claude authored 50 commits, the approval check confirms N humans approved the PR. it doesn't provide a tamper-evident record of which tool calls Claude made, what scope they operated within, and whether the commits match what was approved.

the receipt layer for claude-code-action: each tool call (file write, shell command, API call) produces a signed receipt before and after execution. the receipt chain for the PR is exportable and verifiable by any reviewer against the public key — no GitHub infrastructure required.

action_ref = SHA-256(JCS({agent_id, action_type, scope, timestamp_ms})) — the agent_id maps to the Claude model + session, action_type is the tool name, scope is the file path or resource. a security reviewer can verify: 'did Claude only touch the files it said it would, in the scope it was given?'

pip install nobulex — bilateral receipt shape in agentrust-io/integrations#6. this composes with the approval gate: approval checks human sign-off, receipts check agent scope compliance.
