Remove unnecessary network restrictions test and update readme + action.yml with no default domains and respective instructions in the readme

km-anthropic
2025-07-14 14:47:07 -07:00
parent c61f7b0167
commit 2877ea975e
3 changed files with 29 additions and 68 deletions


@@ -500,22 +500,41 @@ For enhanced security, you can restrict Claude's network access to specific doma
- Preventing access to external services
- Limiting Claude to only your internal APIs and services
When `allowed_domains` is set, Claude can only access:
When `allowed_domains` is set, Claude can only access the domains you explicitly list. You'll need to include the appropriate provider domains based on your authentication method.
1. The domains you explicitly list
2. Auto-detected provider domains (based on your authentication method)
#### Provider-Specific Examples
#### Basic Example
##### If using Anthropic API or subscription
```yaml
- uses: anthropics/claude-code-action@beta
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
# Or: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
allowed_domains: |
.github.com
.githubusercontent.com
ghcr.io
.blob.core.windows.net
.anthropic.com
```
##### If using AWS Bedrock
```yaml
- uses: anthropics/claude-code-action@beta
with:
use_bedrock: "true"
allowed_domains: |
bedrock.*.amazonaws.com
bedrock-runtime.*.amazonaws.com
```
##### If using Google Vertex AI
```yaml
- uses: anthropics/claude-code-action@beta
with:
use_vertex: "true"
allowed_domains: |
*.googleapis.com
vertexai.googleapis.com
```
#### GitHub Enterprise Example


@@ -153,26 +153,12 @@ runs:
# Install and configure Squid proxy
sudo apt-get update && sudo apt-get install -y squid
echo "${{ inputs.allowed_domains }}" > /tmp/whitelist.txt
if [[ -n "${{ inputs.anthropic_api_key }}" ]]; then
echo ".anthropic.com" >> /tmp/whitelist.txt
fi
if [[ "${{ inputs.use_bedrock }}" == "true" ]]; then
echo "bedrock.*.amazonaws.com" >> /tmp/whitelist.txt
echo "bedrock-runtime.*.amazonaws.com" >> /tmp/whitelist.txt
fi
if [[ "${{ inputs.use_vertex }}" == "true" ]]; then
echo "*.googleapis.com" >> /tmp/whitelist.txt
echo "vertexai.googleapis.com" >> /tmp/whitelist.txt
fi
echo "${{ inputs.allowed_domains }}" > $RUNNER_TEMP/whitelist.txt
# Configure Squid
sudo tee /etc/squid/squid.conf << 'EOF'
http_port 127.0.0.1:3128
acl whitelist dstdomain "/tmp/whitelist.txt"
acl whitelist dstdomain "$RUNNER_TEMP/whitelist.txt"
acl localhost src 127.0.0.1/32
http_access allow localhost whitelist
http_access deny all
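Review bot: The `acl whitelist dstdomain "$RUNNER_TEMP/whitelist.txt"` line sits inside a heredoc opened with a quoted delimiter (`<< 'EOF'`), so the shell writes the literal text `$RUNNER_TEMP` into squid.conf rather than the runner's temp path. Assuming this is the new-side line (the +/- markers are lost on this page), the ACL then names a file that does not exist, and I would not rely on Squid expanding the variable itself, so the allowlist is unlikely to load as intended. Either keep a fixed path for the ACL file, or open the heredoc with `<< EOF` after checking the rest of its body, which continues past the end of this hunk, for other `$` characters. Separately, `echo "${{ inputs.allowed_domains }}" > $RUNNER_TEMP/whitelist.txt` pastes the input into the script text and leaves the target path unquoted. Passing the input through the step's `env:` (`ALLOWED_DOMAINS: ${{ inputs.allowed_domains }}`) and writing `echo "$ALLOWED_DOMAINS" > "$RUNNER_TEMP/whitelist.txt"` keeps quotes or `$(...)` in the value from being parsed as shell.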


@@ -1,44 +0,0 @@
import { describe, test, expect } from "bun:test";
describe("Network Restrictions", () => {
test("should block access to unauthorized domains", async () => {
const url = "https://example.com/api/data";
try {
const controller = new AbortController();
const timeoutId = setTimeout(() => controller.abort(), 5000);
const response = await fetch(url, {
signal: controller.signal,
});
clearTimeout(timeoutId);
expect(response.ok).toBe(false);
throw new Error(`Unauthorized domain ${url} was not blocked by proxy`);
} catch (error) {
expect(error).toBeDefined();
console.log(`Successfully blocked: ${url}`);
}
});
test("should allow access to whitelisted domains", async () => {
const url = "https://api.github.com/zen";
try {
const controller = new AbortController();
const timeoutId = setTimeout(() => controller.abort(), 5000);
const response = await fetch(url, {
signal: controller.signal,
});
clearTimeout(timeoutId);
expect(response.ok).toBe(true);
console.log(`Successfully allowed: ${url}`);
} catch (error: any) {
throw new Error(
`Whitelisted domain ${url} was blocked: ${error.message}`,
);
}
});
});