|
12 | 12 |
|
13 | 13 | jobs: |
14 | 14 | claude: |
| 15 | + # Only allow trusted actors (OWNER, MEMBER, COLLABORATOR) to trigger Claude with write permissions |
15 | 16 | if: | |
16 | 17 | (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') && |
17 | | - (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) || |
| 18 | + contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) || |
18 | 19 | (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') && |
19 | | - (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) || |
| 20 | + contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) || |
20 | 21 | (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && |
21 | | - (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'COLLABORATOR')) || |
22 | | - (github.event_name == 'issues' && |
23 | | - (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && |
24 | | - (github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'COLLABORATOR')) |
| 22 | + contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)) || |
| 23 | + (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && |
| 24 | + contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association)) |
25 | 25 | runs-on: ubuntu-latest |
26 | 26 | permissions: |
27 | | - contents: write |
28 | | - pull-requests: write |
29 | | - issues: write |
| 27 | + contents: write # Allow creating branches/commits |
| 28 | + pull-requests: write # Allow pushing to PR branches |
| 29 | + issues: write # Allow updating issue comments |
30 | 30 | id-token: write |
31 | | - actions: read |
| 31 | + actions: read # Required for Claude to read CI results on PRs |
32 | 32 | steps: |
33 | 33 | - name: Checkout repository |
34 | 34 | uses: actions/checkout@v4 |
35 | 35 | with: |
36 | | - fetch-depth: 0 |
| 36 | + fetch-depth: 0 # Full history for git operations |
37 | 37 |
|
38 | 38 | - name: Run Claude Code |
39 | 39 | id: claude |
40 | 40 | uses: anthropics/claude-code-action@v1 |
41 | 41 | with: |
42 | 42 | claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
43 | | - use_api_for_commits: true |
| 43 | + |
| 44 | + # This is an optional setting that allows Claude to read CI results on PRs |
44 | 45 | additional_permissions: | |
45 | 46 | actions: read |
| 47 | +
|
| 48 | + # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it. |
| 49 | + # prompt: 'Update the pull request description to include a summary of changes.' |
| 50 | + |
| 51 | + # Optional: Add claude_args to customize behavior and configuration |
| 52 | + # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md |
| 53 | + # or https://code.claude.com/docs/en/cli-reference for available options |
| 54 | + # claude_args: '--allowed-tools Bash(gh pr:*)' |
0 commit comments