ci: update Claude review workflows to Opus 4.6 #73
Conversation
statik left a comment:
looks good! requesting some additional security
.github/workflows/claude.yml
Outdated
| jobs: | ||
| claude-code-action: | ||
| if: | | ||
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || |
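Review bot: the `issue_comment` path of this `if:` gates only on the comment body containing `@claude`, with no check on who wrote the comment, so any account that can comment on an issue can trigger the workflow; gate it additionally on the commenter's repository permission, and since the thread notes that `author_association` is being dropped from comment payloads, prefer a permission lookup through the collaborators API over `github.event.comment.author_association`.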
Could you extend the guards on this to only allow invocation by maintainers or org members? This is a copy-paste answer from Google when I searched for how to limit this:
```yaml
jobs:
  comment-job:
    # Run only for a named maintainer, or when the issue author is a collaborator
    if: github.actor == 'repo-maintainer' || contains(github.event.issue.author_association, 'COLLABORATOR')
    runs-on: ubuntu-latest
    steps:
      - run: echo "Only maintained by authorized users"
```
Added author_association checks to each event path in the if condition. Only OWNER, MEMBER, and COLLABORATOR can now trigger the workflow — external contributors and first-time commenters are silently ignored. Used the fromJSON + contains pattern to check against the allowed list.
@ian-flores I love the author_association approach. I noticed https://github.blog/changelog/2025-08-08-upcoming-changes-to-github-events-api-payloads/ says the author association was being removed from issue comment and pr comment payloads last year. I wonder if there is another way to get this info?
author_association may be removed from GitHub event payloads. Use the repo collaborators permission API instead to verify the actor has write or admin access before running.
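One way to do the permission check suggested above, as an added example that is not code from this PR or from the team-operator repository: a shell step that asks GitHub's collaborator permission endpoint (GET /repos/{owner}/{repo}/collaborators/{username}/permission) for the actor's level and fails the job unless it is admin or write. The function names, the sed parsing and the `--live` flag are my own; GITHUB_REPOSITORY, GITHUB_ACTOR and `gh` are the standard Actions runner environment.

```shell
#!/usr/bin/env bash
# Added example, not code from this PR: gate a workflow step on the actor's
# repository permission instead of author_association.
set -eu

# Permission levels allowed to trigger the workflow. The endpoint reports
# "admin", "write", "read" or "none" in its top-level "permission" field
# (finer roles such as maintain/triage appear in "role_name"), so "read"
# and "none" (external contributors, first-time commenters) are rejected.
is_trusted_permission() {
  case "$1" in
    admin|write) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the top-level "permission" value from the API response.
# Plain sed so the step has no jq dependency; "permissions" (plural,
# inside the user object) does not match because of the closing quote.
permission_from_json() {
  printf '%s\n' "$1" |
    sed -n 's/.*"permission"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Returns 0 when the actor described by the JSON response may run the job
# (an error body such as {"message":"Not Found"} yields no level: denied).
actor_allowed() {
  local level
  level=$(permission_from_json "$1")
  [ -n "$level" ] && is_trusted_permission "$level"
}

# Live check for a GitHub Actions `run:` step. GITHUB_REPOSITORY and
# GITHUB_ACTOR are set by the runner; `gh` needs GH_TOKEN (for example the
# job's GITHUB_TOKEN) to call the API. Exits non-zero so later steps skip.
check_actor_live() {
  local repo="${GITHUB_REPOSITORY:?}" actor="${GITHUB_ACTOR:?}" response
  response=$(gh api "repos/${repo}/collaborators/${actor}/permission")
  if actor_allowed "$response"; then
    echo "actor ${actor} has write access, continuing"
  else
    echo "actor ${actor} lacks write access, refusing to run" >&2
    exit 1
  fi
}

# Invoke as `bash check-actor.sh --live` from the workflow step.
if [ "${1:-}" = "--live" ]; then
  check_actor_live
fi
```

Put the step before the Claude job's own steps (or in a separate job the Claude job `needs:`) so a denied actor stops the run before any model call.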
Replaced
It worked @statik! Thanks for the reviews 🤝 https://github.com/posit-dev/team-operator/actions/runs/21873081709
Summary

- claude-auto-review.yml: from us.anthropic.claude-opus-4-5-20251101-v1:0 to us.anthropic.claude-opus-4-6-v1
- claude.yml: PR assistant workflow (responds to @claude mentions in PRs/issues)

Test plan

- @claude mentions work in PR comments