anthropics/claude-code-action
1
0
Fork 0
mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-22 22:44:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: add allowed_non_write_users input to bypass permission checks (#550)

Browse Source 
* chore: bump Claude Code version to 1.0.108

* triage fix

---------

Co-authored-by: GitHub Actions <actions@github.com>
This commit is contained in:
Ashwin Bhat
2025-09-07 14:20:02 -07:00
committed by GitHub
parent 1a8e7d330a
commit 69dec299f8
12 changed files with 261 additions and 162 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/github/validation/permissions.ts
View File

@@ -6,17 +6,43 @@ import type { Octokit } from "@octokit/rest";
* Check if the actor has write permissions to the repository
* @param octokit - The Octokit REST client
* @param context - The GitHub context
* @param allowedNonWriteUsers - Comma-separated list of users allowed without write permissions, or '*' for all
* @param githubTokenProvided - Whether github_token was provided as input (not from app)
* @returns true if the actor has write permissions, false otherwise
*/
export async function checkWritePermissions(
octokit: Octokit,
context: ParsedGitHubContext,
allowedNonWriteUsers?: string,
githubTokenProvided?: boolean,
): Promise<boolean> {
const { repository, actor } = context;
try {
core.info(`Checking permissions for actor: ${actor}`);
// Check if we should bypass permission checks for this user
if (allowedNonWriteUsers && githubTokenProvided) {
const allowedUsers = allowedNonWriteUsers.trim();
if (allowedUsers === "*") {
core.warning(
`⚠️ SECURITY WARNING: Bypassing write permission check for ${actor} due to allowed_non_write_users='*'. This should only be used for workflows with very limited permissions.`,
);
return true;
} else if (allowedUsers) {
const allowedUserList = allowedUsers
.split(",")
.map((u) => u.trim())
.filter((u) => u.length > 0);
if (allowedUserList.includes(actor)) {
core.warning(
`⚠️ SECURITY WARNING: Bypassing write permission check for ${actor} due to allowed_non_write_users configuration. This should only be used for workflows with very limited permissions.`,
);
return true;
}
}
}
// Check if the actor is a GitHub App (bot user)
if (actor.endsWith("[bot]")) {
core.info(`Actor is a GitHub App: ${actor}`);