6 changes: 3 additions & 3 deletions .github/workflows/claude.yml
Expand Up @@ -19,9 +19,9 @@ jobs:
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
contents: write
pull-requests: write
Member


Can someone trick claude to override prs then?

issues: write
Comment on lines +22 to +24
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Inspect trigger + permission surface in claude workflow"
nl -ba .github/workflows/claude.yml | sed -n '1,90p'

echo
echo "2) Check for explicit trust gating signals"
rg -n 'author_association|github\.actor|OWNER|MEMBER|COLLABORATOR' .github/workflows/claude.yml || true

echo
echo "3) Compare with read-only baseline workflow using same action"
nl -ba .github/workflows/claude-code-review.yml | sed -n '30,70p'

Repository: evstack/ev-node

Length of output: 177


🏁 Script executed:

#!/bin/bash

echo "1) Inspect trigger + permission surface in claude workflow (lines 1-90)"
cat -n .github/workflows/claude.yml | head -90

echo ""
echo "2) Check for explicit trust gating signals"
rg -n 'author_association|github\.actor|OWNER|MEMBER|COLLABORATOR' .github/workflows/claude.yml || echo "No trust gating found"

echo ""
echo "3) Compare with read-only baseline workflow (lines 30-70)"
if [ -f .github/workflows/claude-code-review.yml ]; then
  cat -n .github/workflows/claude-code-review.yml | sed -n '30,70p'
else
  echo "claude-code-review.yml not found"
fi

echo ""
echo "4) Get file stats to understand size"
wc -l .github/workflows/claude.yml

Repository: evstack/ev-node

Length of output: 5538


🏁 Script executed:

#!/bin/bash

echo "Searching for permissions in claude-code-review.yml"
grep -n "permissions:" .github/workflows/claude-code-review.yml -A 10

echo ""
echo "Full workflow file size:"
wc -l .github/workflows/claude-code-review.yml

Repository: evstack/ev-node

Length of output: 441


Limit write scopes to trusted invocations—current trigger surface allows any user with comment access.

contents: write, pull-requests: write, and issues: write permissions are granted to a job triggered by user-generated comment and issue events (@claude). The job condition (lines 15-19) checks only for the @claude mention with no author association guard, meaning any user with access to comment on issues or PRs can invoke this workflow with full write permissions. In contrast, .github/workflows/claude-code-review.yml uses read-only scopes for the same action.

Add an author_association check to restrict to repository members:

Suggested hardening
 jobs:
   claude:
     if: |
+      contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'),
+        github.event.comment.author_association || github.event.review.author_association || github.event.issue.author_association) &&
       (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
       (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      pull-requests: write
-      issues: write
+      contents: read
+      pull-requests: read
+      issues: read
       id-token: write
       actions: read
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 22 - 24, The workflow grants write
permissions (contents: write, pull-requests: write, issues: write) to a job
triggered by user comments, but lacks an author_association guard so any
commenter can invoke it; update the workflow condition that detects the `@claude`
mention to also require the comment author's association (e.g., check
github.event.comment.author_association is one of "MEMBER","COLLABORATOR" or
"OWNER") before granting those write-scoped permissions and running the job
(modify the existing mention check block that gates the job to include this
author_association check).
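The check this review comment performs by hand (write scopes on a job that is triggered by comment text, with no `author_association` or `github.actor` condition), written as an added example that is not part of the PR or the review. The workflow text is constructed from the lines shown in the diff, and the parser assumes 2-space indentation with `jobs:` as the last top-level key.

```python
import re

# Trust signals: the same ones the review comment's grep searched for.
TRUST_GATE = re.compile(r"author_association|github\.actor")
# Attacker-controlled text used as the trigger.
UNTRUSTED = re.compile(r"github\.event\.(comment|review|issue)\.(body|title)")

def job_blocks(workflow):
    """Return [(job_name, lines)]; assumes 2-space indent, `jobs:` last top-level key."""
    jobs = re.split(r"(?m)^jobs:[ \t]*$", workflow, maxsplit=1)[-1]
    parts = re.split(r"(?m)^  ([\w-]+):[ \t]*$", jobs)
    return [(parts[i], parts[i + 1].splitlines()) for i in range(1, len(parts), 2)]

def write_scopes(block):
    """Scopes set to `write` in the job-level permissions map (4-space indent)."""
    scopes, inside = [], False
    for line in block:
        if len(line) - len(line.lstrip()) == 4:
            inside = line.strip() == "permissions:"
        elif inside and (m := re.match(r"\s+([a-z-]+):\s*write\b", line)):
            scopes.append(m.group(1))
    # id-token: write only lets the job request an OIDC token, so it is not reported.
    return sorted(s for s in scopes if s != "id-token")

def audit(workflow):
    """Return (job, write_scopes) for comment-triggered jobs with no trust gate."""
    findings = []
    for name, block in job_blocks(workflow):
        text = "\n".join(block)
        scopes = write_scopes(block)
        if scopes and UNTRUSTED.search(text) and not TRUST_GATE.search(text):
            findings.append((name, scopes))
    return findings

# Constructed sample, modelled on the job shown in the diff on this page.
UNGATED = """\
jobs:
  claude:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'issues' && contains(github.event.issue.title, '@claude'))
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      issues: write
      id-token: write
"""
print(audit(UNGATED))
```

This is a presence check only: it reports whether a trust condition appears in the job at all, not whether the expression applies it to every event clause.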

id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
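Review bot: The three scopes raised to write under `permissions:` come with no tightening of the job's `if:`. The condition line visible at the top of the hunk still admits any `issues` event whose body or title contains '@claude', whoever opened it. Gate the job on the author's association (OWNER, MEMBER or COLLABORATOR) in the same change. It would also help to give each write scope a short comment naming what needs it, as `actions: read` already has, and to drop any scope that has no stated need.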