feat: label-gated issue-to-PR workflow with injection hardening #693
Conversation
Lightheartdevs left a comment
Audit Review
Best injection hardening of the three AI workflow PRs. The 4-job pipeline (validate -> implement -> guardrails -> create-pr) is well-designed.
Required: Pin @anthropic-ai/claude-code version
npx -y @anthropic-ai/claude-code in the implement job has no version specifier. Same supply chain risk as #692 — a compromised npm package gets arbitrary code execution with ANTHROPIC_API_KEY.
Fix: Pin to a specific version, e.g., npx -y @anthropic-ai/claude-code@0.2.72
Medium: Replace Bash(cat/head/tail/find *) with Read tool
The --allowedTools list includes Bash(cat *), Bash(head *), Bash(tail *), Bash(find *). While GITHUB_TOKEN is not in Claude's env (good isolation), these can still read files on the runner filesystem. Claude Code has a dedicated Read tool that's safer — replace the Bash file-reading tools with it.
Required: Remove gpu.py change
Same fix present in #691 and #692. PR #715 already merged this. Remove to avoid conflicts.
Good — injection defense is solid
- Anti-injection preamble before issue body
- Issue body truncated to 4000 chars
- GITHUB_TOKEN NOT in Claude's env — only ANTHROPIC_API_KEY and issue metadata
- gh CLI not in --allowedTools — Claude can't use GitHub API
- Guardrails job: protected file revert, secret scanning (API keys, AWS keys, GitHub tokens, passwords), 1000-line diff size gate, Python/Shell syntax validation
- Output always draft PR + needs-human-review + ai-generated labels
- Duplicate PR detection before starting
- All actions SHA-pinned
- GITHUB_TOKEN for PR creation (no recursion)
- Label-gated — only maintainers can trigger via ai-implement label
- 4000-char truncation on issue body
- --max-turns 15 cap
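The guardrails job the review lists above (secret scanning, the 1000-line diff size gate, protected-file detection) as an added example, not the workflow's own code from this PR: POSIX shell functions over a unified diff, the form a run: step in such a job would take. The secret patterns cover the token families the review and the later commits in this PR name (API keys, AWS keys, GitHub tokens including OAuth/fine-grained, GitLab PATs, PEM private keys, passwords); the exact regexes, the protected-path list, the function names and the sample diff are assumptions constructed for the example. Only added lines are scanned, so a credential that was already in the repository before the patch is not attributed to it.

```shell
#!/bin/sh
# Added example, not the workflow from PR #693: the guardrail checks the review
# describes, as POSIX shell functions over a unified diff. The regexes, threshold,
# protected-path list, function names and sample diff are constructed assumptions.
set -u

MAX_DIFF_LINES=1000
PROTECTED_PATHS='.github/workflows/ .github/scripts/ requirements.txt'   # assumed
PATTERNS_FILE="${TMPDIR:-/tmp}/guardrail-patterns.$$"
SAMPLE_DIFF="${TMPDIR:-/tmp}/guardrail-sample.$$.diff"
trap 'rm -f "$PATTERNS_FILE" "$SAMPLE_DIFF"' EXIT

# Credential shapes to reject: AWS access key ids, GitHub tokens (ghp_/gho_/ghu_/
# ghs_/ghr_, fine-grained github_pat_), GitLab PATs, PEM keys, quoted password/
# secret/api-key assignments. Matched case-insensitively against added lines.
cat >"$PATTERNS_FILE" <<'EOF'
AKIA[0-9A-Z]{16}
gh[pousr]_[A-Za-z0-9]{36}
github_pat_[A-Za-z0-9_]{22,}
glpat-[A-Za-z0-9_-]{20}
-----BEGIN( [A-Z]+)? PRIVATE KEY-----
(password|passwd|secret|api[_-]?key)[[:space:]]*[=:][[:space:]]*["'][^"']{8,}
EOF

# Constructed patch: hardcodes an AWS key and a password, and edits a workflow.
cat >"$SAMPLE_DIFF" <<'EOF'
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = 'hunter2hunter2'
+ANTHROPIC_API_KEY = os.environ["ANTHROPIC_API_KEY"]
 REGION = "us-east-1"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,2 +1,2 @@
 name: ci
-on: [pull_request]
+on: [pull_request, workflow_dispatch]
EOF

# Only lines the patch adds are scanned; '+++ b/...' file headers are skipped.
added_lines() {
  grep -E '^\+' "$1" | grep -Ev '^\+\+\+ ' | cut -c2- || true
}

secret_hits() {
  added_lines "$1" | grep -iE -f "$PATTERNS_FILE" || true
}

scan_secrets() {
  hits=$(secret_hits "$1")
  [ -z "$hits" ] && return 0
  printf 'secret scan: possible credentials in added lines:\n%s\n' "$hits" >&2
  return 1
}

# Added plus removed lines, not counting the ---/+++ file headers.
diff_changed_lines() {
  changed=$(grep -Ec '^[-+]' "$1" || true)
  headers=$(grep -Ec '^(\+\+\+|---) (a/|b/|/dev/null)' "$1" || true)
  echo $((changed - headers))
}

diff_size_gate() {
  n=$(diff_changed_lines "$1")
  [ "$n" -le "$MAX_DIFF_LINES" ] && return 0
  echo "diff size gate: $n changed lines exceeds $MAX_DIFF_LINES" >&2
  return 1
}

# Paths the patch touches, from the '+++ b/<path>' headers (assumes no spaces).
changed_files() {
  grep -E '^\+\+\+ b/' "$1" | cut -c7- || true
}

# Prints the protected paths the patch touches; returns 1 if there are any.
# A revert step is then 'git checkout HEAD -- <path>' for each printed path.
protected_files_touched() {
  hit=0
  for f in $(changed_files "$1"); do
    for p in $PROTECTED_PATHS; do
      case "$f" in "$p"*) printf '%s\n' "$f"; hit=1 ;; esac
    done
  done
  [ "$hit" -eq 0 ]
}

# Runs every gate rather than stopping at the first, so one report lists all.
run_guardrails() {
  status=0
  diff_size_gate "$1" || status=1
  scan_secrets "$1" || status=1
  prot=$(protected_files_touched "$1") || { printf 'protected files touched:\n%s\n' "$prot" >&2; status=1; }
  return "$status"
}
if run_guardrails "$SAMPLE_DIFF"; then echo "guardrails: PASS"; else echo "guardrails: FAIL"; fi
```

On the sample patch the gate passes (6 changed lines), the scanner reports the two hardcoded credentials but not the ANTHROPIC_API_KEY environment lookup (the regex wants a quoted literal after the assignment, not a variable name), and the workflow edit is flagged as a protected path, so the overall result is FAIL and no draft PR would be opened. In the workflow, a git apply --check "$PATCH" before these checks, as a later commit in this PR adds, rejects a patch that would not apply cleanly before anything is scanned.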
6a75443 to 51c3fe5
Add AI-powered issue-to-PR workflow that reads GitHub issues, implements code changes via Claude, and creates draft PRs for review.

Security hardening per review feedback:
- Label-gated: only triggers when 'ai-implement' label is applied by a maintainer — prevents arbitrary users from triggering Claude
- Input sanitization: issue body truncated to 4000 chars with anti-injection instructions in the prompt
- All actions pinned to commit SHA
- GITHUB_TOKEN used for PR creation (no PAT_TOKEN)
- Secret validation uses env-block pattern
- Guardrails: protected file reverts, secret scanning, diff size gate, Python and shell syntax validation

Estimated cost: $5-15 per issue.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Pin @anthropic-ai/claude-code to v2.1.89 (supply chain hardening)
- Remove gpu.py cherry-pick (merged via PR Light-Heart-Labs#715)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
51c3fe5 to 0df0778
Replace Bash(cat *), Bash(head *), Bash(tail *), Bash(find *) with the dedicated Read/Glob tools which are already in the allowedTools list. Reduces runner filesystem exposure surface.

Addresses review: PR Light-Heart-Labs#693 pullrequestreview-4047305668

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… env vars
- Add git apply --check before applying patches (both guardrails and create-pr jobs)
- Expand secret scanning regex to detect GitLab PATs, GitHub OAuth tokens, and PEM private keys
- Move ${{ }} expressions in failure-reason step to env vars for shell safety
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
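The shell-safety change in the commit above (moving ${{ }} expressions out of the run: script into env vars), as an added example rather than code from this PR. GitHub Actions substitutes an expression such as ${{ github.event.issue.title }} into the run: script text before the shell starts, so whoever files the issue controls part of the script; with an env: block the same value reaches the shell only as the contents of a variable. The script below reproduces that difference with a constructed, harmless issue title; the two step functions and the payload are made up for the example.

```shell
#!/bin/sh
# Added example, not code from PR #693. Simulates what GitHub Actions does with a
# ${{ github.event.issue.title }} expression inside a run: step: the value is
# spliced into the script text before the shell starts, so shell metacharacters
# in an issue title become code. Passing the same value through env: means the
# shell only ever sees "$ISSUE_TITLE" and expands it as data.

# Constructed attacker-controlled issue title (harmless payload).
ISSUE_TITLE='Fix bug"; echo INJECTED; echo "'

# Unsafe step, as written in the workflow:
#   run: echo "Implementing: ${{ github.event.issue.title }}"
# After expansion the runner hands the shell this literal script text.
unsafe_step() {
  expanded='echo "Implementing: '"$ISSUE_TITLE"'"'
  sh -c "$expanded"
}

# Safe step, as written in the workflow:
#   env:
#     ISSUE_TITLE: ${{ github.event.issue.title }}
#   run: echo "Implementing: $ISSUE_TITLE"
# The value crosses into the step as an environment variable, never as script.
safe_step() {
  ISSUE_TITLE="$ISSUE_TITLE" sh -c 'echo "Implementing: $ISSUE_TITLE"'
}

echo "--- unsafe (expression interpolated into script) ---"
unsafe_step
echo "--- safe (value passed via env) ---"
safe_step
```

The unsafe step prints the title, then runs the injected echo as its own command; the safe step prints the whole title, quotes and semicolons included, as one line. The same applies to the issue body and to any other event field an outside user can set, which is why the failure-reason step in this PR was moved to the env form.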
Summary
Adds an AI-powered issue-to-PR workflow (split from #683, PR C per review feedback):
When a maintainer applies the ai-implement label to an issue, Claude reads the issue, implements code changes, runs guardrails, and creates a draft PR.
Security hardening (critical review items from #683)
- ai-implement label — only maintainers can apply
Setup
Only one secret needed: ANTHROPIC_API_KEY
Create the ai-implement label in your repo before using.
Cost estimate
$5-15 per issue.
Depends on
Test plan
- labeled event with ai-implement
🤖 Generated with Claude Code