Skip to content

Commit d26ebef

Browse files
OctavianGuzuOctavianGuzu
committed
Let workflow/job env override the auto-set scrub flag
Env var takes priority so users can opt in/out via CLAUDE_CODE_SUBPROCESS_ENV_SCRUB at job or workflow level independently of allowed_non_write_users. :house: Remote-Dev: homespace
1 parent 169838b commit d26ebef

File tree

2 files changed

+2
-2
lines changed

2 files changed

+2
-2
lines changed

action.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -213,7 +213,7 @@ runs:
213213
OVERRIDE_GITHUB_TOKEN: ${{ inputs.github_token }}
214214
ALLOWED_BOTS: ${{ inputs.allowed_bots }}
215215
ALLOWED_NON_WRITE_USERS: ${{ inputs.allowed_non_write_users }}
216-
CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: ${{ inputs.allowed_non_write_users != '' && '1' || env.CLAUDE_CODE_SUBPROCESS_ENV_SCRUB || '' }}
216+
CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: ${{ env.CLAUDE_CODE_SUBPROCESS_ENV_SCRUB || (inputs.allowed_non_write_users != '' && '1') || '' }}
217217
INCLUDE_COMMENTS_BY_ACTOR: ${{ inputs.include_comments_by_actor }}
218218
EXCLUDE_COMMENTS_BY_ACTOR: ${{ inputs.exclude_comments_by_actor }}
219219
GITHUB_RUN_ID: ${{ github.run_id }}

docs/security.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313
- Accepts either a comma-separated list of specific usernames or `*` to allow all users
1414
- **Should be used with extreme caution** as it bypasses the primary security mechanism of this action
1515
- Is designed for automation workflows where user permissions are already restricted by the workflow's permission scope
16-
- When set, Claude does a best-effort scrub of Anthropic, cloud, and GitHub Actions secrets from subprocess environments. This reduces but does not eliminate prompt injection risk — keep workflow permissions minimal and validate all outputs.
16+
- When set, Claude does a best-effort scrub of Anthropic, cloud, and GitHub Actions secrets from subprocess environments. This reduces but does not eliminate prompt injection risk — keep workflow permissions minimal and validate all outputs. Set `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: 0` in your workflow or job `env:` block to opt out.
1717
- **Token Permissions**: The GitHub app receives only a short-lived token scoped specifically to the repository it's operating in
1818
- **No Cross-Repository Access**: Each action invocation is limited to the repository where it was triggered
1919
- **Limited Scope**: The token cannot access other repositories or perform actions beyond the configured permissions

0 commit comments

Comments
 (0)