actions/claude-code-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: pin bun runtime config and improve log hygiene (#1174)

Browse Source 
* fix: pin bun runtime config and improve log hygiene

* snapshot all SENSITIVE_PATHS to .claude-pr/, not just .claude/
This commit is contained in:
Ashwin Bhat 2026-04-05 07:42:02 -07:00 committed by GitHub
parent 3534c326a5
commit 6e2bd52842
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 29 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
action.yml
View File

@ -227,7 +227,10 @@ runs:
id: run id: run
shell: bash shell: bash
run: | run: |
bun run ${GITHUB_ACTION_PATH}/src/entrypoints/run.ts bun --no-env-file \
--config="${GITHUB_ACTION_PATH}/bunfig.toml" \
--tsconfig-override="${GITHUB_ACTION_PATH}/tsconfig.json" \
run ${GITHUB_ACTION_PATH}/src/entrypoints/run.ts
env: env:
# Prepare inputs # Prepare inputs
MODE: ${{ inputs.mode }} MODE: ${{ inputs.mode }}
@ -324,7 +327,10 @@ runs:
if: always() && inputs.ssh_signing_key != '' if: always() && inputs.ssh_signing_key != ''
shell: bash shell: bash
run: | run: |
bun run ${GITHUB_ACTION_PATH}/src/entrypoints/cleanup-ssh-signing.ts bun --no-env-file \
--config="${GITHUB_ACTION_PATH}/bunfig.toml" \
--tsconfig-override="${GITHUB_ACTION_PATH}/tsconfig.json" \
run ${GITHUB_ACTION_PATH}/src/entrypoints/cleanup-ssh-signing.ts
- name: Post buffered inline comments - name: Post buffered inline comments
if: always() && inputs.classify_inline_comments != 'false' if: always() && inputs.classify_inline_comments != 'false'
@ -336,7 +342,10 @@ runs:
PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }} ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }}
run: | run: |
bun run ${GITHUB_ACTION_PATH}/src/entrypoints/post-buffered-inline-comments.ts bun --no-env-file \
--config="${GITHUB_ACTION_PATH}/bunfig.toml" \
--tsconfig-override="${GITHUB_ACTION_PATH}/tsconfig.json" \
run ${GITHUB_ACTION_PATH}/src/entrypoints/post-buffered-inline-comments.ts
- name: Revoke app token - name: Revoke app token
if: always() && inputs.github_token == '' && steps.run.outputs.github_token != '' && steps.run.outputs.skipped_due_to_workflow_validation_mismatch != 'true' if: always() && inputs.github_token == '' && steps.run.outputs.github_token != '' && steps.run.outputs.skipped_due_to_workflow_validation_mismatch != 'true'

2
base-action/src/run-claude-sdk.ts
View File

@ -151,7 +151,7 @@ export async function runClaudeWithSdk(
console.log(`Running Claude with prompt from file: ${promptPath}`); console.log(`Running Claude with prompt from file: ${promptPath}`);
// Log SDK options without env (which could contain sensitive data) // Log SDK options without env (which could contain sensitive data)
const { env, ...optionsToLog } = sdkOptions; const { env, extraArgs, ...optionsToLog } = sdkOptions;
console.log("SDK options:", JSON.stringify(optionsToLog, null, 2)); console.log("SDK options:", JSON.stringify(optionsToLog, null, 2));
const messages: SDKMessage[] = []; const messages: SDKMessage[] = [];

2
bunfig.toml Normal file
View File

@ -0,0 +1,2 @@
# Intentionally minimal. action.yml pins --config to this file so bun resolves
# its runtime config from the action directory rather than the workspace.

20
src/github/operations/restore-config.ts
View File

@ -15,6 +15,9 @@ const SENSITIVE_PATHS = [
".claude.json", ".claude.json",
".gitmodules", ".gitmodules",
".ripgreprc", ".ripgreprc",
"CLAUDE.md",
"CLAUDE.local.md",
".husky",
]; ];
/** /**
@ -44,16 +47,19 @@ export function restoreConfigFromBase(baseBranch: string): void {
`Restoring ${SENSITIVE_PATHS.join(", ")} from origin/${baseBranch} (PR head is untrusted)`, `Restoring ${SENSITIVE_PATHS.join(", ")} from origin/${baseBranch} (PR head is untrusted)`,
); );
// Snapshot the PR's .claude/ tree to .claude-pr/ before deleting it. // Snapshot every PR-authored sensitive path into .claude-pr/ before deletion
// This lets review agents inspect what the PR actually changes (CLAUDE.md, // so review agents can inspect what the PR changes without those files ever
// settings, hooks, MCP configs) without those files ever being executed. // being executed. Captured before the security delete so it reflects the
// The snapshot is taken before the security delete so it captures the
// PR-authored version. // PR-authored version.
rmSync(".claude-pr", { recursive: true, force: true }); rmSync(".claude-pr", { recursive: true, force: true });
if (existsSync(".claude")) { for (const p of SENSITIVE_PATHS) {
cpSync(".claude", ".claude-pr", { recursive: true }); if (existsSync(p)) {
cpSync(p, `.claude-pr/${p}`, { recursive: true });
}
}
if (existsSync(".claude-pr")) {
console.log( console.log(
"Preserved PR's .claude/ → .claude-pr/ for review agents (not executed)", "Preserved PR's sensitive paths → .claude-pr/ for review agents (not executed)",
); );
} }

1
src/github/token.ts
View File

@ -148,6 +148,7 @@ export async function setupGitHubToken(): Promise<string> {
}, },
); );
console.log("App token successfully obtained"); console.log("App token successfully obtained");
core.setSecret(appToken);
console.log("Using GITHUB_TOKEN from OIDC"); console.log("Using GITHUB_TOKEN from OIDC");
return appToken; return appToken;