Skip to content

ci: pin claude-code-action to SHA + restrict contextualize to same-repo PRs (CodeQL)#33

Open
jhamon wants to merge 1 commit into
mainfrom
security/ci-actions-hygiene
Open

ci: pin claude-code-action to SHA + restrict contextualize to same-repo PRs (CodeQL)#33
jhamon wants to merge 1 commit into
mainfrom
security/ci-actions-hygiene

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

What

Addresses the 4 CI/Actions-hygiene CodeQL alerts.

actions/unpinned-tag (2)

Pin anthropics/claude-code-action@v1@e90deca # v1.0.171 in both contextualize-skills.yml and claude.yml.

actions/untrusted-checkout/medium (2, both on contextualize-skills.yml)

This job is privileged: it checks out the PR head and runs Claude Code over that content with the ANTHROPIC_API_KEY secret, contents: write, and pull-requests: write (and pushes commits back). "Dismiss — never runs with secrets" does not apply.

Hardening: added an explicit same-repo guard to the job condition:

if: >-
  github.event.pull_request.head.repo.full_name == github.repository &&
  startsWith(github.head_ref, 'sync/skills-')

A fork PR can now never reach this secret-bearing, write-capable path. Combined with the pre-existing sync/skills- branch-name filter, only the internal skills-sync automation — which pushes sync/skills-* branches directly to this repo (requiring write access) — can trigger it.

With that compensating control, the 2 untrusted-checkout alerts are dismissed as "won't fix", referencing this PR.

claude.yml was already least-privilege (contents: read, gated on author_association ∈ OWNER/MEMBER/COLLABORATOR) — it needed only the SHA pin.

Verification

  • Both files parse; job if/permissions confirmed; both action refs pinned to SHA.

Refs PIN-24.

…po PRs (CodeQL)

- Pin anthropics/claude-code-action@v1 -> @e90deca # v1.0.171 in both
  contextualize-skills.yml and claude.yml. Fixes 2x actions/unpinned-tag.
- Harden contextualize-skills against actions/untrusted-checkout: the job
  checks out the PR head and runs Claude Code over it WITH the
  ANTHROPIC_API_KEY secret, contents: write, and pull-requests: write, then
  pushes commits back. Add an explicit
  `head.repo.full_name == github.repository` guard so a fork PR can never
  reach this privileged, secret-bearing path. Combined with the existing
  sync/skills- branch filter, only the internal skills-sync automation
  triggers it.

claude.yml was already least-privilege (contents: read; gated on
author_association OWNER/MEMBER/COLLABORATOR) and needed only the pin.

The 2 untrusted-checkout alerts are dismissed (won't fix) with this
compensating control as the documented reason. Refs PIN-24.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant