From 21b6809277c3b809fa415b6b227f76582c6facf4 Mon Sep 17 00:00:00 2001
From: LUIS NOVO
Date: Tue, 13 Jan 2026 18:47:36 -0300
Subject: [PATCH] security: add persist-credentials false to checkout step

Prevent GITHUB_TOKEN from being stored in .git/config when checking out PR code in pull_request_target workflows. This is a security best practice to prevent untrusted code from potentially accessing stored credentials. While the Claude Code action doesn't execute arbitrary PR code, this follows defense-in-depth security principles to minimize attack surface when handling untrusted code from forks.
---
 .github/workflows/claude-code-review.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index f46ed0a..e049561 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -33,6 +33,7 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 1
+ persist-credentials: false
 - name: Run Claude Code Review
 id: claude-review