fix(security): add SSRF protection to URL validation #1814
| name: Claude Code | |
| on: | |
| issue_comment: | |
| types: [created] | |
| pull_request_review_comment: | |
| types: [created] | |
| issues: | |
| types: [opened, assigned] | |
| pull_request_review: | |
| types: [submitted] | |
| jobs: | |
| claude: | |
| if: | | |
| ( | |
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| ) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| issues: read | |
| id-token: write | |
| actions: read | |
| steps: | |
| - name: Get PR details | |
| if: | | |
| (github.event_name == 'issue_comment' && github.event.issue.pull_request) || | |
| github.event_name == 'pull_request_review_comment' || | |
| github.event_name == 'pull_request_review' | |
| id: pr | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| let prNumber; | |
| if (context.eventName === 'issue_comment') { | |
| prNumber = context.issue.number; | |
| } else { | |
| prNumber = context.payload.pull_request.number; | |
| } | |
| const pr = await github.rest.pulls.get({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| pull_number: prNumber | |
| }); | |
| core.setOutput('sha', pr.data.head.sha); | |
| core.setOutput('repo', pr.data.head.repo.full_name); | |
| - name: Checkout PR branch | |
| if: steps.pr.outcome == 'success' | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ steps.pr.outputs.sha }} | |
| repository: ${{ steps.pr.outputs.repo }} | |
| fetch-depth: 0 | |
| - name: Checkout repository | |
| if: steps.pr.outcome != 'success' | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run Claude Code | |
| id: claude | |
| uses: anthropics/claude-code-action@v1 | |
| with: | |
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | |
| # Allow Claude to read CI results on PRs | |
| additional_permissions: | | |
| actions: read | |
| # Trigger when assigned to an issue | |
| assignee_trigger: "claude" | |
| claude_args: | | |
| --allowedTools Bash | |
| --system-prompt "If posting a comment to GitHub, give a concise summary of the comment at the top and put all the details in a <details> block." |
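Review bot: The job-level `if:` fires for any comment, review or issue body containing `@claude`, yet the "Get PR details" and "Checkout PR branch" steps then check out `pr.data.head.repo.full_name` at the PR head sha and run Claude with `--allowedTools Bash`, so a comment on a fork PR executes the fork's code inside a job that holds `ANTHROPIC_API_KEY` and `id-token: write`. Gate the trigger on the commenter's repository role, e.g. extend the job condition with `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` and use the `github.event.issue.author_association` / `github.event.review.author_association` equivalents for the `issues` and `pull_request_review` branches. Unless the action actually exchanges an OIDC token, `id-token: write` is broader than the job needs and should be dropped. Pinning `anthropics/claude-code-action@v1` and `actions/github-script@v7` to commit SHAs would also close the moving-tag supply-chain exposure, since either action runs with everything this job can reach.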