Standardize Claude GitHub Action workflow #43
Adds (or replaces) .github/workflows/claude.yaml with the canonical workflow from chriscalo/dev-skills:skills/github/claude-action-workflow.yaml. Tool policy: --allowedTools "Read,Grep,Glob,Edit,Write,Skill,Task,Agent,Bash(*),WebFetch,WebSearch" with a targeted --disallowedTools list (force-push, push-to-main, branch/repo/release delete, mutating gh api, npm publish, gh secret/auth ops). See chriscalo/dev-skills:skills/github/claude-action.md section 'Tool policy' for rationale.
Pull request overview
This PR replaces/updates .github/workflows/claude.yaml to match a canonical “Claude” GitHub Action workflow, aiming to standardize event handling, editor-only gating, and the agent tool policy.
Changes:
- Splits the workflow into a gate job (editor permission check) and a claude job that only runs when the actor is confirmed to be an editor.
- Adds an upload-image helper installation step intended to enable embedding images in GitHub markdown via an R2-backed upload.
- Expands the Claude tool policy (--allowedTools/--disallowedTools) to include additional tool categories and tighter git-push restrictions.
Comments suppressed due to low confidence (1)
.github/workflows/claude.yaml:56
- The gh api permission check treats any API error as perm=none (2>/dev/null || echo "none"), which can silently disable the workflow for everyone if github.token lacks the permissions required by repos/.../collaborators/<user>/permission (or if the API call fails for transient reasons). It would be safer to (1) explicitly declare the minimal permissions: needed for this gate job, and (2) distinguish "not a collaborator" from "API/auth failure" so misconfiguration doesn't look like a normal skip.
run: |
  actor="${{ github.actor }}"
  perm=$(gh api \
    "repos/${{ github.repository }}/collaborators/$actor/permission" \
    --jq '.permission' 2>/dev/null || echo "none")
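The separation the comment above asks for, as an added example (not the PR's workflow or the dev-skills canonical file): a gate script that keeps API or auth failures distinct from a plain "not a collaborator" result, so a misconfigured token fails the step instead of silently skipping the claude job. GATE_LOOKUP, gate_decision and is_editor are hypothetical names; the script assumes the lookup prints the permission string and exits non-zero only on API or auth errors.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow: an editor gate that tells "not a
# collaborator" apart from "API/auth failure" instead of collapsing both to
# perm=none. Assumption: the lookup prints a permission string ("admin",
# "write", "read", "none") and exits non-zero only when the API call or its
# auth fails. GATE_LOOKUP is a hypothetical hook that lets the gh call be
# replaced by any command or function for offline use.

lookup_permission() {  # USER -> permission string on stdout
  if [ -n "${GATE_LOOKUP:-}" ]; then
    "$GATE_LOOKUP" "$1"
  else
    gh api "repos/${GITHUB_REPOSITORY:?}/collaborators/$1/permission" --jq '.permission'
  fi
}

gate_decision() {  # USER -> allow | deny | error
  perm=""
  if ! perm=$(lookup_permission "$1" 2>/dev/null); then
    echo "error"  # token lacks permission, 5xx, network: not a normal skip
    return 0
  fi
  case "$perm" in
    admin|maintain|write) echo "allow" ;;
    *) echo "deny" ;;  # read, triage, none, or anything unexpected
  esac
}

is_editor() { [ "$1" = "allow" ] && echo "true" || echo "false"; }  # job output value

# Job wiring (hypothetical): run as `gate.sh --gate` in the gate step. An
# "error" fails the step loudly instead of letting the claude job be skipped.
if [ "${1:-}" = "--gate" ]; then
  decision=$(gate_decision "${GITHUB_ACTOR:?}")
  if [ "$decision" = "error" ]; then
    echo "::error::collaborator permission lookup failed; check the token's permissions" >&2
    exit 1
  fi
  echo "is_editor=$(is_editor "$decision")" >> "${GITHUB_OUTPUT:?}"
fi
```

The claude job would then gate on `needs.gate.outputs.is_editor == 'true'`, while a lookup failure shows up as a red gate step rather than a silent skip.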
creds_file="$RUNNER_TEMP/.upload-image-creds"
if [ -n "${R2_ACCOUNT_ID:-}" ] \
  && [ -n "${R2_ACCESS_KEY_ID:-}" ] \
  && [ -n "${R2_SECRET_ACCESS_KEY:-}" ]; then
  umask 077
Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6cee6d589d
  printf 'AWS_ACCESS_KEY_ID=%q\n' "$R2_ACCESS_KEY_ID"
  printf 'AWS_SECRET_ACCESS_KEY=%q\n' "$R2_SECRET_ACCESS_KEY"
  printf 'AWS_DEFAULT_REGION=auto\n'
  printf 'R2_ACCOUNT_ID=%q\n' "$R2_ACCOUNT_ID"
} > "$creds_file"
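Review bot: the %q format in these printf lines emits bash-specific quoting (backslash escapes, or $'...' for control characters), so the file only round-trips correctly if upload-image sources it in bash; a consumer that parses it as a plain KEY=VALUE dotenv would see the escaped form of any secret containing spaces, quotes or backslashes. Either document that the file is bash-sourced or write the values in the exact syntax the helper parses.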
Avoid persisting R2 secrets where Claude can read them
This step writes long-lived R2 credentials to $RUNNER_TEMP/.upload-image-creds and later runs anthropics/claude-code-action in the same job, where Claude is allowed to execute arbitrary Bash(*). File mode 600 does not protect against this because subsequent steps run as the same runner user, so a prompt-injected run can still cat the creds file and exfiltrate cloud keys in comments/logs. This is a new secret-exposure path introduced by the helper and should be removed or isolated from the Claude execution context.
Adds (or replaces) .github/workflows/claude.yaml with the canonical workflow from chriscalo/dev-skills.
Tool policy: --allowedTools "Read,Grep,Glob,Edit,Write,Skill,Task,Agent,Bash(*),WebFetch,WebSearch" with a targeted --disallowedTools list. See claude-action.md "Tool policy" for rationale.
Future drift can be detected via sync-claude-action.sh audit OWNER/REPO.