
Restrict code review agent from approving or rejecting PRs

Changed agent tool declaration from `Bash(gh pr review:*)` to
`Bash(gh pr review:--comment*)` to explicitly prevent the agent
from executing PR approval or rejection operations.

This closes a permission gap where the wildcard pattern technically
allowed `--approve` and `--request-changes` flags, though the agent
was never instructed to use them. The agent retains full ability to
post inline review comments and summary comments.

Security hardening following principle of least privilege.
pull/521/head
Author: Patrick Honkonen, 2 days ago
Parent commit: 4fca53c9c1
Signature: No known key found for this signature in database (GPG Key ID: 27C65CF8B03CC9FB)
1 changed file: .github/workflows/_review-code.yml (2)
@ -137,4 +137,4 @@ jobs: @@ -137,4 +137,4 @@ jobs:
Do not add excessive praise or commentary to findings.
claude_args: |
--verbose
--allowedTools "Read,Grep,Glob,Bash(git diff:*),Bash(git log:*),Bash(git show:*),Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr review:*),Bash(gh pr comment:*),mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment"
--allowedTools "Read,Grep,Glob,Bash(git diff:*),Bash(git log:*),Bash(git show:*),Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr review:--comment*),Bash(gh pr comment:*),mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment"
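Review bot: `Bash(gh pr review:--comment*)` is a prefix pattern, so it only matches invocations where `--comment` is the very first argument after `gh pr review`; `gh pr review 123 --comment -b "..."` or `gh pr review -b "..." --comment` no longer match and will be denied, which is worth stating in the agent's instructions in this workflow (the `Bash(gh pr comment:*)` entry remains as the fallback for summary comments). Conversely, because it is a prefix match, a command line such as `gh pr review --comment --approve` still satisfies the allowlist; it is `gh`'s own check that `--approve`, `--request-changes` and `--comment` are mutually exclusive that rejects it, not this pattern, so the commit message's "explicitly prevent" claim rests partly on that CLI behaviour and should say so.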
