claude-code-action

anthropics/claude-code-action

Fork 0

mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-22 22:44:13 +08:00

Commit Graph

Author	SHA1	Message	Date
Claude	0085208689	fix: require explicit acknowledgment for wildcard write permission bypass SECURITY FIX: Addresses authorization_bypass vulnerability (LOW severity) The allowed_non_write_users='' configuration previously bypassed write permission checks for all users with only a warning. This created a security misconfiguration risk. Changes: - Added new input 'bypass_write_permission_check_acknowledgment' required when using wildcard () - Modified checkWritePermissions() to throw error if wildcard used without explicit acknowledgment flag - Updated all documentation (security.md, usage.md) with new requirement - Updated example workflows to include acknowledgment flag - Added tests for new validation behavior This prevents accidental security misconfigurations while maintaining the feature for intentional use cases like issue triage workflows. Affected file: src/github/validation/permissions.ts:27 Category: authorization_bypass Severity: LOW	2026-01-13 23:29:39 +00:00
Ashwin Bhat	8335bda243	feat: integrate claude-code-base-action as local subaction (#285 ) * feat: integrate claude-code-base-action as local subaction - Copy claude-code-base-action into base-action/ directory - Update action.yml to reference ./base-action instead of external repo - Preserve complete base action structure for future refactoring This eliminates the external dependency while maintaining modularity. * feat: consolidate CI workflows and add version bump workflow - Move base-action test workflows to main .github/workflows/ - Update workflow references to use ./base-action - Add CI jobs for base-action (test, typecheck, prettier) - Add bump-claude-code-version workflow for base-action - Remove redundant .github directory from base-action This consolidates all CI workflows in one place while maintaining full test coverage for both the main action and base-action. * tsc * copy again * fix tests * fix: use absolute path for base-action reference Replace relative path ./base-action with ${{ github.action_path }}/base-action to ensure the action works correctly when used in other repositories. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: inline base-action execution to support usage in other repos Replace uses: ./base-action with direct shell execution since GitHub Actions doesn't support dynamic paths in composite actions. This ensures the action works correctly when used in other repositories. Changes: - Install Claude Code globally before execution - Run base-action's index.ts directly with bun - Pass all required INPUT_* environment variables - Maintain base-action for future separate publishing 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>	2025-07-18 13:52:56 -07:00

Author

SHA1

Message

Date

Claude

0085208689

fix: require explicit acknowledgment for wildcard write permission bypass

SECURITY FIX: Addresses authorization_bypass vulnerability (LOW severity)

The allowed_non_write_users='*' configuration previously bypassed write
permission checks for all users with only a warning. This created a
security misconfiguration risk.

Changes:
- Added new input 'bypass_write_permission_check_acknowledgment' required
  when using wildcard (*)
- Modified checkWritePermissions() to throw error if wildcard used without
  explicit acknowledgment flag
- Updated all documentation (security.md, usage.md) with new requirement
- Updated example workflows to include acknowledgment flag
- Added tests for new validation behavior

This prevents accidental security misconfigurations while maintaining the
feature for intentional use cases like issue triage workflows.

Affected file: src/github/validation/permissions.ts:27
Category: authorization_bypass
Severity: LOW

2026-01-13 23:29:39 +00:00

Ashwin Bhat

8335bda243

feat: integrate claude-code-base-action as local subaction (#285 )

* feat: integrate claude-code-base-action as local subaction

- Copy claude-code-base-action into base-action/ directory
- Update action.yml to reference ./base-action instead of external repo
- Preserve complete base action structure for future refactoring

This eliminates the external dependency while maintaining modularity.

* feat: consolidate CI workflows and add version bump workflow

- Move base-action test workflows to main .github/workflows/
- Update workflow references to use ./base-action
- Add CI jobs for base-action (test, typecheck, prettier)
- Add bump-claude-code-version workflow for base-action
- Remove redundant .github directory from base-action

This consolidates all CI workflows in one place while maintaining
full test coverage for both the main action and base-action.

* tsc

* copy again

* fix tests

* fix: use absolute path for base-action reference

Replace relative path ./base-action with ${{ github.action_path }}/base-action
to ensure the action works correctly when used in other repositories.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: inline base-action execution to support usage in other repos

Replace uses: ./base-action with direct shell execution since GitHub Actions
doesn't support dynamic paths in composite actions. This ensures the action
works correctly when used in other repositories.

Changes:
- Install Claude Code globally before execution
- Run base-action's index.ts directly with bun
- Pass all required INPUT_* environment variables
- Maintain base-action for future separate publishing

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

2025-07-18 13:52:56 -07:00

2 Commits