11 changes: 6 additions & 5 deletions .github/workflows/claude-code-review.yml
Expand Up @@ -15,20 +15,21 @@ jobs:
id-token: write

steps:
# IMPORTANT: no checkout for pull_request_target (fork-safe)
- name: Checkout PR head (fork)
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 1
Comment on lines +18 to +22
Contributor
**P0: Security: Checking out untrusted fork code in a `pull_request_target` workflow exposes secrets to prompt injection attacks.**

The pull_request_target trigger runs with the base repo's secrets and write permissions. By checking out the fork's HEAD, untrusted code (including potential CLAUDE.md prompt injection files) becomes available to claude-code-action, which is an AI agent capable of executing shell commands and reading files. A malicious PR could craft prompt injections that exfiltrate CLAUDE_CODE_OAUTH_TOKEN or abuse the github.token's write access.

The previous workflow deliberately avoided checkout with the comment "IMPORTANT: no checkout for pull_request_target (fork-safe)". This security measure should not be removed. If checkout is needed for the action to function, consider restricting to non-fork PRs:

```yaml
- name: Checkout PR head (non-fork only)
  if: github.event.pull_request.head.repo.full_name == github.repository
  uses: actions/checkout@v4
  with:
    ref: ${{ github.event.pull_request.head.sha }}
    fetch-depth: 1
```
Comment on lines +18 to +23
Copilot AI Feb 22, 2026

This change introduces a critical security vulnerability. The workflow uses `pull_request_target`, which runs in the context of the base repository with access to secrets (like `CLAUDE_CODE_OAUTH_TOKEN`), but now checks out untrusted code from the PR head (potentially from a fork).

The original comment `# IMPORTANT: no checkout for pull_request_target (fork-safe)` was removed, which explicitly warned against this exact security issue. An attacker could create a malicious PR that:

  1. Checks out their malicious code into the workflow runner
  2. Executes arbitrary code with access to repository secrets
  3. Compromises the repository or exfiltrates secrets

The `pull_request_target` event is designed to run workflows from the base branch to prevent untrusted code execution. If the `claude-code-action` needs access to the PR code, it should either:

  • Use the `pull_request` event instead (which doesn't have write permissions or access to secrets from forks)
  • Fetch the PR code through the GitHub API without checking it out
  • Use a two-job approach where one job with `pull_request_target` handles secrets and another with `pull_request` handles code

Please revert this change and consult with the `claude-code-action` maintainers about the correct way to provide PR context without compromising security.

Suggested change:

```diff
-      - name: Checkout PR head (fork)
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 1
+      # IMPORTANT: no checkout for pull_request_target (fork-safe)
```
- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# Workaround: bypass Anthropic OIDC->GitHub App token exchange
github_token: ${{ github.token }}

plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'

# Optional: lets Claude read CI results
additional_permissions: |
actions: read
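Review bot: the `Checkout PR head (fork)` step at the top of this hunk runs under `pull_request_target` with `id-token: write` visible in the job permissions, and the same job passes `github.token` into `claude-code-action` via `github_token` together with `CLAUDE_CODE_OAUTH_TOKEN`, so the agent now reads files from an unreviewed fork commit (`github.event.pull_request.head.sha`) while holding a write-capable token; the checkout step (or the whole job) needs a guard such as `if: github.event.pull_request.head.repo.full_name == github.repository`, or the checkout should be dropped and the removed `# IMPORTANT: no checkout for pull_request_target (fork-safe)` comment restored. If a checkout must stay, also set `persist-credentials: false` under `with:` so the token is not written into the checked-out tree's `.git/config` where the agent can read it, and document in the `# Workaround: bypass Anthropic OIDC->GitHub App token exchange` comment why the separate app-token boundary is being bypassed and which permissions the review actually needs, since the hunk only shows `actions: read` being added on top of the job token.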