Merged
18 changes: 6 additions & 12 deletions .github/workflows/claude-code-review.yml
@@ -1,7 +1,7 @@
name: Claude Code Review

on:
pull_request_target:
pull_request:
types: [opened]
# Optional: Only run on specific file changes
# paths:
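Review bot: The swap from `pull_request_target` to `pull_request` in the `on:` block is the security-relevant change of this file and deserves a one-line `#` comment so it is not reverted later. This workflow feeds PR content, which the PR author controls, to an agent with tool access; under `pull_request_target` that job would run in the base repository's context with its secrets and a write-capable `GITHUB_TOKEN`, whereas under `pull_request` a PR from a fork receives no secrets, so `secrets.CLAUDE_TOKEN` is empty there and the step fails closed instead of exposing the key. Note also that `types: [opened]` is kept, so later pushes to the PR do not re-run the review; fine if that is intended.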
Expand All @@ -14,14 +14,7 @@ jobs:
claude-review:
if: |
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'OWNER' ||
github.event.pull_request.author_association == 'CONTRIBUTOR'
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
github.event.pull_request.author_association == 'OWNER'

runs-on: ubuntu-latest
permissions:
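Review bot: The `if:` condition now admits only `github.event.pull_request.author_association == 'OWNER'`, dropping MEMBER, COLLABORATOR and CONTRIBUTOR along with the commented-out "Filter by PR author" block. That is the conservative choice for a job that runs an agent with a `gh pr comment` tool, but it means no PR from anyone other than a repository owner gets a review, and nothing in the file says that this is the trust boundary. Suggest a short comment above the condition stating why the list was reduced (the agent acts on PR text, so only fully trusted authors should be able to trigger it), so the next person does not quietly add CONTRIBUTOR back.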
Expand All @@ -37,11 +30,12 @@ jobs:

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@26ec041249acb0a944c0a47b6c0c13f05dbc5b44 # v1
uses: anthropics/claude-code-action@3ac52d0da9f8ec9ca7b4dc23bb477e36ef9c77a9 # v1.0.79
env:
CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: '1'
Member
Can you add a comment explaining what this does?

Contributor Author
Updated to the right version; the hash should be 3ac52d0da9f8ec9ca7b4dc23bb477e36ef9c77a9 for 1.0.79: anthropics/claude-code-action@3ac52d0

Member
Oh, I meant, what is CLAUDE_CODE_SUBPROCESS_ENV_SCRUB? I don't want someone turning it off in the future.

with:
anthropic_api_key: ${{ secrets.CLAUDE_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
allowed_non_write_users: ${{ github.event.pull_request.user.login }}
prompt: |
REPO: ${{ github.repository }}
PR NUMBER: ${{ github.event.pull_request.number }}
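Review bot: `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: '1'` is added with no explanation, which is exactly what the thread above asks for. Add a `#` comment on the line saying what it does (from the name, it keeps the step's environment from being inherited by subprocesses the agent spawns; the action docs linked further down in the file should be cited to confirm) and that it must stay enabled. Two smaller points in the same hunk: the pin comment changed from `# v1` to `# v1.0.79`, which is an improvement because the comment now names the version the SHA actually corresponds to, so keep it in sync on future bumps; and the unchanged `allowed_non_write_users: ${{ github.event.pull_request.user.login }}` grants the PR author the run's tool permissions regardless of repository access, which is only safe because the job is gated to OWNER above, so that dependency is worth stating in the comment as well.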
Expand All @@ -68,5 +62,5 @@ jobs:
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
claude_args: |
--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"
--allowed-tools "Bash(gh pr comment ${{ github.event.pull_request.number }}:*),Bash(gh pr diff ${{ github.event.pull_request.number }}:*),Bash(gh pr view ${{ github.event.pull_request.number }}:*)"
Member
Hmm, restricting comment seems fine. The rest are all read-only and it's a public repo, right? Would these be a problem?

That being said, I don't really see why it would need to see other PRs or issues. I guess the only case I can think of is when a PR is built for an issue and references back to it (e.g. "closes 5472 see issue for rationale").

Contributor Author
The risk is that other PRs/comments could be used for prompt injection. For sure this limits the value of Claude Code to a small context of the PR. 🤷🏻‍♂️

--model "claude-opus-4-6"
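Review bot: The reasoning behind the narrowed `--allowed-tools` list (other issues and PRs are untrusted text that can carry prompt injection, as the author says in the thread) should live in a `#` comment next to the line, otherwise the dropped `gh issue view`, `gh search`, `gh issue list` and `gh pr list` entries will look like an oversight and get restored. Binding each remaining tool to `${{ github.event.pull_request.number }}` is sound because the number is an integer rather than author-controlled text, so interpolating it into `claude_args` cannot inject extra arguments. One check before merging: `:*` is a prefix match, so confirm that `Bash(gh pr view <N>:*)` cannot also admit a command for a longer PR number that shares the same leading digits; if the matcher is a plain string prefix, that gap needs closing.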