* feat: skip permission check for GitHub App bot users GitHub Apps (users ending with [bot]) now bypass permission checks as they have their own authorization mechanism. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * feat: add allow_bot_users option to control bot user access - Add allow_bot_users input parameter (default: false) - Modify checkHumanActor to optionally allow bot users - Add comprehensive tests for bot user handling - Improve security by blocking bot users by default This change prevents potential prompt injection attacks from bot users while providing flexibility for trusted bot integrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: mark bot user support feature as completed in roadmap 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * refactor: move allowedBots parameter to context object Move allowedBots from function parameter to context.inputs to maintain consistency with other input handling throughout the codebase. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: update README for bot user support feature Add documentation for the new allowed_bots parameter that enables bot users to trigger Claude actions with granular control. 
🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: add missing allowedBots property in permissions test 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: update bot name format to include [bot] suffix in tests and docs - Update test cases to use correct bot actor names with [bot] suffix - Update documentation example to show correct bot name format - Align with GitHub's actual bot naming convention 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * feat: normalize bot names for allowed_bots validation - Strip [bot] suffix from both actor names and allowed bot list for comparison - Allow both "dependabot" and "dependabot[bot]" formats in allowed_bots input - Display normalized bot names in error messages for consistency - Add comprehensive test coverage for both naming formats 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
import * as core from "@actions/core";
import type { ParsedGitHubContext } from "../context";
import type { Octokit } from "@octokit/rest";
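/**
 * Check if the actor has write permissions to the repository.
 *
 * Actors whose login ends with `[bot]` (GitHub Apps) are reported as having
 * write access WITHOUT querying the API. GitHub Apps are not collaborators,
 * so the collaborator-permission endpoint cannot describe them; the trade-off
 * is that this function cannot tell a trusted app from any other app that is
 * able to act on the repository. Deciding which bot actors may proceed at all
 * has to happen before this check is reached.
 *
 * @param octokit - The Octokit REST client
 * @param context - The GitHub context; only `repository.owner`,
 *   `repository.repo` and `actor` are read
 * @returns true if the actor has write permissions, false otherwise
 * @throws Error when the actor login is empty or the permission lookup fails
 */
export async function checkWritePermissions(
  octokit: Octokit,
  context: ParsedGitHubContext,
): Promise<boolean> {
  const { repository, actor } = context;

  // Fail closed instead of asking the API about an empty login.
  if (!actor) {
    throw new Error("Failed to check permissions: actor is empty");
  }

  try {
    core.info(`Checking permissions for actor: ${actor}`);

    // GitHub App bypass — unchecked by design, see the doc comment above.
    if (isGitHubAppActor(actor)) {
      core.info(`Actor is a GitHub App: ${actor}`);
      return true;
    }

    // Resolve the actor's collaborator permission level through the REST API.
    const response = await octokit.repos.getCollaboratorPermissionLevel({
      owner: repository.owner,
      repo: repository.repo,
      username: actor,
    });

    const permissionLevel = response.data.permission;
    core.info(`Permission level retrieved: ${permissionLevel}`);

    // Only "admin" and "write" grant access; every other level is denied.
    if (permissionLevel === "admin" || permissionLevel === "write") {
      core.info(`Actor has write access: ${permissionLevel}`);
      return true;
    }

    core.warning(`Actor has insufficient permissions: ${permissionLevel}`);
    return false;
  } catch (error: unknown) {
    // Log as well as throw so the failure shows in the job output even if a
    // caller swallows the rejection.
    core.error(`Failed to check permissions: ${error}`);
    throw new Error(`Failed to check permissions for ${actor}: ${error}`);
  }
}

/**
 * Whether an actor login denotes a GitHub App rather than a user account.
 * GitHub appends `[bot]` to app logins (e.g. `dependabot[bot]`); whether a
 * user login can ever carry this suffix is assumed not — confirm against
 * GitHub's username rules if this check is ever relied on for more.
 */
function isGitHubAppActor(actor: string): boolean {
  return actor.endsWith("[bot]");
}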