Aksel Joonas Reedi commited on
Run Claude review for external PRs safely (#123)
.github/workflows/claude-review.yml
CHANGED
|
@@ -1,8 +1,8 @@
|
|
| 1 |
name: Claude PR Review
|
| 2 |
|
| 3 |
on:
|
| 4 |
-
|
| 5 |
-
types: [opened, synchronize, ready_for_review]
|
| 6 |
|
| 7 |
permissions:
|
| 8 |
contents: read
|
|
@@ -22,6 +22,10 @@ jobs:
|
|
| 22 |
- uses: actions/checkout@v4
|
| 23 |
with:
|
| 24 |
fetch-depth: 0
|
|
|
|
|
|
|
|
|
|
|
|
|
| 25 |
|
| 26 |
- name: Compose review prompt
|
| 27 |
id: compose
|
|
|
|
| 1 |
name: Claude PR Review
|
| 2 |
|
| 3 |
on:
|
| 4 |
+
pull_request_target:
|
| 5 |
+
types: [opened, synchronize, ready_for_review, reopened]
|
| 6 |
|
| 7 |
permissions:
|
| 8 |
contents: read
|
|
|
|
| 22 |
- uses: actions/checkout@v4
|
| 23 |
with:
|
| 24 |
fetch-depth: 0
|
| 25 |
+
# On pull_request_target, keep checkout on the trusted base-repo ref.
|
| 26 |
+
# The Claude action can review the PR via GitHub context/API without
|
| 27 |
+
# executing untrusted fork code with repository secrets.
|
| 28 |
+
persist-credentials: false
|
| 29 |
|
| 30 |
- name: Compose review prompt
|
| 31 |
id: compose
|
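Review bot: The switch to `pull_request_target` on new line 4 makes every later step run with repository secrets on fork-controlled input, and the only guard visible in this section is the comment above `persist-credentials: false`, which nothing enforces. The `Compose review prompt` step starts at new line 30 and its body is outside the hunk, so this cannot be confirmed from here, but if it expands `${{ github.event.pull_request.title }}` or the PR body directly inside a `run:` script, that is a script-injection path; pass such fields through `env:` and read them as shell variables instead. PR text and diff content also reach the model as untrusted prompt input, so the job's `permissions:` and the action's tool access should stay at the minimum the review needs. I would turn the checkout comment into an explicit prohibition, e.g. `# Do not add ref: pointing at the PR head; this job runs with repository secrets.`, and pin `actions/checkout` to a full commit SHA rather than the mutable `v4` tag.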