feat: add allowed_non_write_users input to bypass permission checks (#550)

* chore: bump Claude Code version to 1.0.108 * triage fix --------- Co-authored-by: GitHub Actions <actions@github.com>
2026-01-22 22:44:13 +08:00 · 2025-09-07 14:20:02 -07:00
parent 1a8e7d330a
commit 69dec299f8
12 changed files with 261 additions and 162 deletions
--- a/src/entrypoints/prepare.ts
+++ b/src/entrypoints/prepare.ts
@@ -30,9 +30,13 @@ async function run() {

    // Step 3: Check write permissions (only for entity contexts)
    if (isEntityContext(context)) {
+      // Check if github_token was provided as input (not from app)
+      const githubTokenProvided = !!process.env.OVERRIDE_GITHUB_TOKEN;
      const hasWritePermissions = await checkWritePermissions(
        octokit.rest,
        context,
+        context.inputs.allowedNonWriteUsers,
+        githubTokenProvided,
      );
      if (!hasWritePermissions) {
        throw new Error(
--- a/src/github/context.ts
+++ b/src/github/context.ts
@@ -93,6 +93,7 @@ type BaseContext = {
    botId: string;
    botName: string;
    allowedBots: string;
+    allowedNonWriteUsers: string;
    trackProgress: boolean;
  };
 };
@@ -147,6 +148,7 @@ export function parseGitHubContext(): GitHubContext {
      botId: process.env.BOT_ID ?? String(CLAUDE_APP_BOT_ID),
      botName: process.env.BOT_NAME ?? CLAUDE_BOT_LOGIN,
      allowedBots: process.env.ALLOWED_BOTS ?? "",
+      allowedNonWriteUsers: process.env.ALLOWED_NON_WRITE_USERS ?? "",
      trackProgress: process.env.TRACK_PROGRESS === "true",
    },
  };
--- a/src/github/validation/permissions.ts
+++ b/src/github/validation/permissions.ts
@@ -6,17 +6,43 @@ import type { Octokit } from "@octokit/rest";
 * Check if the actor has write permissions to the repository
 * @param octokit - The Octokit REST client
 * @param context - The GitHub context
+ * @param allowedNonWriteUsers - Comma-separated list of users allowed without write permissions, or '*' for all
+ * @param githubTokenProvided - Whether github_token was provided as input (not from app)
 * @returns true if the actor has write permissions, false otherwise
 */
 export async function checkWritePermissions(
  octokit: Octokit,
  context: ParsedGitHubContext,
+  allowedNonWriteUsers?: string,
+  githubTokenProvided?: boolean,
 ): Promise<boolean> {
  const { repository, actor } = context;

  try {
    core.info(`Checking permissions for actor: ${actor}`);

+    // Check if we should bypass permission checks for this user
+    if (allowedNonWriteUsers && githubTokenProvided) {
+      const allowedUsers = allowedNonWriteUsers.trim();
+      if (allowedUsers === "*") {
+        core.warning(
+          `⚠️ SECURITY WARNING: Bypassing write permission check for ${actor} due to allowed_non_write_users='*'. This should only be used for workflows with very limited permissions.`,
+        );
+        return true;
+      } else if (allowedUsers) {
+        const allowedUserList = allowedUsers
+          .split(",")
+          .map((u) => u.trim())
+          .filter((u) => u.length > 0);
+        if (allowedUserList.includes(actor)) {
+          core.warning(
+            `⚠️ SECURITY WARNING: Bypassing write permission check for ${actor} due to allowed_non_write_users configuration. This should only be used for workflows with very limited permissions.`,
+          );
+          return true;
+        }
+      }
+    }
+
    // Check if the actor is a GitHub App (bot user)
    if (actor.endsWith("[bot]")) {
      core.info(`Actor is a GitHub App: ${actor}`);