Skip to content

Harden claude-auto-fix-ci.yml workflow permissions #1180

Description

@kunal12203

The "claude-auto-fix-ci.yml" workflow has a few areas to tighten up for defense in depth:

  • Branch name from github.event.workflow_run.head_branch is passed verbatim into Claude's prompt, it should be sanitized/quoted before injection
  • --allowedTools "Bash(*)" is overly broad, replace with a specific tool allowlist
  • "SUPERMEMORY_API_KEY" in the MCP config has full org permissions; consider a scoped read-only key for CI use

Note: Overall risk is low because fork PRs require maintainer approval before the workflow runs (an "action_required" conclusion), so external contributors cannot trigger it automatically. These are hardening improvements for the case in which an internal contributor's branch name is maliciously crafted.

Suggested fixes:

  1. Sanitize branch name before passing to prompt: strip special characters
  2. Replace "Bash(*)" with specific commands the workflow actually needs
  3. Generate a scoped API key (read-only, specific containerTags) for CI

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions