fix: refresh upstream tokens transparently instead of forcing re-auth #15290
Workflow file for this run
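---
name: Claude PR Assistant

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
  pull_request_review:
    types: [submitted]

jobs:
  claude:
    name: Claude Code Action
    # Security: trigger gate. The agent wakes only when the *author of the
    # triggering comment / issue / review* is on the allowlist below. This is
    # an allowlist (OWNER, MEMBER, COLLABORATOR) rather than a denylist of
    # NONE / FIRST_TIMER / FIRST_TIME_CONTRIBUTOR: a denylist still admits
    # CONTRIBUTOR, which GitHub grants after any single merged commit, and it
    # admits any association value GitHub adds in future. Add 'CONTRIBUTOR'
    # back only as an accepted risk, since this job holds contents:write.
    #
    # This gate controls WHO can invoke the agent, nothing more. On a PR the
    # agent then reads the title, body, diff and thread, which a fork author
    # controls, so prompt injection through that content is bounded by the
    # tool and token limits further down, not by this condition.
    # See: https://docs.github.com/en/graphql/reference/enums#commentauthorassociation
    if: |
      (github.event_name == 'issue_comment' &&
       contains(github.event.comment.body, '@claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review_comment' &&
       contains(github.event.comment.body, '@claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review' &&
       contains(github.event.review.body, '@claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
      (github.event_name == 'issues' &&
       contains(github.event.issue.body, '@claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Least-privilege scopes for the job's GITHUB_TOKEN. If the action instead
    # exchanges the OIDC token for a GitHub App installation token, that
    # token's scopes are what the agent effectively has; review both whenever
    # this block changes.
    permissions:
      contents: write       # push commits to PR branches; branch protection is what stops a push to the default branch
      pull-requests: read
      issues: read
      id-token: write       # NOTE(review): presumably for the action's OIDC token exchange — confirm, drop if unused
      actions: read         # read CI results on PRs
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 1
          # NOTE(review): persist-credentials defaults to true, so the
          # contents:write token is written to .git/config where Bash(git *)
          # can use it. Set it to false if the action provisions its own git
          # credentials for pushing — confirm against the action's docs first.

      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: 'go.mod'

      - name: Setup helm-docs
        # Pinned to a release tag rather than @latest: a module resolved at
        # run time is a mutable supply-chain input into a job that holds
        # contents:write. Bump the version deliberately.
        run: go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.14.2

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@35a9e0292d36f1186f5d842b14eb575074e8b450 # v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # Security: tool restriction. This narrows what the agent reaches
          # for, but it is NOT a sandbox and does not prevent arbitrary code
          # execution: `task` runs whatever Taskfile.yml says, `go run` /
          # `go generate` / `go test` execute repository code, `git` honours
          # hooks, aliases and `-c` overrides, and Edit/Write can rewrite every
          # one of those inputs first. `mcp__github__*` is a wildcard over all
          # GitHub MCP tools. The trigger gate and the token scopes above are
          # the real boundary; keep this list as a blast-radius limiter and
          # tighten it where the workflow allows.
          # NOTE(review): v1 of the action moved tool selection to
          # `claude_args: "--allowedTools ..."`; confirm the pinned SHA still
          # honours `allowed_tools`, otherwise this restriction is silently
          # ignored.
          allowed_tools: "Read,Edit,Write,Glob,Grep,Bash(task *),Bash(go *),Bash(git *),Bash(helm-docs *),mcp__github__*"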