Move network restrictions to actions.yml + show custom domains in the examples folder

This commit is contained in:
km-anthropic
2025-07-14 12:53:57 -07:00
parent b938e69075
commit 1eab4a208c
2 changed files with 80 additions and 59 deletions


@@ -96,6 +96,14 @@ inputs:
description: "Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands"
required: false
default: "false"
enable_network_restrictions:
description: "Enable network restrictions to limit Claude's internet access to approved domains"
required: false
default: "false"
allowed_domains:
description: "Additional domains to allow when network restrictions are enabled (newline-separated)"
required: false
default: ""
outputs:
execution_file:
@@ -142,6 +150,68 @@ runs:
ADDITIONAL_PERMISSIONS: ${{ inputs.additional_permissions }}
USE_COMMIT_SIGNING: ${{ inputs.use_commit_signing }}
- name: Setup Network Restrictions
if: steps.prepare.outputs.contains_trigger == 'true' && inputs.enable_network_restrictions == 'true'
shell: bash
run: |
# Install and configure Squid proxy
sudo apt-get update && sudo apt-get install -y squid
# Create whitelist for allowed domains
cat > /tmp/whitelist.txt << 'EOF'
# Core domains (always needed)
.anthropic.com
.github.com
.githubusercontent.com
ghcr.io
.blob.core.windows.net
EOF
# Auto-detect and add provider-specific domains
if [[ "${{ inputs.use_bedrock }}" == "true" ]]; then
echo "# AWS Bedrock domains" >> /tmp/whitelist.txt
echo "bedrock.*.amazonaws.com" >> /tmp/whitelist.txt
echo "bedrock-runtime.*.amazonaws.com" >> /tmp/whitelist.txt
fi
if [[ "${{ inputs.use_vertex }}" == "true" ]]; then
echo "# Google Vertex AI domains" >> /tmp/whitelist.txt
echo "*.googleapis.com" >> /tmp/whitelist.txt
echo "vertexai.googleapis.com" >> /tmp/whitelist.txt
fi
# Add any custom domains provided by user
if [[ -n "${{ inputs.allowed_domains }}" ]]; then
echo "# User-provided custom domains" >> /tmp/whitelist.txt
echo "${{ inputs.allowed_domains }}" >> /tmp/whitelist.txt
fi
# Configure Squid
sudo tee /etc/squid/squid.conf << 'EOF'
http_port 127.0.0.1:3128
acl whitelist dstdomain "/tmp/whitelist.txt"
acl localhost src 127.0.0.1/32
http_access allow localhost whitelist
http_access deny all
cache deny all
EOF
# Stop any existing squid instance and start with our config
sudo squid -k shutdown || true
sleep 2
sudo rm -f /run/squid.pid
sudo squid -N -d 1 &
sleep 5
# Set proxy environment variables
echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
# Bypass proxy for package registries to avoid integrity check issues
echo "NO_PROXY=localhost,127.0.0.1,registry.npmjs.org,registry.yarnpkg.com" >> $GITHUB_ENV
echo "no_proxy=localhost,127.0.0.1,registry.npmjs.org,registry.yarnpkg.com" >> $GITHUB_ENV
- name: Run Claude Code
id: claude-code
if: steps.prepare.outputs.contains_trigger == 'true'
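Review bot: `inputs.allowed_domains` is expanded straight into the shell script at `echo "${{ inputs.allowed_domains }}" >> /tmp/whitelist.txt`, so any shell metacharacters in the input are interpreted by bash instead of being written to the whitelist; the `[[ "${{ inputs.use_bedrock }}" == "true" ]]` and `use_vertex` tests have the same shape. Route the value through the step environment instead: add `env:` / `  ALLOWED_DOMAINS: ${{ inputs.allowed_domains }}` to the step and write it with `printf '%s\n' "$ALLOWED_DOMAINS" >> /tmp/whitelist.txt`. The `enable_network_restrictions` description should also say what this actually is: an allow-list enforced by a local proxy that only applies to clients honoring `http_proxy`/`https_proxy`, with the `NO_PROXY` lines exempting the npm registries entirely, rather than a hard egress boundary. Squid's `dstdomain` ACL matches exact names or a leading-dot suffix; as far as I can tell the `*` in `*.googleapis.com` and the mid-label wildcard in `bedrock.*.amazonaws.com` / `bedrock-runtime.*.amazonaws.com` are not expanded, so those entries likely need a `dstdom_regex` ACL or a rewrite — worth verifying against the Squid version apt installs.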


@@ -29,65 +29,6 @@ jobs:
with:
fetch-depth: 1
- name: Setup Network Restrictions
if: ${{ vars.ENABLE_NETWORK_RESTRICTIONS == 'true' }}
run: |
# Install and configure Squid proxy
sudo apt-get update && sudo apt-get install -y squid
# Create whitelist for allowed domains
cat > /tmp/whitelist.txt << 'EOF'
# Provider APIs - Choose one:
# Anthropic (1P)
.anthropic.com
# AWS Bedrock:
# bedrock.*.amazonaws.com
# bedrock-runtime.*.amazonaws.com
# Google Vertex AI:
# *.googleapis.com
# vertexai.googleapis.com
# GitHub (required for all setups)
.github.com
.githubusercontent.com
ghcr.io
# Azure storage for GitHub Actions cache
.blob.core.windows.net
# Additional custom domains (newline-separated)
# Set via CUSTOM_ALLOWED_DOMAINS repository variable
${{ vars.CUSTOM_ALLOWED_DOMAINS || '' }}
EOF
# Configure Squid
sudo tee /etc/squid/squid.conf << 'EOF'
http_port 127.0.0.1:3128
acl whitelist dstdomain "/tmp/whitelist.txt"
acl localhost src 127.0.0.1/32
http_access allow localhost whitelist
http_access deny all
cache deny all
EOF
# Stop any existing squid instance and start with our config
sudo squid -k shutdown || true
sleep 2
sudo rm -f /run/squid.pid
sudo squid -N -d 1 &
sleep 5
# Set proxy environment variables
echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
# Bypass proxy for package registries to avoid integrity check issues
echo "NO_PROXY=localhost,127.0.0.1,registry.npmjs.org,registry.yarnpkg.com" >> $GITHUB_ENV
echo "no_proxy=localhost,127.0.0.1,registry.npmjs.org,registry.yarnpkg.com" >> $GITHUB_ENV
- name: Run Claude PR Action
uses: anthropics/claude-code-action@beta
with:
@@ -95,3 +36,13 @@ jobs:
# Or use OAuth token instead:
# claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
timeout_minutes: "60"
# Optional: Enable network restrictions
# This limits Claude's internet access to approved domains only
# enable_network_restrictions: true
# Optional: Add custom domains (when network restrictions are enabled)
# These are in addition to core domains and auto-detected provider domains
# allowed_domains: |
# api.mycompany.com
# internal-service.example.com
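Review bot: The example stops reading `vars.ENABLE_NETWORK_RESTRICTIONS` and `vars.CUSTOM_ALLOWED_DOMAINS` (the deleted `Setup Network Restrictions` step in the first hunk was their only consumer), but nothing in the new block tells a repository that set those variables that the restriction is now off until `enable_network_restrictions: true` is passed to the action. A comment next to the new options would make the migration explicit, e.g. `# Note: the ENABLE_NETWORK_RESTRICTIONS / CUSTOM_ALLOWED_DOMAINS repository variables are no longer read; use the inputs below instead`. The surrounding `with:` mapping starts outside this hunk.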