Conversation
💡 Codex Reviewclosedloop-electron/.github/workflows/claude-code-review.yml Lines 6 to 7 in 272727f  Avoid checking out PR code under pull_request_target
When a Dependabot PR is opened, this new ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
| on: | ||
| pull_request: | ||
| types: [opened] | ||
| pull_request_target: |
There was a problem hiding this comment.
ensure this does not cause a double review
mikeangstadt
left a comment
mikeangstadt
left a comment
There was a problem hiding this comment.
Code Review — Fork Security & Manual Triggers
2 Blocking, 1 High — see inline comments.
Key Issues
- BLOCKING: Fork PRs fail hard at token generation (secrets are empty) — need graceful skip
- BLOCKING:
workflow_dispatchhas no PR number input — manual reviews can't target a PR - HIGH:
claude.ymlhas no actor protection — any GitHub user can@claudeto burn API credits
Note: pull_request event runs the fork's copy of the workflow, so if conditions there aren't a security boundary. The real protection is GitHub's secrets withholding for fork PRs. Findings focus on graceful failure and base-branch-enforced controls only.
| name: Claude Code Review | ||
|
|
||
| on: | ||
| pull_request: |
There was a problem hiding this comment.
BLOCKING — Fork PRs fail hard instead of skipping gracefully.
pull_request fires for fork PRs. Secrets are (correctly) withheld by GitHub, so there's no security leak. But the job still runs and fails at the create-github-app-token step because secrets.CLOSEDLOOP_APP_ID_STAGE is empty. This creates a red X check on every fork PR.
If branch protection requires this check to pass, fork PRs become unmergeable. Even without branch protection, it's confusing UX.
Fix — graceful skip for forks:
# In the job if condition, add a fork guard to the pull_request branch:
(github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository)Fork PRs would then skip this job entirely (green skip, not red failure). Fork reviews would only happen via workflow_dispatch by a collaborator.
| types: [opened] | ||
| pull_request_target: | ||
| types: [opened] | ||
| workflow_dispatch: |
There was a problem hiding this comment.
BLOCKING — Manual triggers can't target a specific PR.
workflow_dispatch passes the if condition, but there are no inputs:. When manually triggered:
github.event.pull_requestis empty → checkout falls back togithub.ref(default branch)- The Claude prompt becomes
/code-review:start --githubwith no PR number - Summary posting skips (
PR_NUMBERis empty)
Fix:
workflow_dispatch:
inputs:
pr_number:
description: 'PR number to review'
required: true
type: numberThen update the checkout ref and prompt to use github.event.inputs.pr_number when event_name == 'workflow_dispatch'. Resolve the PR's head SHA via gh pr view in a setup step.
| types: [submitted] | ||
|
|
||
| jobs: | ||
| claude: |
There was a problem hiding this comment.
HIGH — No actor protection. Any GitHub user can burn API credits via @claude.
issue_comment runs from the base branch with secrets — fork authors can't modify this workflow. But any GitHub user can comment @claude on any issue/PR and trigger Claude Code using the org's CLAUDE_CODE_OAUTH_TOKEN.
Fix — restrict to collaborators:
if: |
(
github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude') &&
contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
) || ...author_association is on the event payload — no API call needed. This ensures only repo collaborators can invoke @claude.
|
@peterulsteen let's copy this pattern once we get this landed to claude-plugins and the new repo. |
3 participants
No description provided.