Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions .github/workflows/claude-pr-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@ jobs:
contents: write
pull-requests: write
issues: write
id-token: write
steps:
- name: Check out PR head commit
uses: actions/checkout@v4
Expand All @@ -22,7 +21,7 @@ jobs:
fetch-depth: 0

- name: Run Claude on the review feedback
uses: anthropics/claude-code-action@v1
uses: anthropics/claude-code-action@428971d2ecd6e3a7cb0ee0da2a3a8b33fdb3678d # v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Expand Down
22 changes: 22 additions & 0 deletions tests/test_workflows_security.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
"""Security regression tests for GitHub Actions workflows."""

from __future__ import annotations

import re
from pathlib import Path

WORKFLOW = Path(".github/workflows/claude-pr-review.yml")


def test_claude_pr_review_uses_immutable_action_pin() -> None:
workflow = WORKFLOW.read_text()

match = re.search(r"uses:\s*anthropics/claude-code-action@([0-9a-f]{40})\b", workflow)

assert match is not None


def test_claude_pr_review_does_not_request_oidc_token() -> None:
workflow = WORKFLOW.read_text()

assert not re.search(r"^\s*id-token:\s*write\s*$", workflow, re.MULTILINE)
Loading