@@ -5,10 +5,13 @@ This guide helps you set up the Claude Code GitHub Actions workflow with model r
55## 🎯 Key Features
66
77- ** Model Restriction** : Forces ` claude-sonnet-4-20250514 ` (excludes premium Claude Opus 4)
8- - ** Usage Safeguards** : Token limits and file count restrictions
8+ - ** Security Hardened** : Input validation, command injection prevention, file sanitization
9+ - ** Token Validation** : OAuth token format validation with fallback authentication
10+ - ** Usage Safeguards** : Token limits (10k), file count limits (50), timeout protection
911- ** Multiple Triggers** : PRs, pushes, and manual dispatch
1012- ** Comprehensive Analysis** : Code review, security, optimization, testing, documentation
1113- ** Automatic PR Comments** : Results posted directly to pull requests
14+ - ** Error Handling** : Actionable error messages with troubleshooting guidance
1215
1316## 📋 Setup Requirements
1417
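Review bot: the new "Security Hardened" and "Token Validation" bullets assert protections (command injection prevention, file sanitization, format validation) without saying what is actually enforced, which invites readers to trust the workflow more than a feature list can justify; either point each bullet at the section that describes the mechanism or phrase them as what the workflow does (e.g. "inputs are matched against an allow-list pattern before being passed to the shell"). Also, "OAuth token format validation with fallback authentication" mixes two unrelated things on one line; fallback belongs with the authentication bullets, not with validation.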
@@ -19,14 +22,18 @@ Add authentication secrets to GitHub repository (Settings → Secrets and variab
1922** Option 1: Claude Code OAuth Token (Recommended)**
20231 . Click ** New repository secret**
21242 . Name: ` CLAUDE_CODE_OAUTH_TOKEN `
22- 3 . Value: Your Claude Code OAuth token
25+ 3 . Value: Your Claude Code OAuth token (format: ` sk-ant-[alphanumeric] ` )
2326
2427** Option 2: Anthropic API Key (Fallback)**
25281 . Click ** New repository secret**
26292 . Name: ` ANTHROPIC_API_KEY `
27- 3 . Value: Your subscription-based Anthropic API key
30+ 3 . Value: Your subscription-based Anthropic API key (format: ` sk-ant-[alphanumeric] ` )
2831
29- ** Note** : The workflow will use ` CLAUDE_CODE_OAUTH_TOKEN ` if available, otherwise fall back to ` ANTHROPIC_API_KEY ` .
32+ ** Security Features:**
33+ - ** Token Format Validation** : Both tokens are validated for proper format
34+ - ** Fallback Authentication** : Automatically uses API key if OAuth token is unavailable
35+ - ** Clear Error Messages** : Detailed setup instructions provided on authentication failure
36+ - ** Get your token from** : https://console.anthropic.com/
3037
3138### 2. Verify Workflow File
3239
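Review bot: documenting the accepted token format as `sk-ant-[alphanumeric]` for both the OAuth token and the API key is risky if the workflow's validator literally enforces that pattern, because provider-issued keys are not guaranteed to be purely alphanumeric after the prefix (separators such as `-` or `_` in the body would be rejected as "malformed" and trigger the fallback or a hard failure); state the exact regular expression the workflow uses, or describe the check only as a prefix check. Note also that format validation is a sanity check, not an authenticity check, so "Token Format Validation" should not be listed as a security feature on equal footing with the others, and the "Get your token from" link is setup guidance rather than a security feature and reads better under Option 1/Option 2.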
@@ -102,6 +109,8 @@ Ensure `.github/workflows/claude-code-integration.yml` exists in your repository
102109| -------| -------| ---------|
103110| Max tokens per run | 10,000 | Cost control |
104111| Max files per run | 50 | Performance |
112+ | File size per file | 10KB | Prevent huge prompts |
113+ | Analysis timeout | 300 seconds | Prevent hanging |
105114| Model restriction | ` claude-sonnet-4-20250514 ` | Exclude premium models |
106115
107116## 📊 Analysis Types
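Review bot: the two new limit rows should say what happens when a limit is hit, since that determines whether a run can silently skip material: a file over 10KB could be skipped, truncated, or fail the run, and a 300 second timeout could leave a partial result posted as a PR comment; add a column or a sentence stating the behaviour (e.g. "files over 10KB are skipped and listed in the comment"). Minor: "File size per file" is redundant, "Max file size" matches the other rows.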
@@ -141,22 +150,37 @@ Ensure `.github/workflows/claude-code-integration.yml` exists in your repository
141150- Architecture documentation
142151- Missing documentation
143152
144- ## 🔒 Security Best Practices
145-
146- 1 . ** API Key Management**
147- - Use GitHub secrets (never commit keys)
148- - Use subscription-based keys only
149- - Rotate keys regularly
150-
151- 2 . ** Model Restrictions**
152- - Workflow enforces ` claude-sonnet-4-20250514 `
153- - Premium models (Opus 4) are excluded
154- - Usage monitoring tracks model usage
155-
156- 3 . ** Access Control**
157- - Workflow requires ` contents: read ` permission
158- - PR comments require ` pull-requests: write `
159- - No write access to repository code
153+ ## 🔒 Security Features
154+
155+ ### Input Validation & Sanitization
156+ - ** Command Injection Prevention** : All user inputs are validated and sanitized
157+ - ** File Path Sanitization** : File paths are validated against safe patterns
158+ - ** SHA Validation** : Git SHAs are validated for proper format
159+ - ** Token Format Validation** : Authentication tokens are validated for proper format
160+
161+ ### File Security
162+ - ** File Existence Checks** : All files are verified to exist before processing
163+ - ** Path Traversal Prevention** : Directory traversal attempts are blocked
164+ - ** File Size Limits** : Individual files limited to 10KB to prevent huge prompts
165+ - ** Safe File Patterns** : Only files matching safe patterns are processed
166+
167+ ### Runtime Security
168+ - ** Timeout Protection** : Analysis operations timeout after 5 minutes
169+ - ** Error Handling** : Comprehensive error handling with actionable messages
170+ - ** Output Sanitization** : PR comments are sanitized to prevent injection
171+ - ** Strict Mode** : All bash scripts run with ` set -euo pipefail `
172+
173+ ### Authentication Security
174+ - ** Dual Authentication** : Primary OAuth token with API key fallback
175+ - ** Token Validation** : Format validation for both token types
176+ - ** Secure Storage** : All tokens stored in GitHub secrets
177+ - ** Clear Error Messages** : Detailed setup instructions on authentication failure
178+
179+ ### Usage Controls
180+ - ** Model Restriction** : Forces ` claude-sonnet-4-20250514 ` (excludes premium models)
181+ - ** Token Limits** : Maximum 10,000 tokens per run for cost control
182+ - ** File Limits** : Maximum 50 files per run for performance
183+ - ** Usage Monitoring** : All usage is logged for monitoring and cost tracking
160184
161185## 📈 Usage Monitoring
162186
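Review bot: replacing "Security Best Practices" with "Security Features" drops the operational guidance the old section carried, in particular the least-privilege permission model (`contents: read`, `pull-requests: write`, no write access to repository code) and the advice to rotate keys regularly; the new "Authentication Security" and "Usage Controls" subsections describe what the workflow does but no longer tell operators how to configure or maintain it safely, so keep an "Access Control" subsection with the permission bullets and the key-rotation advice. Several new bullets are also too vague to verify: "Safe File Patterns" should list the patterns, "Output Sanitization" should say what is stripped or escaped from PR comments, and "Command Injection Prevention" should name the validation applied (an allow-list regex, quoting, or argument passing without a shell).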