chore: release main #10
```yaml
name: Non-write Users Check
on:
  pull_request:
    paths:
      - ".github/**"
permissions:
  contents: read
  pull-requests: write
jobs:
  allowed-non-write-check:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - run: |
          # Fetch the PR diff; an empty diff simply makes the checks below fall through.
          DIFF=$(gh pr diff "$PR_NUMBER" -R "$REPO" || true)
          # Only PRs that touch a YAML file under .github/ are of interest.
          if ! echo "$DIFF" | grep -qE '^diff --git a/\.github/.*\.ya?ml'; then
            exit 0
          fi
          # Look for added lines that introduce or change allowed_non_write_users.
          MATCHES=$(echo "$DIFF" | grep "^+.*allowed_non_write_users" || true)
          if [ -z "$MATCHES" ]; then
            exit 0
          fi
          # Post the warning once per PR: the HTML marker identifies our own comment.
          EXISTING=$(gh pr view "$PR_NUMBER" -R "$REPO" --json comments --jq '.comments[].body' \
            | grep -c "<!-- non-write-users-check -->" || true)
          if [ "$EXISTING" -gt 0 ]; then
            exit 0
          fi
          gh pr comment "$PR_NUMBER" -R "$REPO" --body '<!-- non-write-users-check -->
          **`allowed_non_write_users` detected**

          This PR adds or modifies `allowed_non_write_users`, which allows users without write access to trigger Claude Code Action workflows. This can introduce security risks.

          If this is a new flow, please make sure you actually need `allowed_non_write_users`. If you are editing an existing workflow, double check that you are not adding new Claude permissions which might lead to a vulnerability.

          See existing workflows in this repo for safe usage examples, or contact the AppSec team.'
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
```
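The workflow above flags any added line containing `allowed_non_write_users` as soon as the PR touches some YAML file under `.github/`, so a mention added to a README in the same PR would also trigger the comment, and a removal of the setting is never distinguished from an addition beyond the leading `+`. The following is an added example, not part of the workflow file or of this repository: a stricter variant of the same check that walks the unified diff file by file and only reports added lines that sit inside a `.github/**/*.ya?ml` file. The sample diff and the workflow path `.github/workflows/claude.yml` in it are constructed for the demonstration.

```shell
# Added example, not the repository's own workflow code.
# flag_non_write_users reads a unified diff on stdin, tracks which file each
# hunk belongs to, and prints "file: line" for every added line that introduces
# allowed_non_write_users inside a YAML file under .github/. It returns 0 when
# at least one line was flagged and 1 otherwise, so it can drive an `if`.
flag_non_write_users() {
  awk '
    /^diff --git / {
      # "diff --git a/path b/path": take the b/ side and decide whether the
      # file is a workflow-style YAML file under .github/
      file = $4; sub(/^b\//, "", file)
      in_workflow = (file ~ /^\.github\/.*\.ya?ml$/)
      next
    }
    /^\+\+\+ / { next }                      # new-file header, not an added line
    in_workflow && /^\+.*allowed_non_write_users/ {
      line = substr($0, 2); sub(/^[ \t]+/, "", line)
      print file ": " line; found = 1
    }
    END { exit found ? 0 : 1 }
  '
}

# Constructed sample diff: the setting is added inside a workflow file and the
# same string is also added to a README. Only the workflow hit must be reported.
SAMPLE_DIFF='diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -10,3 +10,4 @@
         with:
+          allowed_non_write_users: "octocat"
           anthropic_api_key: ${{ secrets.KEY }}
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Project
+Set allowed_non_write_users only when you have to.'

# Constructed sample diff that only removes the setting: nothing to flag.
REMOVAL_DIFF='diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -10,4 +10,3 @@
         with:
-          allowed_non_write_users: "octocat"
           anthropic_api_key: ${{ secrets.KEY }}'

# Helpers that feed the constructed diffs through the check.
run_sample()  { printf '%s\n' "$SAMPLE_DIFF"  | flag_non_write_users; }
run_removal() { printf '%s\n' "$REMOVAL_DIFF" | flag_non_write_users; }

# Stand-alone usage: print the hits from the first sample, then show how the
# exit status would gate a `gh pr comment` call.
run_sample
if run_removal; then
  echo "removal diff: flagged (unexpected)"
else
  echo "removal diff: nothing flagged"
fi
```

In the workflow this would replace the two `grep` calls: `gh pr diff "$PR_NUMBER" -R "$REPO" | flag_non_write_users` succeeds exactly when a comment is warranted, and its output can be included in the comment body so reviewers see which file and line introduced the setting.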