anthropics/claude-code-action
1
0
Fork 0
mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-22 22:44:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ashwin/testid
claude-code-action/docs/security.md
Ashwin Bhat 0d9513b3b3 refactor: restructure documentation into organized docs directory (#383) 
- Move FAQ.md to docs/faq.md
- Create structured documentation files:
  - setup.md: Manual setup and custom GitHub app instructions
  - usage.md: Basic usage and workflow configuration
  - custom-automations.md: Automation examples
  - configuration.md: MCP servers and advanced settings
  - experimental.md: Execution modes and network restrictions
  - cloud-providers.md: AWS Bedrock and Google Vertex setup
  - capabilities-and-limitations.md: Features and constraints
  - security.md: Security information
- Condense README.md to overview with links to detailed docs
- Keep CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md at top level
2025-08-03 21:16:50 -07:00

39 lines
1.6 KiB
Markdown
Raw Permalink Blame History

# Security
## Access Control
- **Repository Access**: The action can only be triggered by users with write access to the repository
- **No Bot Triggers**: GitHub Apps and bots cannot trigger this action
- **Token Permissions**: The GitHub app receives only a short-lived token scoped specifically to the repository it's operating in
- **No Cross-Repository Access**: Each action invocation is limited to the repository where it was triggered
- **Limited Scope**: The token cannot access other repositories or perform actions beyond the configured permissions
## GitHub App Permissions
The [Claude Code GitHub app](https://github.com/apps/claude) requires these permissions:
- **Pull Requests**: Read and write to create PRs and push changes
- **Issues**: Read and write to respond to issues
- **Contents**: Read and write to modify repository files
## Commit Signing
All commits made by Claude through this action are automatically signed with commit signatures. This ensures the authenticity and integrity of commits, providing a verifiable trail of changes made by the action.
## ⚠️ Authentication Protection
**CRITICAL: Never hardcode your Anthropic API key or OAuth token in workflow files!**
Your authentication credentials must always be stored in GitHub secrets to prevent unauthorized access:
```yaml
# CORRECT ✅
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
# OR
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
# NEVER DO THIS ❌
anthropic_api_key: "sk-ant-api03-..." # Exposed and vulnerable!
claude_code_oauth_token: "oauth_token_..." # Exposed and vulnerable!
```
Reference in New Issue View Git Blame Copy Permalink