ci(github-actions): update workflow permissions for claude-translator (#10080)

Update pull-requests permission from read to write and add allowed_non_write_users config
Add security warning comment about fine-grained token control
This commit is contained in:
Phantom 2025-09-10 23:27:15 +08:00 committed by GitHub
parent 125353c5a3
commit d6a320490a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -20,7 +20,7 @@ jobs:
permissions: permissions:
contents: read contents: read
issues: write # 编辑issues/comments issues: write # 编辑issues/comments
pull-requests: read pull-requests: write
id-token: write id-token: write
steps: steps:
@ -33,7 +33,11 @@ jobs:
uses: anthropics/claude-code-action@main uses: anthropics/claude-code-action@main
id: claude id: claude
with: with:
# Warning: Permissions should have been controlled by workflow permission.
# Now `contents: read` is safe for files, but we could make a fine-grained token to control it.
# See: https://github.com/anthropics/claude-code-action/blob/main/docs/security.md
github_token: ${{ secrets.TOKEN_GITHUB_WRITE }} github_token: ${{ secrets.TOKEN_GITHUB_WRITE }}
allowed_non_write_users: '*'
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
claude_args: '--allowed-tools Bash(gh issue:*),Bash(gh api:repos/*/issues:*)' claude_args: '--allowed-tools Bash(gh issue:*),Bash(gh api:repos/*/issues:*)'
prompt: | prompt: |
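Review bot: `allowed_non_write_users: '*'` appears to let any GitHub account, not only collaborators with write access, trigger this job, and since the same step receives `secrets.TOKEN_GITHUB_WRITE` and the job now holds `pull-requests: write`, text from an arbitrary issue or comment becomes input to an agent acting with a write-capable credential; the new comment above `github_token` does not mention this trade-off. The warning on the two comment lines is also inaccurate as written: the workflow `permissions:` block scopes only the automatic `GITHUB_TOKEN`, while the custom `TOKEN_GITHUB_WRITE` secret keeps whatever scopes it was created with, so `contents: read` here does not bound what the agent can do with that token. Consider replacing `'*'` with the explicit list of users the translator must serve, or documenting in the comment why every user needs to trigger it, and rewording the first comment line to `# Note: the permissions block above scopes only GITHUB_TOKEN; TOKEN_GITHUB_WRITE is a separate credential whose scopes must be limited where it is created.`. The `with:` mapping and the `prompt: |` block scalar continue past the end of the hunk, so the full set of inputs the agent receives is not visible here.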