ci: Restrict who can run Claude workflows

qmonnet · qmonnet · commit e1e7f0169878 · 2025-10-15T12:25:26.000+01:00
Use guardrails to restrict who can run Claude-related workflows. - For code reviews, only run the workflow if the author of the Pull Request is from the owning organisation, or the owner, or a GitHub collaborator for the repository. - For @claude comments in Issue comments and descriptions or Pull Request review comments, restrict the workflow to commenters with the same association (member, owner, or collaborator). Link: https://docs.github.com/en/graphql/reference/enums#commentauthorassociation Link: https://docs.github.com/en/webhooks/webhook-events-and-payloads Signed-off-by: Quentin Monnet <qmo@qmon.net>
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -12,11 +12,14 @@ on:
 
 jobs:
   claude-review:
-    # Optional: Filter by PR author
-    # if: |
-    #   github.event.pull_request.user.login == 'external-contributor' ||
-    #   github.event.pull_request.user.login == 'new-developer' ||
-    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+    # Filter by Pull Request author:
+    # - MEMBER: Author is a member of the organization that owns the repository.
+    # - OWNER: Author is the owner of the repository.
+    # - COLLABORATOR: Author has been invited to collaborate on the repository.
+    if: |
+      github.event.pull_request.author_association == 'MEMBER' ||
+      github.event.pull_request.author_association == 'OWNER' ||
+      github.event.pull_request.author_association == 'COLLABORATOR'
 
     runs-on: ubuntu-latest
     permissions:
diff --git a/.github/workflows/claude-conversations.yml b/.github/workflows/claude-conversations.yml
@@ -12,11 +12,35 @@ on:
 
 jobs:
   claude:
+    # Filter by comment/review/issue author:
+    # - MEMBER: Author is a member of the organization that owns the repository.
+    # - OWNER: Author is the owner of the repository.
+    # - COLLABORATOR: Author has been invited to collaborate on the repository.
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      (github.event_name == 'issue_comment' &&
+       (github.event.comment.author_association == 'MEMBER' ||
+        github.event.comment.author_association == 'OWNER' ||
+        github.event.comment.author_association == 'COLLABORATOR') &&
+       contains(github.event.comment.body, '@claude')) ||
+
+      (github.event_name == 'pull_request_review_comment' &&
+       (github.event.comment.author_association == 'MEMBER' ||
+        github.event.comment.author_association == 'OWNER' ||
+        github.event.comment.author_association == 'COLLABORATOR') &&
+       contains(github.event.comment.body, '@claude')) ||
+
+      (github.event_name == 'pull_request_review' &&
+       (github.event.review.author_association == 'MEMBER' ||
+        github.event.review.author_association == 'OWNER' ||
+        github.event.review.author_association == 'COLLABORATOR') &&
+       contains(github.event.review.body, '@claude')) ||
+
+      (github.event_name == 'issues' &&
+       (github.event.issue.author_association == 'MEMBER' ||
+        github.event.issue.author_association == 'OWNER' ||
+        github.event.issue.author_association == 'COLLABORATOR') &&
+       (contains(github.event.issue.body, '@claude') ||
+        contains(github.event.issue.title, '@claude')))
     runs-on: ubuntu-latest
     permissions:
       contents: read
