diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 35d9fe3d..42daf066 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -29,6 +29,61 @@ jobs:
 with:
 fetch-depth: 1
 
+
+ - name: Setup Network Restrictions
+ if: ${{ vars.DISABLE_NETWORK_RESTRICTIONS != 'true' }}
+ run: |
+ # Install and configure Squid proxy
+ sudo apt-get update && sudo apt-get install -y squid
+
+ # Create whitelist for allowed domains
+ cat > /tmp/whitelist.txt << 'EOF'
+ # Claude API
+ .anthropic.com
+
+ # GitHub (covers github.com, api.github.com, gist.github.com, etc.)
+ .github.com
+
+ # GitHub raw content and user uploads
+ .githubusercontent.com
+
+ # GitHub Container Registry
+ ghcr.io
+
+ # Package registries
+ registry.npmjs.org
+ bun.sh
+
+ # Azure storage for GitHub Actions cache
+ .blob.core.windows.net
+ EOF
+
+ # Configure Squid
+ sudo tee /etc/squid/squid.conf << 'EOF'
+ http_port 127.0.0.1:3128
+ acl whitelist dstdomain "/tmp/whitelist.txt"
+ acl localhost src 127.0.0.1/32
+ http_access allow localhost whitelist
+ http_access deny all
+ cache deny all
+ EOF
+
+ # Stop any existing squid instance and start with our config
+ sudo squid -k shutdown || true
+ sleep 2
+ sudo rm -f /run/squid.pid
+ sudo squid -N -d 1 &
+ sleep 5
+
+ # Set proxy environment variables
+ echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
+ echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
+ echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
+ echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
+ # Bypass proxy for package registries to avoid integrity check issues
+ echo "NO_PROXY=localhost,127.0.0.1,registry.npmjs.org,registry.yarnpkg.com" >> $GITHUB_ENV
+ echo "no_proxy=localhost,127.0.0.1,registry.npmjs.org,registry.yarnpkg.com" >> $GITHUB_ENV
+
 - name: Run Claude Code
 id: claude
 uses: anthropics/claude-code-action@beta
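Review bot: The restriction this step sets up is advisory rather than enforced: the only thing routing traffic through Squid is the `http_proxy`/`https_proxy` variables written to `$GITHUB_ENV`, so any process in a later step that ignores or clears them keeps direct egress, and nothing in the hunk filters outbound traffic at the host level. The `NO_PROXY`/`no_proxy` lines widen that gap, because `registry.npmjs.org` and `registry.yarnpkg.com` skip the proxy entirely and `registry.yarnpkg.com` is not on the allowlist at all. Squid only tunnels HTTPS via CONNECT in this config, so proxying should not alter package contents; consider `echo "NO_PROXY=localhost,127.0.0.1" >> "$GITHUB_ENV"` and the same for `no_proxy`. The allowlist entries `.blob.core.windows.net` and `.githubusercontent.com` cover multi-tenant hosting that anyone can publish to, so they are worth narrowing to the specific hosts the job needs, or at least marking with a comment stating the residual risk. The step also never confirms that Squid came up after `sleep 5`; a readiness check such as `sudo squid -k check` before exporting the variables would make a failed start visible instead of silent.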