fix: security, CI, and quality issues across repo #30079

Open
suhail-ak-2 wants to merge 1 commit into anthropics:main from suhail-ak-2:fix/repo-issues-audit


@suhail-ak-2

Summary

Comprehensive audit and fix of security, CI/CD, code quality, and documentation issues across the repository. 39 files changed covering 15 distinct issues.


🔴 Security Fixes

1. JSON injection in log-issue-events.yml

The Statsig logging workflow constructed JSON via shell string interpolation, which is vulnerable to injection via issue titles containing quotes/special characters. Replaced with jq -n for safe JSON construction.

2. Removed unnecessary id-token: write from claude.yml

The @claude mention workflow only needs read permissions. The id-token: write scope was unnecessary and could allow OIDC token generation.

3. Pinned all GitHub Actions to commit SHAs

6 workflows used unpinned tags (@v4, @v2, @v7, @v1) which are vulnerable to tag-repointing attacks. All actions are now pinned to immutable commit SHAs with version comments:

  • actions/checkout 34e114876b... # v4
  • oven-sh/setup-bun 3d267786b... # v2
  • actions/github-script f28e40c7f... # v7
  • anthropics/claude-code-action b35a222b7... # v1

🟠 CI/Workflow Fixes

4. Fixed invalid top-level description field in 3 workflows

auto-close-duplicates.yml, backfill-duplicate-comments.yml, and claude-dedupe-issues.yml had description: as a root-level key, which is not a valid GitHub Actions workflow field. Moved to comments.

5. Fixed event name mismatch in log-issue-events.yml

The workflow triggers on both opened and closed events but always logged github_issue_created. Now dynamically uses github_issue_opened or github_issue_closed based on the actual event action.


🟡 Code Quality Fixes

6. Made init-firewall.sh executable

Only .sh file in the repo missing the executable bit (was 644, all others are 755). The Dockerfile compensates with chmod +x, but source should be correct.

7. Standardized shebangs to #!/usr/bin/env bash

13 scripts used hardcoded #!/bin/bash; standardized to portable #!/usr/bin/env bash for compatibility with NixOS, non-standard containers, etc.

8. Fixed security_reminder_hook.py field name handling

extract_content_from_input() only checked new_string for Edit/MultiEdit tools. Now also checks new_text to avoid silently missing security patterns.

9. Added pagination to API calls in auto-close-duplicates.ts

Comments and reactions API calls had no per_page parameter, defaulting to GitHub's 30-item limit. Issues with 30+ comments could miss duplicate detection. Added per_page=100.

10. Added error messages to silent exits in gh.sh and edit-issue-labels.sh

Both scripts exited with code 1 on validation failures without any stderr output, making CI debugging very difficult. Added descriptive error messages for all failure paths.


🔵 Documentation Fixes

11. Normalized documentation URLs

Consolidated all docs.claude.com/en/docs/claude-code/... URLs to the canonical code.claude.com/docs/en/... domain used in the main README. Also fixed an outdated docs.anthropic.com URL in the hook example.

12. Fixed contradictory install instructions in plugins/README.md

Main README says npm install is deprecated, but plugins/README.md still recommended it. Updated to use the recommended curl / Homebrew methods.

13. Fixed typo in examples/settings/README.md

"Use these are starting points" → "Use these as starting points"

14. Expanded .gitignore

Was only .DS_Store. Added standard ignores for Node (node_modules/, dist/), Python (__pycache__/, *.pyc), environment files (.env), logs, and editor swap files.


Validation

All modified files pass syntax checks:

  • ✅ All JSON files valid (python3 -m json.tool)
  • ✅ All shell scripts valid (bash -n)
  • ✅ All Python files valid (py_compile)
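
The difference item 1 describes, as an added example that is not code from this pull request or from the repository's workflow: a payload built by string interpolation next to the same payload built with `jq -n`. The field names, function names and sample titles are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; payload shape and titles are constructed, not the repo's own.

# Weak form: the issue title is pasted into a JSON template as raw text.
build_interpolated() {
  printf '{"event":"github_issue_opened","title":"%s"}' "$1"
}

# Corrected form: jq receives the title as data (--arg) and escapes it.
build_with_jq() {
  jq -cn --arg title "$1" '{event: "github_issue_opened", title: $title}'
}

# Print the "event" value a JSON consumer would read, or "invalid" when the
# payload does not parse at all.
event_seen() {
  printf '%s' "$1" | jq -r '.event' 2>/dev/null || echo invalid
}

# Constructed titles: one with plain quotes, one whose quotes close the
# string early and append a second "event" key.
quoted_title='say "hi"'
key_title='x","event":"spoofed'

for t in "$quoted_title" "$key_title"; do
  echo "title: $t"
  echo "  interpolated -> event=$(event_seen "$(build_interpolated "$t")")"
  echo "  jq -n        -> event=$(event_seen "$(build_with_jq "$t")")"
done
```

With interpolation the first title yields unparseable JSON and the second changes which event is logged; with `jq -n --arg` both titles stay inside the `title` string.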

Security fixes:
- Fix JSON injection in log-issue-events.yml by using jq for safe payload construction
- Remove unnecessary id-token:write permission from claude.yml
- Pin all GitHub Actions to commit SHAs to prevent supply-chain attacks
- Fix event name mismatch: log correct event (opened/closed) instead of always 'created'

CI/Workflow fixes:
- Move invalid top-level 'description' field to comments in 3 workflow files
- Update actions/checkout SHA to latest v4 in claude.yml

Code quality fixes:
- Make .devcontainer/init-firewall.sh executable (was 644, all other .sh are 755)
- Standardize all shell shebangs to #!/usr/bin/env bash for portability
- Fix security_reminder_hook.py to check both new_string and new_text fields
- Add per_page=100 to comments/reactions API calls in auto-close-duplicates.ts
- Add descriptive error messages to silent exit 1 paths in gh.sh and edit-issue-labels.sh

Documentation fixes:
- Normalize all docs.claude.com URLs to code.claude.com (canonical domain)
- Fix outdated docs.anthropic.com URL in bash_command_validator_example.py
- Fix contradictory npm install instructions in plugins/README.md
- Fix typo 'Use these are' -> 'Use these as' in examples/settings/README.md
- Expand .gitignore with standard Node/Python/editor ignores
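
A check that keeps the SHA pinning from regressing, as an added example that is not part of this pull request or the repository: it lists every `uses:` reference that is not a full 40-character commit SHA. The function names, the sample workflow and the SHA value in it are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: report `uses:` references that are not pinned to a full
# 40-character commit SHA. Sample workflow and SHA below are constructed.

# Print "file:line: ref" for each unpinned action reference in the given files.
unpinned_uses() {
  awk -v sq="'" '
    /^[ \t]*(-[ \t]+)?uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]+)?uses:[ \t]*/, "", ref)
      sub(/[ \t]*#.*$/, "", ref)          # drop a trailing version comment
      sub(/[ \t\r]+$/, "", ref)           # drop trailing whitespace / CR
      gsub(/"/, "", ref); gsub(sq, "", ref)
      # Local actions and container images are not pinned by commit SHA.
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      n = split(ref, part, "@")
      sha = (n > 1) ? part[n] : ""
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/)
        printf "%s:%d: %s\n", FILENAME, FNR, ref
    }
  ' "$@"
}

# Constructed workflow: two tag references, one full SHA, one local action,
# one abbreviated SHA.
sample_workflow() {
  cat <<'EOF'
name: constructed sample
on: [issues]
jobs:
  demo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@0123456789abcdef0123456789abcdef01234567 # v2
      - name: script
        uses: "actions/github-script@v7"
      - uses: ./.github/actions/local
      - uses: actions/checkout@0123456 # abbreviated SHA
EOF
}

tmp=$(mktemp)
sample_workflow > "$tmp"
unpinned_uses "$tmp"   # reports lines 7, 10 and 12 of the sample
rm -f "$tmp"
```

Run against `.github/workflows/*.yml` in CI and fail the job when the function prints anything.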