.github/workflows/pull-request.yml
Outdated
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| id-token: write |
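Review bot: id-token: write on the last line of this permissions block has no comment saying which step consumes the OIDC token, and it is the one entry here whose purpose is not obvious next to contents: read and pull-requests: write. Add a one-line comment naming the step that requests the token, and if this block sits at workflow level, move it to the single job that needs it so no other job can request a token.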
why does claude need id-token: write? what is it accessing?
id-token: write lets the workflow request a JWT that proves "I am this workflow, in this repo." The action sends this JWT to Anthropic, which validates it and returns a GitHub App installation token for the Claude App installed in our org. The returned token has the full permissions of the installed Claude App: read/write access to contents, issues, and pull requests.
This is the authentication method that official Claude Code examples use. The alternative is passing the workflow's built-in github.token that is scoped by the permissions block. This requires no App and no id-token: write, but comments post as github-actions[bot] and sticky matching breaks. anthropics/claude-code-action#960.
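The claims behind "I am this workflow, in this repo", as an added example that is not part of this thread or of the action's code: a relying party that has already verified the token's signature against the issuer's published keys would go on to check claims like these. The audience URL, repository names and helper names are constructed for illustration; how Anthropic validates the token is not shown on this page.

```python
import base64
import json
import time

GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_claims(token, audience, allowed_repos, now=None):
    """Return rejection reasons (empty list = acceptable).

    Assumes the signature was already verified against the issuer's
    published keys; this function does NOT verify it.
    """
    now = time.time() if now is None else now
    try:
        _header, payload, _signature = token.split(".")
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return ["malformed token"]
    if not isinstance(claims, dict):
        return ["malformed token"]
    problems = []
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        problems.append("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("expired or missing exp")
    repo = claims.get("repository")
    if not isinstance(repo, str) or repo not in allowed_repos:
        problems.append("repository not allowed")
    return problems

def make_sample_token(**overrides):
    """Constructed token for the demo; the signature segment is a dummy."""
    claims = {"iss": GITHUB_OIDC_ISSUER, "aud": "https://relying-party.example",
              "sub": "repo:example-org/example-repo:pull_request",
              "repository": "example-org/example-repo",
              "event_name": "pull_request", "exp": 2_000_000_000}
    claims.update(overrides)
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([b64url_encode(header), b64url_encode(claims), "c2ln"])
```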
.github/workflows/pull-request.yml
Outdated
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| prompt: "/review" | ||
| # Pre-loads full PR context (description, diff, comments) into the prompt. Also shows a progress tracker. | ||
| track_progress: true |
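Review bot: the comment above track_progress: true says the setting pre-loads the PR description, diff and comments into the prompt, and all three are written by whoever opens or comments on the PR, so this line places untrusted text in front of a step that also receives secrets.ANTHROPIC_API_KEY. State in the comment whose content is included and restrict it to trusted actors if the action offers a filter; "Also shows a progress tracker" would read better as its own comment line.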
i don't see this option listed in the docs you linked, but i did find a github issue noting that this option is a security risk, as it appears to give claude full write access.
It's listed in https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md. I put this link in code for future reference.
After doing more investigation, I found an include_comments_by_actor parameter that prevents Claude from reading untrusted comments, which secures against prompt injection. Without the ability to affect the main branch, I believe Claude having write access is not an issue. I've documented this at the top of the file.
| # 3. Production deployments are protected: | ||
| # - [x] main branch protection requires PR approval | ||
| # - [x] Claude can't merge or approve PRs; allowedTools does not include `gh pr merge` or `gh pr review` | ||
| # - [x] Claude's commits can't be merged; main require signed commits, and use_commit_signing is disabled |
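Review bot: the third checkbox depends on two settings at once (main requiring signed commits, and use_commit_signing staying disabled), and neither is enforced by the lines shown; the branch rule lives in repository settings and can change without touching this file. Note where the branch protection is configured so the checklist can be re-verified, and change "main require signed commits" to "main requires signed commits".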
It feels unlikely to me that Claude would push to the dev branch, and the impact is probably limited, but we could prevent this from happening by requiring verified commits on dev.
Goal
HNT-1732 Claude Code automatically reviews PRs, and re-reviews as new commits are pushed. This does not replace the need to review all generated code before it is committed, and to have a second engineer review it as well.
Deployment steps
References
JIRA ticket: HNT-1732
Docs: