Problem
The workflow generated by /install-github-app and the example in docs/usage.md do not include an author_association filter or a sender.type != 'Bot' guard in the if: condition. This causes two issues:
-
Self-trigger loop : The agent's reply comment can contain @claude, re-triggering the workflow indefinitely.
-
Denial-of-wallet surface: On public repos, any user can comment @claude to trigger the workflow. The action's internal checkWritePermissions gate (in src/github/validation/permissions.ts) blocks non-collaborators from write actions, but the workflow still runs and may consume API tokens before that gate fires at the tool-execution layer.
Current pattern (from docs/usage.md)
The docs/usage.md example does not even include an if: condition:
name: Claude Assistant
on:
issue_comment:
types: [created]
jobs:
claude-response:
runs-on: ubuntu-latest
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
The /install-github-app generated workflow adds a content check but no actor filter:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || ...
Suggested addition
if: |
contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
github.event.sender.type != 'Bot' &&
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || ...
This prevents both self-trigger loops (bot comments are excluded) and non-collaborator triggers (only OWNER/MEMBER/COLLABORATOR can invoke).
Problem
The workflow generated by
/install-github-appand the example indocs/usage.mddo not include anauthor_associationfilter or asender.type != 'Bot'guard in theif:condition. This causes two issues:Self-trigger loop : The agent's reply comment can contain
@claude, re-triggering the workflow indefinitely.Denial-of-wallet surface: On public repos, any user can comment
@claudeto trigger the workflow. The action's internalcheckWritePermissionsgate (insrc/github/validation/permissions.ts) blocks non-collaborators from write actions, but the workflow still runs and may consume API tokens before that gate fires at the tool-execution layer.Current pattern (from
docs/usage.md)The
docs/usage.mdexample does not even include anif:condition:The
/install-github-appgenerated workflow adds a content check but no actor filter:Suggested addition
This prevents both self-trigger loops (bot comments are excluded) and non-collaborator triggers (only OWNER/MEMBER/COLLABORATOR can invoke).