9ddce40de8
* Restore .claude/ and .mcp.json from PR base branch before CLI runs
The CLI's non-interactive mode trusts cwd: it reads .mcp.json and
.claude/settings{,.local}.json from the working directory and acts on
them before any tool-permission gating — executing hooks, setting env
vars (NODE_OPTIONS, LD_PRELOAD), running apiKeyHelper shell commands,
and auto-approving MCP servers. When this action checks out a PR head,
these files are attacker-controlled.
Rather than enumerate dangerous keys, replace the entire .claude/ tree
and .mcp.json with the versions from the PR base branch (which a
maintainer has reviewed). Paths absent on base are deleted. Uses local
git state, so no TOCTOU against the GitHub API.
* Read PR base ref from payload for config restore in agent mode
Agent mode's branchInfo.baseBranch defaults to "main" (or env/input
override) instead of the PR's actual target branch — it doesn't query
prData.baseRefName like tag mode does. This meant a PR targeting
develop would get .claude/ restored from main.
Fix by reading pull_request.base.ref directly from the webhook payload
for pull_request, pull_request_review, and pull_request_review_comment
events. For issue_comment on a PR (no base.ref in payload), fall back
to the mode-provided value — tag mode's value is correct (from GraphQL);
agent mode on issue_comment is an edge case that at worst restores from
the wrong trusted branch, which is still secure.
The payload value passes through validateBranchName for defense-in-depth
(GitHub enforces valid branch names server-side, but we validate anyway).
* Extend restored paths to .gitmodules, .ripgreprc, .claude.json
.gitmodules defines submodule URLs and paths; path-confusion attacks
against git submodule operations can write into .git/hooks. .ripgreprc
can set --pre (arbitrary command on each file) if RIPGREP_CONFIG_PATH
points at it. .claude.json is cheap defense-in-depth.
Documented why .git/ is excluded (not trackable in commits, and
restoring it would undo the PR checkout), along with .gitconfig
(git never reads it from cwd) and shell rc files (sourced from $HOME,
not cwd — checkout cannot reach $HOME).
Claude Code Action
A general-purpose Claude Code action for GitHub PRs and issues that can answer questions and implement code changes. This action intelligently detects when to activate based on your workflow context—whether responding to @claude mentions, issue assignments, or executing automation tasks with explicit prompts. It supports multiple authentication methods including Anthropic direct API, Amazon Bedrock, Google Vertex AI, and Microsoft Foundry.
Features
- 🎯 Intelligent Mode Detection: Automatically selects the appropriate execution mode based on your workflow context—no configuration needed
- 🤖 Interactive Code Assistant: Claude can answer questions about code, architecture, and programming
- 🔍 Code Review: Analyzes PR changes and suggests improvements
- ✨ Code Implementation: Can implement simple fixes, refactoring, and even new features
- 💬 PR/Issue Integration: Works seamlessly with GitHub comments and PR reviews
- 🛠️ Flexible Tool Access: Access to GitHub APIs and file operations (additional tools can be enabled via configuration)
- 📋 Progress Tracking: Visual progress indicators with checkboxes that dynamically update as Claude completes tasks
- 📊 Structured Outputs: Get validated JSON results that automatically become GitHub Action outputs for complex automations
- 🏃 Runs on Your Infrastructure: The action executes entirely on your own GitHub runner (Anthropic API calls go to your chosen provider)
- ⚙️ Simplified Configuration: Unified
promptandclaude_argsinputs provide clean, powerful configuration aligned with Claude Code SDK
📦 Upgrading from v0.x?
See our Migration Guide for step-by-step instructions on updating your workflows to v1.0. The new version simplifies configuration while maintaining compatibility with most existing setups.
Quickstart
The easiest way to set up this action is through Claude Code in the terminal. Just open claude and run /install-github-app.
This command will guide you through setting up the GitHub app and required secrets.
Note:
- You must be a repository admin to install the GitHub app and add secrets
- This quickstart method is only available for direct Anthropic API users. For AWS Bedrock, Google Vertex AI, or Microsoft Foundry setup, see docs/cloud-providers.md.
📚 Solutions & Use Cases
Looking for specific automation patterns? Check our Solutions Guide for complete working examples including:
- 🔍 Automatic PR Code Review - Full review automation
- 📂 Path-Specific Reviews - Trigger on critical file changes
- 👥 External Contributor Reviews - Special handling for new contributors
- 📝 Custom Review Checklists - Enforce team standards
- 🔄 Scheduled Maintenance - Automated repository health checks
- 🏷️ Issue Triage & Labeling - Automatic categorization
- 📖 Documentation Sync - Keep docs updated with code changes
- 🔒 Security-Focused Reviews - OWASP-aligned security analysis
- 📊 DIY Progress Tracking - Create tracking comments in automation mode
Each solution includes complete working examples, configuration details, and expected outcomes.
Documentation
- Solutions Guide - 🎯 Ready-to-use automation patterns
- Migration Guide - ⭐ Upgrading from v0.x to v1.0
- Setup Guide - Manual setup, custom GitHub apps, and security best practices
- Usage Guide - Basic usage, workflow configuration, and input parameters
- Custom Automations - Examples of automated workflows and custom prompts
- Configuration - MCP servers, permissions, environment variables, and advanced settings
- Experimental Features - Execution modes and network restrictions
- Cloud Providers - AWS Bedrock, Google Vertex AI, and Microsoft Foundry setup
- Capabilities & Limitations - What Claude can and cannot do
- Security - Access control, permissions, and commit signing
- FAQ - Common questions and troubleshooting
📚 FAQ
Having issues or questions? Check out our Frequently Asked Questions for solutions to common problems and detailed explanations of Claude's capabilities and limitations.
License
This project is licensed under the MIT License—see the LICENSE file for details.