|
12 | 12 |
|
13 | 13 | jobs: |
14 | 14 | claude: |
| 15 | + # Only allow trusted actors (OWNER, MEMBER, COLLABORATOR) to trigger Claude with write permissions |
15 | 16 | if: | |
16 | | - (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || |
17 | | - (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || |
18 | | - (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || |
19 | | - (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
| 17 | + (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') && |
| 18 | + contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) || |
| 19 | + (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') && |
| 20 | + contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) || |
| 21 | + (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && |
| 22 | + contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)) || |
| 23 | + (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && |
| 24 | + contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association)) |
20 | 25 | runs-on: ubuntu-latest |
21 | 26 | permissions: |
22 | 27 | contents: write # Allow creating branches/commits |
|
47 | 52 | # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md |
48 | 53 | # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options |
49 | 54 | # claude_args: '--allowed-tools Bash(gh pr:*)' |
50 | | - |
|
0 commit comments