Update Claude Code Review workflow to include checkout #1247
sbryngelson merged 1 commit into MFlowCode:master from
Pull request overview
This PR modifies the Claude Code Review GitHub Actions workflow to add a checkout step for the PR head, removing an explicit security warning comment that previously stated "IMPORTANT: no checkout for pull_request_target (fork-safe)". The change also removes some workaround comments about the GitHub App token exchange and CI results.
Changes:
- Adds checkout step to pull_request_target workflow, checking out untrusted PR code with access to repository secrets
- Removes security warning comment about not using checkout with pull_request_target
- Removes explanatory comments about workarounds and optional features
| - name: Checkout PR head (fork) | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| fetch-depth: 1 | ||
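Review bot: the `with:` block of the added checkout step sets only `ref` and `fetch-depth`, so `actions/checkout@v4` keeps its default of persisting the job token in the checked-out repository's git config. Because the tree checked out here is the PR head, add `persist-credentials: false` under `with:`. The action is also referenced by the mutable tag `@v4`; pinning it to a full commit SHA would fix exactly which checkout code runs in this job.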
This change introduces a critical security vulnerability. The workflow uses pull_request_target which runs in the context of the base repository with access to secrets (like CLAUDE_CODE_OAUTH_TOKEN), but now checks out untrusted code from the PR head (potentially from a fork).
The original comment "# IMPORTANT: no checkout for pull_request_target (fork-safe)" was removed, which explicitly warned against this exact security issue. An attacker could create a malicious PR that:
- Checks out their malicious code into the workflow runner
- Executes arbitrary code with access to repository secrets
- Compromises the repository or exfiltrates secrets
The pull_request_target event is designed to run workflows from the base branch to prevent untrusted code execution. If the claude-code-action needs access to the PR code, it should either:
- Use the `pull_request` event instead (which doesn't have write permissions or access to secrets from forks)
- Fetch the PR code through the GitHub API without checking it out
- Use a two-job approach where one job with `pull_request_target` handles secrets and another with `pull_request` handles code
Please revert this change and consult with the claude-code-action maintainers about the correct way to provide PR context without compromising security.
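A pre-merge check for the pattern the review comments describe, written as an added example (not part of the PR or of any reviewer's tooling): it flags `actions/checkout` steps that fetch the PR head in a workflow triggered by `pull_request_target`, unless the step carries the same-repository guard quoted on this page. It is a text heuristic rather than a YAML parser, and the `on:`/`jobs:` wrapper in the sample is constructed; only the step lines come from the PR.

```python
import re

# Expressions that resolve to the PR author's commit or branch.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)\b|github\.head_ref\b")
# Same-repository guard quoted in the review comments.
FORK_GUARD = re.compile(r"github\.event\.pull_request\.head\.repo\.full_name\s*==\s*github\.repository")

def split_items(lines):
    """Group lines into YAML list items: a "- " line plus its deeper-indented lines."""
    items, current, indent = [], None, 0
    for line in lines:
        m = re.match(r"^(\s*)- ", line)
        if m and (current is None or len(m.group(1)) <= indent):
            current, indent = [line], len(m.group(1))
            items.append(current)
        elif current is not None and len(line) - len(line.lstrip()) > indent:
            current.append(line)
        elif line.strip():
            current = None
    return ["\n".join(item) for item in items]

def audit(workflow_text):
    """Return names of unguarded PR-head checkout steps under pull_request_target."""
    # Comments are dropped first so a trigger named only in a comment is not counted.
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in workflow_text.splitlines()]
    if not re.search(r"\bpull_request_target\b", "\n".join(lines)):
        return []
    findings = []
    for item in split_items(lines):
        if "actions/checkout@" in item and HEAD_REF.search(item) and not FORK_GUARD.search(item):
            name = re.search(r"\bname:\s*(.+)", item)
            findings.append(name.group(1).strip() if name else "(unnamed step)")
    return findings

# Constructed samples: the wrapper is assumed; GUARDED adds the non-fork condition.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR head (fork)
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 1
"""
GUARDED = VULNERABLE.replace("(fork)\n", "(non-fork only)\n        if: "
    "github.event.pull_request.head.repo.full_name == github.repository\n")
```

The guard only establishes that the branch lives in the base repository, so a passing result still means the job trusts everyone with push access to it.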
| - name: Checkout PR head (fork) | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 1 | |
| # IMPORTANT: no checkout for pull_request_target (fork-safe) |
1 issue found across 1 file
Confidence score: 2/5
- There is a high-risk security concern: `.github/workflows/claude-code-review.yml` uses `pull_request_target` with untrusted fork code, which can expose base-repo secrets to prompt injection or malicious changes.
- This is likely to be user-impacting and security-sensitive, so the merge risk is high until the workflow is hardened or the trigger changed.
- Pay close attention to `.github/workflows/claude-code-review.yml` - `pull_request_target` with secrets and write permissions can be exploited by forked PRs.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/claude-code-review.yml">
<violation number="1" location=".github/workflows/claude-code-review.yml:18">
P0: **Security: Checking out untrusted fork code in a `pull_request_target` workflow exposes secrets to prompt injection attacks.**
The `pull_request_target` trigger runs with the base repo's secrets and write permissions. By checking out the fork's HEAD, untrusted code (including potential `CLAUDE.md` prompt injection files) becomes available to `claude-code-action`, which is an AI agent capable of executing shell commands and reading files. A malicious PR could craft prompt injections that exfiltrate `CLAUDE_CODE_OAUTH_TOKEN` or abuse the `github.token`'s write access.
The previous workflow deliberately avoided checkout with the comment *"IMPORTANT: no checkout for pull_request_target (fork-safe)"*. This security measure should not be removed. If checkout is needed for the action to function, consider restricting to non-fork PRs:
```yaml
- name: Checkout PR head (non-fork only)
  if: github.event.pull_request.head.repo.full_name == github.repository
  uses: actions/checkout@v4
  with:
    ref: ${{ github.event.pull_request.head.sha }}
    fetch-depth: 1
```
</violation>
</file>
| - name: Checkout PR head (fork) | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| fetch-depth: 1 |
P0: Security: Checking out untrusted fork code in a pull_request_target workflow exposes secrets to prompt injection attacks.
The pull_request_target trigger runs with the base repo's secrets and write permissions. By checking out the fork's HEAD, untrusted code (including potential CLAUDE.md prompt injection files) becomes available to claude-code-action, which is an AI agent capable of executing shell commands and reading files. A malicious PR could craft prompt injections that exfiltrate CLAUDE_CODE_OAUTH_TOKEN or abuse the github.token's write access.
The previous workflow deliberately avoided checkout with the comment "IMPORTANT: no checkout for pull_request_target (fork-safe)". This security measure should not be removed. If checkout is needed for the action to function, consider restricting to non-fork PRs:
```yaml
- name: Checkout PR head (non-fork only)
  if: github.event.pull_request.head.repo.full_name == github.repository
  uses: actions/checkout@v4
  with:
    ref: ${{ github.event.pull_request.head.sha }}
    fetch-depth: 1
```
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 18:
<file context>
@@ -15,20 +15,21 @@ jobs:
steps:
- # IMPORTANT: no checkout for pull_request_target (fork-safe)
+ - name: Checkout PR head (fork)
+ uses: actions/checkout@v4
+ with:
</file context>
| - name: Checkout PR head (fork) | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 1 | |
| - name: Checkout PR head (non-fork only) | |
| if: github.event.pull_request.head.repo.full_name == github.repository | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 1 |
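Review bot: the `if:` condition in the suggested step is scoped to the checkout alone, so on a fork PR the step is skipped and every later step in the job still runs, only without a working tree. Either confirm the steps that follow tolerate an empty workspace, or move the same `head.repo.full_name == github.repository` condition to the job so fork PRs skip the whole job. The comparison also treats any branch pushed to the base repository as trusted, which is worth stating in a comment next to the guard.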
CodeAnt-AI Description
Allow Claude Code Review to checkout PR head and access repository files
What Changed
Impact
✅ Claude can read PR files
✅ Reviews run against the latest PR commit
✅ Reviews include CI context and repository contents