feat: anthropic setup #27
Pull request overview
Adds a GitHub Actions workflow to run the Anthropic Claude Code action in response to @claude mentions on issues and issue comments, enabling automated assistance directly from GitHub events.
Changes:
- Introduces the .github/workflows/claude.yml workflow, triggered on issue creation/assignment and on new comments containing @claude.
- Runs anthropics/claude-code-action with an API key from secrets.ANTHROPIC_TOKEN.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'issues' && contains(github.event.issue.body, '@claude')) |
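Review bot: the issues clause of this condition keys only on the issue body, so an already-open issue whose body contains @claude will re-run the job on every assignment event, not just on creation (the overview above lists assignment as a trigger). If that is not intended, add github.event.action == 'opened' to the issues clause, or narrow the activity types on the trigger itself.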
The workflow can be triggered by any user who opens an issue or comments with @claude. For issues/issue_comment events, secrets are available to the workflow in the base repo context, which makes this a privilege-escalation risk (untrusted users can trigger runs that have access to secrets.ANTHROPIC_TOKEN). Add an allowlist check (e.g., author_association in OWNER/MEMBER/COLLABORATOR) and/or restrict to trusted actors before running the job.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'issues' && contains(github.event.issue.body, '@claude')) | |
| ( | |
| github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| ( | |
| github.event.comment.author_association == 'OWNER' || | |
| github.event.comment.author_association == 'MEMBER' || | |
| github.event.comment.author_association == 'COLLABORATOR' | |
| ) | |
| ) || ( | |
| github.event_name == 'issues' && | |
| contains(github.event.issue.body, '@claude') && | |
| ( | |
| github.event.issue.author_association == 'OWNER' || | |
| github.event.issue.author_association == 'MEMBER' || | |
| github.event.issue.author_association == 'COLLABORATOR' | |
| ) | |
| ) |
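Review bot: in the issues clause the allowlist is evaluated against the issue author (github.event.issue.author_association), not against whoever assigns the issue, so a maintainer cannot start a run by assigning an externally authored issue that mentions @claude. That is the safe default, but it should be stated in a comment in the workflow so it is not later "fixed" by widening the list. Leaving CONTRIBUTOR out is also correct: anyone with a single previously merged change to the repository receives that association, so it is not a trust boundary.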
| (github.event_name == 'issues' && contains(github.event.issue.body, '@claude')) | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write |
Job permissions are very broad (contents: write, issues: write). If Claude only needs to comment on PRs/issues, prefer least-privilege permissions (e.g., contents: read and only the specific write scopes needed). Keeping contents: write enables pushing commits/tags if this workflow is ever abused.
| contents: write | |
| contents: read |
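Review bot: switching contents to read addresses only one of the two scopes the comment names; issues: write should stay only if the action actually posts comments, and nothing else in the hunk shows which scopes the action needs. Check the action's documented required permissions against the final permissions block before merging, since a scope the job lacks fails at run time rather than in review.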
| fetch-depth: 1 | ||
|
|
||
| - name: Run Claude Code | ||
| uses: anthropics/claude-code-action@28f83620103c48a57093dcc2837eec89e036bb9f |
anthropics/claude-code-action@beta is a moving ref and can change without notice. For supply-chain safety and reproducible runs, pin this to an immutable commit SHA or at least a stable, versioned release tag.
| uses: anthropics/claude-code-action@28f83620103c48a57093dcc2837eec89e036bb9f | |
| uses: anthropics/claude-code-action@v1 |
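Review bot: the suggested replacement weakens the pinning rather than strengthening it. The line under review already uses the full commit SHA 28f83620103c48a57093dcc2837eec89e036bb9f, while "uses: anthropics/claude-code-action@v1" is a mutable tag that upstream can move at any time; the comment's reference to "@beta" also does not match what the hunk shows. Keep the SHA and append a trailing comment naming the release it corresponds to, so dependency-update tooling can track it while the reference itself stays immutable.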
No description provided.