anthropics/claude-code-action
1
0
Fork 0
mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-22 22:44:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
e3a4ac69fe1d4e0e6dab15690895f5ee291b06e3
claude-code-action/docs/security.md
Ashwin Bhat 0d9513b3b3 refactor: restructure documentation into organized docs directory (#383) 
- Move FAQ.md to docs/faq.md
- Create structured documentation files:
  - setup.md: Manual setup and custom GitHub app instructions
  - usage.md: Basic usage and workflow configuration
  - custom-automations.md: Automation examples
  - configuration.md: MCP servers and advanced settings
  - experimental.md: Execution modes and network restrictions
  - cloud-providers.md: AWS Bedrock and Google Vertex setup
  - capabilities-and-limitations.md: Features and constraints
  - security.md: Security information
- Condense README.md to overview with links to detailed docs
- Keep CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md at top level
2025-08-03 21:16:50 -07:00

1.6 KiB
Raw Blame History

Security

Access Control

  • Repository Access: The action can only be triggered by users with write access to the repository
  • No Bot Triggers: GitHub Apps and bots cannot trigger this action
  • Token Permissions: The GitHub app receives only a short-lived token scoped specifically to the repository it's operating in
  • No Cross-Repository Access: Each action invocation is limited to the repository where it was triggered
  • Limited Scope: The token cannot access other repositories or perform actions beyond the configured permissions

GitHub App Permissions

The Claude Code GitHub app requires these permissions:

  • Pull Requests: Read and write to create PRs and push changes
  • Issues: Read and write to respond to issues
  • Contents: Read and write to modify repository files

Commit Signing

All commits made by Claude through this action are automatically signed with commit signatures. This ensures the authenticity and integrity of commits, providing a verifiable trail of changes made by the action.

⚠️ Authentication Protection

CRITICAL: Never hardcode your Anthropic API key or OAuth token in workflow files!

Your authentication credentials must always be stored in GitHub secrets to prevent unauthorized access:

# CORRECT ✅
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
# OR
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# NEVER DO THIS ❌
anthropic_api_key: "sk-ant-api03-..." # Exposed and vulnerable!
claude_code_oauth_token: "oauth_token_..." # Exposed and vulnerable!
Reference in New Issue View Git Blame Copy Permalink