tmp

2026-01-23 23:14:13 +08:00 · 2025-07-15 15:51:39 -07:00
9 changed files with 47 additions and 194 deletions
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -26,7 +26,6 @@ jobs:
            - Potential bugs or issues
            - Suggestions for improvements
            - Overall architecture and design decisions
-            - Documentation consistency: Verify that README.md and other documentation files are updated to reflect any code changes (especially new inputs, features, or configuration options)

            Be constructive and specific in your feedback. Give inline comments where applicable.
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -31,14 +31,9 @@ jobs:

      - name: Run Claude Code
        id: claude
-        uses: ./
+        uses: anthropics/claude-code-action@beta
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          allowed_tools: "Bash(bun install),Bash(bun test:*),Bash(bun run format),Bash(bun typecheck)"
          custom_instructions: "You have also been granted tools for editing files and running bun commands (install, run, test, typecheck) for testing your changes: bun install, bun test, bun run format, bun typecheck."
          model: "claude-opus-4-20250514"
-          # Test network restrictions
-          allowed_domains: |
-            .anthropic.com
-            .github.com
-            .githubusercontent.com
--- a/README.md
+++ b/README.md
@@ -166,7 +166,7 @@ jobs:
 ## Inputs

 | Input                     | Description                                                                                                          | Required | Default   |
-| ------------------------------ | -------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
 | `anthropic_api_key`       | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                           | No\*     | -         |
 | `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key)                                                           | No\*     | -         |
 | `direct_prompt`           | Direct prompt for Claude to execute automatically without needing a trigger (for automated workflows)                | No       | -         |
@@ -191,8 +191,6 @@ jobs:
 | `claude_env`              | Custom environment variables to pass to Claude Code execution (YAML format)                                          | No       | ""        |
 | `settings`                | Claude Code settings as JSON string or path to settings JSON file                                                    | No       | ""        |
 | `additional_permissions`  | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                    | No       | ""        |
-| `experimental_allowed_domains` | Restrict network access to these domains only (newline-separated).                                                   | No       | ""        |
-| `use_commit_signing`           | Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands    | No       | `false`   |

 \*Required when using direct Anthropic API (default and when not using Bedrock or Vertex)

@@ -574,71 +572,6 @@ Use a specific Claude model:
    # ... other inputs
 ```

-### Network Restrictions
-
-For enhanced security, you can restrict Claude's network access to specific domains only. This feature is particularly useful for:
-
- Enterprise environments with strict security policies
- Preventing access to external services
- Limiting Claude to only your internal APIs and services
-
-When `experimental_allowed_domains` is set, Claude can only access the domains you explicitly list. You'll need to include the appropriate provider domains based on your authentication method.
-
-#### Provider-Specific Examples
-
-##### If using Anthropic API or subscription
-
-```yaml
- uses: anthropics/claude-code-action@beta
-  with:
-    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-    # Or: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-    experimental_allowed_domains: |
-      .anthropic.com
-```
-
-##### If using AWS Bedrock
-
-```yaml
- uses: anthropics/claude-code-action@beta
-  with:
-    use_bedrock: "true"
-    experimental_allowed_domains: |
-      bedrock.*.amazonaws.com
-      bedrock-runtime.*.amazonaws.com
-```
-
-##### If using Google Vertex AI
-
-```yaml
- uses: anthropics/claude-code-action@beta
-  with:
-    use_vertex: "true"
-    experimental_allowed_domains: |
-      *.googleapis.com
-      vertexai.googleapis.com
-```
-
-#### Common GitHub Domains
-
-In addition to your provider domains, you may need to include GitHub-related domains. For GitHub.com users, common domains include:
-
-```yaml
- uses: anthropics/claude-code-action@beta
-  with:
-    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-    experimental_allowed_domains: |
-      .anthropic.com  # For Anthropic API
-      .github.com
-      .githubusercontent.com
-      ghcr.io
-      .blob.core.windows.net
-```
-
-For GitHub Enterprise users, replace the GitHub.com domains above with your enterprise domains (e.g., `.github.company.com`, `packages.company.com`, etc.).
-
-To determine which domains your workflow needs, you can temporarily run without restrictions and monitor the network requests, or check your GitHub Enterprise configuration for the specific services you use.
-
 ### Claude Code Settings

 You can provide Claude Code settings to customize behavior such as model selection, environment variables, permissions, and hooks. Settings can be provided either as a JSON string or a path to a settings file.
--- a/action.yml
+++ b/action.yml
@@ -100,10 +100,6 @@ inputs:
    description: "Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands"
    required: false
    default: "false"
-  experimental_allowed_domains:
-    description: "Restrict network access to these domains only (newline-separated). If not set, no restrictions are applied. Provider domains are auto-detected."
-    required: false
-    default: ""

 outputs:
  execution_file:
@@ -150,38 +146,6 @@ runs:
        ADDITIONAL_PERMISSIONS: ${{ inputs.additional_permissions }}
        USE_COMMIT_SIGNING: ${{ inputs.use_commit_signing }}

-    - name: Setup Network Restrictions
-      if: steps.prepare.outputs.contains_trigger == 'true' && inputs.experimental_allowed_domains != ''
-      shell: bash
-      run: |
-        # Install and configure Squid proxy
-        sudo apt-get update && sudo apt-get install -y squid
-
-        echo "${{ inputs.experimental_allowed_domains }}" > $RUNNER_TEMP/whitelist.txt
-
-        # Configure Squid
-        sudo tee /etc/squid/squid.conf << EOF
-        http_port 127.0.0.1:3128
-        acl whitelist dstdomain "$RUNNER_TEMP/whitelist.txt"
-        acl localhost src 127.0.0.1/32
-        http_access allow localhost whitelist
-        http_access deny all
-        cache deny all
-        EOF
-
-        # Stop any existing squid instance and start with our config
-        sudo squid -k shutdown || true
-        sleep 2
-        sudo rm -f /run/squid.pid
-        sudo squid -N -d 1 &
-        sleep 5
-
-        # Set proxy environment variables
-        echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
-        echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
-        echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
-        echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
-
    - name: Run Claude Code
      id: claude-code
      if: steps.prepare.outputs.contains_trigger == 'true'
--- a/examples/claude.yml
+++ b/examples/claude.yml
@@ -36,12 +36,3 @@ jobs:
          # Or use OAuth token instead:
          # claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          timeout_minutes: "60"
-          # Optional: Restrict network access to specific domains only
-          # experimental_allowed_domains: |
-          #   .anthropic.com
-          #   .github.com
-          #   api.github.com
-          #   .githubusercontent.com
-          #   bun.sh
-          #   registry.npmjs.org
-          #   .blob.core.windows.net
--- a/src/entrypoints/prepare.ts
+++ b/src/entrypoints/prepare.ts
@@ -91,8 +91,7 @@ async function run() {
      githubToken,
      owner: context.repository.owner,
      repo: context.repository.repo,
-      branch: branchInfo.claudeBranch || branchInfo.currentBranch,
-      baseBranch: branchInfo.baseBranch,
+      branch: branchInfo.currentBranch,
      additionalMcpConfig,
      claudeCommentId: commentId.toString(),
      allowedTools: context.inputs.allowedTools,
--- a/src/mcp/github-file-ops-server.ts
+++ b/src/mcp/github-file-ops-server.ts
@@ -8,6 +8,7 @@ import { join } from "path";
 import fetch from "node-fetch";
 import { GITHUB_API_URL } from "../github/api/config";
 import { retryWithBackoff } from "../utils/retry";
+import { Octokit } from "@octokit/rest";

 type GitHubRef = {
  object: {
@@ -59,6 +60,12 @@ async function getOrCreateBranchRef(
  branch: string,
  githubToken: string,
 ): Promise<string> {
+  // Create Octokit instance
+  const octokit = new Octokit({
+    auth: githubToken,
+    baseUrl: GITHUB_API_URL,
+  });
+
  // Try to get the branch reference
  const refUrl = `${GITHUB_API_URL}/repos/${owner}/${repo}/git/refs/heads/${branch}`;
  const refResponse = await fetch(refUrl, {
@@ -78,7 +85,8 @@ async function getOrCreateBranchRef(
    throw new Error(`Failed to get branch reference: ${refResponse.status}`);
  }

-  const baseBranch = process.env.BASE_BRANCH!;
+  // Get base branch from environment or determine it
+  const baseBranch = process.env.BASE_BRANCH || "main";

  // Get the SHA of the base branch
  const baseRefUrl = `${GITHUB_API_URL}/repos/${owner}/${repo}/git/refs/heads/${baseBranch}`;
@@ -135,30 +143,19 @@ async function getOrCreateBranchRef(
    baseSha = baseRefData.object.sha;
  }

-  // Create the new branch using the same pattern as octokit
-  const createRefUrl = `${GITHUB_API_URL}/repos/${owner}/${repo}/git/refs`;
-  const createRefResponse = await fetch(createRefUrl, {
-    method: "POST",
-    headers: {
-      Accept: "application/vnd.github+json",
-      Authorization: `Bearer ${githubToken}`,
-      "X-GitHub-Api-Version": "2022-11-28",
-      "Content-Type": "application/json",
-    },
-    body: JSON.stringify({
+  // Create the new branch using Octokit
+  try {
+    await octokit.rest.git.createRef({
+      owner,
+      repo,
      ref: `refs/heads/${branch}`,
      sha: baseSha,
-    }),
    });
-
-  if (!createRefResponse.ok) {
-    const errorText = await createRefResponse.text();
-    throw new Error(
-      `Failed to create branch: ${createRefResponse.status} - ${errorText}`,
-    );
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    throw new Error(`Failed to create branch: ${errorMessage}`);
  }

-  console.log(`Successfully created branch ${branch}`);
  return baseSha;
 }

@@ -565,7 +562,6 @@ server.tool(

            // Only retry on 403 errors - these are the intermittent failures we're targeting
            if (updateRefResponse.status === 403) {
-              console.log("Received 403 error, will retry...");
              throw error;
            }

--- a/src/mcp/install-mcp-server.ts
+++ b/src/mcp/install-mcp-server.ts
@@ -8,7 +8,6 @@ type PrepareConfigParams = {
  owner: string;
  repo: string;
  branch: string;
-  baseBranch: string;
  additionalMcpConfig?: string;
  claudeCommentId?: string;
  allowedTools: string[];
@@ -55,7 +54,6 @@ export async function prepareMcpConfig(
    owner,
    repo,
    branch,
-    baseBranch,
    additionalMcpConfig,
    claudeCommentId,
    allowedTools,
@@ -102,7 +100,7 @@ export async function prepareMcpConfig(
          REPO_OWNER: owner,
          REPO_NAME: repo,
          BRANCH_NAME: branch,
-          BASE_BRANCH: baseBranch,
+          BASE_BRANCH: process.env.BASE_BRANCH || "",
          REPO_DIR: process.env.GITHUB_WORKSPACE || process.cwd(),
          GITHUB_EVENT_NAME: process.env.GITHUB_EVENT_NAME || "",
          IS_PR: process.env.IS_PR || "false",
--- a/test/install-mcp-server.test.ts
+++ b/test/install-mcp-server.test.ts
@@ -88,7 +88,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [],
      context: mockContext,
    });
@@ -119,7 +118,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [],
      context: contextWithSigning,
    });
@@ -145,7 +143,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [
        "mcp__github__create_issue",
        "mcp__github_file_ops__commit_files",
@@ -177,7 +174,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [
        "mcp__github_file_ops__commit_files",
        "mcp__github_file_ops__update_claude_comment",
@@ -197,7 +193,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: ["Edit", "Read", "Write"],
      context: mockContext,
    });
@@ -215,7 +210,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      additionalMcpConfig: "",
      allowedTools: [],
      context: mockContext,
@@ -234,7 +228,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      additionalMcpConfig: "   \n\t  ",
      allowedTools: [],
      context: mockContext,
@@ -265,7 +258,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      additionalMcpConfig: additionalConfig,
      allowedTools: [
        "mcp__github__create_issue",
@@ -304,7 +296,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      additionalMcpConfig: additionalConfig,
      allowedTools: [
        "mcp__github__create_issue",
@@ -346,7 +337,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      additionalMcpConfig: additionalConfig,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -367,7 +357,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      additionalMcpConfig: invalidJson,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -389,7 +378,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      additionalMcpConfig: nonObjectJson,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -414,7 +402,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      additionalMcpConfig: nullJson,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -439,7 +426,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      additionalMcpConfig: arrayJson,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -487,7 +473,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      additionalMcpConfig: additionalConfig,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -511,7 +496,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [],
      context: mockContextWithSigning,
    });
@@ -533,7 +517,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [],
      context: mockContextWithSigning,
    });
@@ -562,7 +545,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [],
      context: contextWithPermissions,
    });
@@ -582,7 +564,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [],
      context: mockContextWithSigning,
    });
@@ -601,7 +582,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [],
      context: mockPRContextWithSigning,
    });
@@ -633,7 +613,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [],
      context: contextWithPermissions,
    });
@@ -662,7 +641,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
-      baseBranch: "main",
      allowedTools: [],
      context: contextWithPermissions,
    });