docs: warn that allowed_bots can expose the action to external triggers
allowed_bots does not verify that a matching bot is installed on the
repository or has write access. On a public repo, external GitHub Apps
may be able to trigger workflow events (issues, comments, PR reviews).
If the workflow listens on those events and allowed_bots is '*', an
external App can invoke this action with a prompt it controls.
Default config (allowed_bots: "") is unaffected.
- docs/security.md: add warning and mitigation guidance
- docs/usage.md: add inline warning to the allowed_bots input row
- action.yml: add warning to the allowed_bots input description
:house: Remote-Dev: homespace
action.yml (1 addition & 1 deletion)
@@ -28,7 +28,7 @@ inputs:
28
28
required: false
29
29
default: ""
30
30
allowed_bots:
31
-
description: "Comma-separated list of allowed bot usernames, or '*' to allow all bots. Empty string (default) allows no bots."
31
+
description: "Comma-separated list of allowed bot usernames, or '*' to allow all bots. Empty string (default) allows no bots. WARNING: On public repos with '*', external Apps may be able to invoke this action with prompts they control. See docs/security.md."
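Review bot: The warning appended to the `allowed_bots` description says only that external Apps "may be able to invoke this action", and leaves out the cause stated in the commit message: a matching bot is not checked for installation on the repository or for write access. Put that cause in the description itself, for example "Matching bots are not checked for installation or write access", so a reader who never opens docs/security.md still learns why '*' is risky. Since this commit changes documentation only, also consider emitting a run-time warning when the value is '*'.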
docs/security.md (4 additions & 2 deletions)
@@ -4,6 +4,10 @@
4
4
5
5
-**Repository Access**: The action can only be triggered by users with write access to the repository
6
6
-**Bot User Control**: By default, GitHub Apps and bots cannot trigger this action for security reasons. Use the `allowed_bots` parameter to enable specific bots or all bots
7
+
-**⚠️ Allowed bots are not checked for repository permissions.** A bot that matches an entry does **not** need to be installed on your repository or have write access. On a **public repository**, external parties — including GitHub Apps created by anyone — may be able to trigger workflow events such as opening issues, commenting, or reviewing pull requests. If your workflow listens on those events and `allowed_bots` is set to `'*'`, any such App can invoke this action with a prompt it controls.
8
+
- Prefer an explicit list over `'*'`
9
+
- Only list App names you trust
10
+
- If you need `'*'`, scope workflow `permissions:` to the minimum required
7
11
-**⚠️ Non-Write User Access (RISKY)**: The `allowed_non_write_users` parameter allows bypassing the write permission requirement. **This is a significant security risk and should only be used for workflows with extremely limited permissions** (e.g., issue labeling workflows that only have `issues: write` permission). This feature:
8
12
- Only works when `github_token` is provided as input (not with GitHub App authentication)
9
13
- Accepts either a comma-separated list of specific usernames or `*` to allow all users
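Review bot: The three mitigation bullets under the new warning cover the `allowed_bots` value and workflow `permissions:`, but not the other precondition the warning itself names, "If your workflow listens on those events". Add a bullet telling users to avoid issue, comment and pull request review triggers in workflows that set `'*'`, or to gate the job on who sent the event. The warning also says a bot that "matches an entry" needs no installation or write access, which reads as applying to explicit entries as well; state whether an explicit list removes the exposure or only narrows it, because the first bullet recommends it.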
@@ -85,14 +89,12 @@ Commits will show as verified and attributed to the GitHub account that owns the
85
89
```
86
90
87
91
2. Add the **public key** to your GitHub account:
88
-
89
92
- Go to GitHub → Settings → SSH and GPG keys
90
93
- Click "New SSH key"
91
94
- Select **Key type: Signing Key** (important)
92
95
- Paste the contents of `~/.ssh/signing_key.pub`
93
96
94
97
3. Add the **private key** to your repository secrets:
95
-
96
98
- Go to your repo → Settings → Secrets and variables → Actions
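Review bot: The two blank lines removed after "2. Add the **public key** to your GitHub account:" and "3. Add the **private key** to your repository secrets:" are unrelated to the `allowed_bots` warning and are not mentioned in the commit message. Drop them from this commit, or move formatting changes to a separate one, so the security documentation change stays easy to audit.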
|`anthropic_api_key`| Anthropic API key (required for direct API, not needed for Bedrock/Vertex) | No\*| - |
58
-
|`claude_code_oauth_token`| Claude Code OAuth token (alternative to anthropic_api_key) | No\*| - |
59
-
|`prompt`| Instructions for Claude. Can be a direct prompt or custom template for automation workflows | No | - |
60
-
|`track_progress`| Force tag mode with tracking comments. Only works with specific PR/issue events. Preserves GitHub context | No |`false`|
61
-
|`include_fix_links`| Include 'Fix this' links in PR code review feedback that open Claude Code with context to fix the identified issue | No |`true`|
62
-
|`claude_args`| Additional [arguments to pass directly to Claude CLI](https://docs.claude.com/en/docs/claude-code/cli-reference#cli-flags) (e.g., `--max-turns 10 --model claude-4-0-sonnet-20250805`) | No | "" |
63
-
|`base_branch`| The base branch to use for creating new branches (e.g., 'main', 'develop') | No | - |
64
-
|`use_sticky_comment`| Use just one comment to deliver PR comments (only applies for pull_request event workflows) | No |`false`|
65
-
|`github_token`| GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!**| No | - |
66
-
|`use_bedrock`| Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API | No |`false`|
67
-
|`use_vertex`| Use Google Vertex AI with OIDC authentication instead of direct Anthropic API | No |`false`|
68
-
|`assignee_trigger`| The assignee username that triggers the action (e.g. @claude). Only used for issue assignment | No | - |
69
-
|`label_trigger`| The label name that triggers the action when applied to an issue (e.g. "claude") | No | - |
70
-
|`trigger_phrase`| The trigger phrase to look for in comments, issue/PR bodies, and issue titles | No |`@claude`|
71
-
|`branch_prefix`| The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format) | No |`claude/`|
72
-
|`settings`| Claude Code settings as JSON string or path to settings JSON file | No | "" |
73
-
|`additional_permissions`| Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results | No | "" |
74
-
|`use_commit_signing`| Enable commit signing using GitHub's API. Simple but cannot perform complex git operations like rebasing. See [Security](./security.md#commit-signing)| No |`false`|
75
-
|`ssh_signing_key`| SSH private key for signing commits. Enables signed commits with full git CLI support (rebasing, etc.). See [Security](./security.md#commit-signing)| No | "" |
76
-
|`bot_id`| GitHub user ID to use for git operations (defaults to Claude's bot ID). Required with `ssh_signing_key` for verified commits | No |`41898282`|
77
-
|`bot_name`| GitHub username to use for git operations (defaults to Claude's bot name). Required with `ssh_signing_key` for verified commits | No |`claude[bot]`|
78
-
|`allowed_bots`| Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots| No | "" |
79
-
|`allowed_non_write_users`|**⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md)| No | "" |
80
-
|`path_to_claude_code_executable`| Optional path to a custom Claude Code executable. Skips automatic installation. Useful for Nix, custom containers, or specialized environments | No | "" |
81
-
|`path_to_bun_executable`| Optional path to a custom Bun executable. Skips automatic Bun installation. Useful for Nix, custom containers, or specialized environments | No | "" |
82
-
|`plugin_marketplaces`| Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., see example in workflow above). Marketplaces are added before plugin installation | No | "" |
83
-
|`plugins`| Newline-separated list of Claude Code plugin names to install (e.g., see example in workflow above). Plugins are installed before Claude Code execution | No | "" |
|`anthropic_api_key`| Anthropic API key (required for direct API, not needed for Bedrock/Vertex) | No\*| - |
58
+
|`claude_code_oauth_token`| Claude Code OAuth token (alternative to anthropic_api_key) | No\*| - |
59
+
|`prompt`| Instructions for Claude. Can be a direct prompt or custom template for automation workflows | No | - |
60
+
|`track_progress`| Force tag mode with tracking comments. Only works with specific PR/issue events. Preserves GitHub context | No |`false`|
61
+
|`include_fix_links`| Include 'Fix this' links in PR code review feedback that open Claude Code with context to fix the identified issue | No |`true`|
62
+
|`claude_args`| Additional [arguments to pass directly to Claude CLI](https://docs.claude.com/en/docs/claude-code/cli-reference#cli-flags) (e.g., `--max-turns 10 --model claude-4-0-sonnet-20250805`) | No | "" |
63
+
|`base_branch`| The base branch to use for creating new branches (e.g., 'main', 'develop') | No | - |
64
+
|`use_sticky_comment`| Use just one comment to deliver PR comments (only applies for pull_request event workflows) | No |`false`|
65
+
|`github_token`| GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!**| No | - |
66
+
|`use_bedrock`| Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API | No |`false`|
67
+
|`use_vertex`| Use Google Vertex AI with OIDC authentication instead of direct Anthropic API | No |`false`|
68
+
|`assignee_trigger`| The assignee username that triggers the action (e.g. @claude). Only used for issue assignment | No | - |
69
+
|`label_trigger`| The label name that triggers the action when applied to an issue (e.g. "claude") | No | - |
70
+
|`trigger_phrase`| The trigger phrase to look for in comments, issue/PR bodies, and issue titles | No |`@claude`|
71
+
|`branch_prefix`| The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format) | No |`claude/`|
72
+
|`settings`| Claude Code settings as JSON string or path to settings JSON file | No | "" |
73
+
|`additional_permissions`| Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results | No | "" |
74
+
|`use_commit_signing`| Enable commit signing using GitHub's API. Simple but cannot perform complex git operations like rebasing. See [Security](./security.md#commit-signing)| No |`false`|
75
+
|`ssh_signing_key`| SSH private key for signing commits. Enables signed commits with full git CLI support (rebasing, etc.). See [Security](./security.md#commit-signing)| No | "" |
76
+
|`bot_id`| GitHub user ID to use for git operations (defaults to Claude's bot ID). Required with `ssh_signing_key` for verified commits | No |`41898282`|
77
+
|`bot_name`| GitHub username to use for git operations (defaults to Claude's bot name). Required with `ssh_signing_key` for verified commits | No |`claude[bot]`|
78
+
|`allowed_bots`| Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots. **⚠️ On public repos with `'*'`, external Apps may be able to invoke this action.** See [Security](./security.md)| No | "" |
79
+
|`allowed_non_write_users`|**⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md)| No | "" |
80
+
|`path_to_claude_code_executable`| Optional path to a custom Claude Code executable. Skips automatic installation. Useful for Nix, custom containers, or specialized environments | No | "" |
81
+
|`path_to_bun_executable`| Optional path to a custom Bun executable. Skips automatic Bun installation. Useful for Nix, custom containers, or specialized environments | No | "" |
82
+
|`plugin_marketplaces`| Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., see example in workflow above). Marketplaces are added before plugin installation | No | "" |
83
+
|`plugins`| Newline-separated list of Claude Code plugin names to install (e.g., see example in workflow above). Plugins are installed before Claude Code execution | No | "" |
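Review bot: Only the `allowed_bots` row changes its text here, yet every row of the inputs table is removed and re-added, which hides the one meaningful edit among rows that read the same before and after. Limit the change to that row, or land the table re-alignment separately. The row's warning also reads "external Apps may be able to invoke this action" and omits the "with prompts they control" wording used in action.yml; use the same sentence in both places so the risk is described consistently.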