You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Restrict the Claude (@claude) workflow to OWNER/MEMBER/COLLABORATOR so external users cannot trigger it on the public repo (protects the OAuth token quota).
Overall: LGTM. This is a solid, minimal security hardening change. The author_association gate is applied consistently across all four trigger paths, and the allow-list (OWNER, MEMBER, COLLABORATOR) correctly excludes untrusted actors (CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR, NONE), which achieves the stated goal of protecting the OAuth token quota on the public repo.
What's correct
Consistent coverage — each event branch (issue_comment, pull_request_review_comment, pull_request_review, issues) uses the matching association field (comment.author_association, review.author_association, issue.author_association). No path is left ungated. ✅
Correct allow-list semantics — author_association is computed by GitHub server-side from the actor's real permission on the repo, so it can't be spoofed by the comment author. Using an explicit allow-list (rather than a deny-list) is the safer choice. ✅
Read-only permissions — the job keeps least-privilege read scopes, so even a bypass wouldn't grant write. ✅
author_association reflects repo permission, not org membership nuance. For a public repo this is exactly what you want. Just note that MEMBER means "member of the org that owns the repo" — if the org has broad membership, anyone in the org can still trigger. If you want to tighten further later, you could drop to OWNER/COLLABORATOR only. Not needed for this PR.
Re-trigger via assigned events. The issues: [opened, assigned] trigger gates on issue.author_association — the issue author's association, not the assigner's. This is fine given the current if also requires @claude in the body/title, but worth keeping in mind: a trusted user opening an issue with @claude sets author_association to that trusted user, which is the intended behavior.
pull_request_review_comment from forks. GitHub only sends this event to the base repo with base-repo secrets when the actor has the appropriate association, and your gate re-checks it — good defense in depth.
Security note on the broader pattern
Because these workflows run on issue_comment / pull_request_review (which execute in the base repo context with access to secrets), gating on author_association is the right primary control. The change does not check out or execute PR-head code in a privileged step, so there's no obvious pwn-request surface introduced here.
No changes requested — this is ready to merge.
• Branch: ci/gate-claude-trigger
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Restrict the Claude (@claude) workflow to OWNER/MEMBER/COLLABORATOR so external users cannot trigger it on the public repo (protects the OAuth token quota).