fix: pin Claude PR review action to immutable SHA#90
Merged
Conversation
Pin the third-party Claude action to the current v1 commit (428971d, the commit v1 currently resolves to) instead of the floating @v1 tag, and remove the unused id-token: write permission from the workflow. Add regression tests so the workflow cannot drift back to a floating action tag or id-token write access. Ports a fix originally written on the pre-rename entraclaw fork (never upstreamed) and refreshes the pinned SHA to current v1.
brandwe
added a commit
that referenced
this pull request
Jun 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
anthropics/claude-code-actionfrom the floating@v1tag to the immutable commit SHA428971d2ecd6e3a7cb0ee0da2a3a8b33fdb3678d(the commitv1currently resolves to)id-token: writepermission from theclaude-pr-review.ymlworkflowtests/test_workflows_security.pyregression tests so the workflow cannot drift back to a floating tag or regainid-token: writeWhy
A floating action tag (
@v1) is mutable — the upstream maintainer (or anyone who compromises the tag) can repoint it at arbitrary code that then runs in this repo's CI withcontents: write,pull-requests: write, andissues: write. Pinning to a full commit SHA makes the referenced code immutable (supply-chain hardening, per GitHub's hardening guidance). Theid-token: writepermission was unused by this job and is dropped to minimize the workflow's privilege.Provenance
This ports a fix originally written on the retired pre-rename
entraclawrepo that was never upstreamed. The pinned SHA was refreshed from the original (stale) pin to the commitv1resolves to today.Validation
uv run --python 3.12 --extra dev python -m pytest tests/test_workflows_security.py -v— 2 passeduv run --python 3.12 --extra dev ruff check tests/test_workflows_security.py— cleanuv run --python 3.12 --extra dev ruff format --check tests/test_workflows_security.py— clean