From ff9acae5886d41a99ed4ec14b7dc147d55834722 Mon Sep 17 00:00:00 2001
From: Octavian Guzu
Date: Mon, 23 Mar 2026 12:10:02 +0000
Subject: [PATCH] Auto-set subprocess env scrub when allowed_non_write_users is configured (#1093)

* Auto-set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB when allowed_non_write_users is configured

Sets the env var automatically whenever allowed_non_write_users is non-empty, so downstream workflows don't need to add it manually. Updates the input description and docs/security.md to note the behavior.

:house: Remote-Dev: homespace

* Fall back to inherited env when allowed_non_write_users is unset

:house: Remote-Dev: homespace

* Let workflow/job env override the auto-set scrub flag

Env var takes priority so users can opt in/out via CLAUDE_CODE_SUBPROCESS_ENV_SCRUB at job or workflow level independently of allowed_non_write_users.

:house: Remote-Dev: homespace
---
 action.yml       | 12 +++++++++++-
 docs/security.md |  1 +
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index 18806ab..9e830cb 100644
--- a/action.yml
+++ b/action.yml
@@ -32,7 +32,16 @@ inputs: required: false default: "" allowed_non_write_users: - description: "Comma-separated list of usernames to allow without write permissions, or '*' to allow all users. Only works when github_token input is provided. WARNING: Use with extreme caution - this bypasses security checks and should only be used for workflows with very limited permissions (e.g., issue labeling)." + description: | + Comma-separated list of usernames to allow without write permissions, or '*' to allow all users. + Only works when github_token input is provided. WARNING: Use with extreme caution - this + bypasses security checks and should only be used for workflows with very limited permissions + (e.g., issue labeling). + + SECURITY: Processing untrusted content exposes the workflow to prompt injection. When this + input is set, Claude does a best-effort scrub of Anthropic, cloud, and GitHub Actions secrets + from subprocess environments. This reduces but does not eliminate prompt injection risk - + only use for workflows with very limited permissions and validate all outputs. required: false default: "" include_comments_by_actor: @@ -204,6 +213,7 @@ runs: OVERRIDE_GITHUB_TOKEN: ${{ inputs.github_token }} ALLOWED_BOTS: ${{ inputs.allowed_bots }} ALLOWED_NON_WRITE_USERS: ${{ inputs.allowed_non_write_users }} + CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: ${{ env.CLAUDE_CODE_SUBPROCESS_ENV_SCRUB || (inputs.allowed_non_write_users != '' && '1') || '' }} INCLUDE_COMMENTS_BY_ACTOR: ${{ inputs.include_comments_by_actor }} EXCLUDE_COMMENTS_BY_ACTOR: ${{ inputs.exclude_comments_by_actor }} GITHUB_RUN_ID: ${{ github.run_id }} diff --git a/docs/security.md b/docs/security.md index eb3c69a..273a673 100644 --- a/docs/security.md +++ b/docs/security.md 
@@ -13,6 +13,7 @@ - Accepts either a comma-separated list of specific usernames or `*` to allow all users - **Should be used with extreme caution** as it bypasses the primary security mechanism of this action - Is designed for automation workflows where user permissions are already restricted by the workflow's permission scope + - When set, Claude does a best-effort scrub of Anthropic, cloud, and GitHub Actions secrets from subprocess environments. This reduces but does not eliminate prompt injection risk — keep workflow permissions minimal and validate all outputs. Set `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: 0` in your workflow or job `env:` block to opt out. - **Token Permissions**: The GitHub app receives only a short-lived token scoped specifically to the repository it's operating in - **No Cross-Repository Access**: Each action invocation is limited to the repository where it was triggered - **Limited Scope**: The token cannot access other repositories or perform actions beyond the configured permissions
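Review bot: The new SECURITY paragraph in the `allowed_non_write_users` input description (first action.yml hunk) describes the scrub but does not say how it is controlled, while the docs/security.md hunk documents `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: 0` as the opt-out; the input description is what users see in the action reference, so add one sentence there, e.g. "Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB in your workflow or job env to override (0 to disable)", so the two descriptions cannot drift apart.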
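Review bot: The expression `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: ${{ env.CLAUDE_CODE_SUBPROCESS_ENV_SCRUB || (inputs.allowed_non_write_users != '' && '1') || '' }}` in the second action.yml hunk only forwards whatever string the caller set, so the documented opt-out works only if the downstream consumer interprets the literal `0` as disabled; that contract lives outside this file and deserves a YAML comment above the line ("0 disables, 1 enables, unset follows allowed_non_write_users"). Two edge cases are also worth a comment or test: a caller who sets the variable to an empty string is indistinguishable from unset and still gets `'1'` auto-set when `allowed_non_write_users` is non-empty, and `allowed_non_write_users: '*'` is non-empty and therefore enables the scrub, which is presumably intended but not stated.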
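Review bot: The docs/security.md bullet names "Anthropic, cloud, and GitHub Actions secrets" without saying how those are identified (an explicit list of variable names? name patterns?), and a maintainer deciding whether the scrub is adequate for a workflow that handles other credentials needs that detail; link to or list the matched variable names, and state that the scrub applies to the environment of subprocesses Claude spawns, not to the action step's own environment. The bullet also documents only opt-out, while the commit message says the env var lets users opt in or out independently of `allowed_non_write_users`; add the opt-in form (`CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: 1` with `allowed_non_write_users` unset) so that use is discoverable.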