Skip to content

Restrict @claude bot to mcp org only, fix fork behavior #819

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
domdomegg merged 6 commits into from
Dec 8, 2025
+33 −0
Merged

Restrict @claude bot to mcp org only, fix fork behavior #819

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
107113a
Restrict @claude bot to maintainers only
tadasant Dec 5, 2025
7d1919f
Use org membership check instead of hardcoded maintainer list
tadasant Dec 5, 2025
5a05bbc
Fetch org members from access repo instead of using PAT
tadasant Dec 5, 2025
dfa5eb2
Add fork PR support with proper checkout and permissions
tadasant Dec 5, 2025
7e835d7
Remove maintainer onboarding doc (will be in separate PR)
tadasant Dec 5, 2025
471c03d
Keep read permissions for workflow token
tadasant Dec 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions .github/workflows/claude.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,43 @@ jobs:
id-token: write
actions: read
steps:
# Only allow modelcontextprotocol org members to trigger @claude
# This enables @claude to work on external fork PRs when triggered by org members
# Members list is fetched from modelcontextprotocol/access repo
- name: Check if org member
run: |
ACTOR="${{ github.triggering_actor }}"
USERS_URL="https://raw.githubusercontent.com/modelcontextprotocol/access/main/src/config/users.ts"

# Fetch users.ts and extract GitHub usernames
MEMBERS=$(curl -fsSL "$USERS_URL" | grep -oE 'github:\s*"[^"]+"' | sed 's/github:\s*"//;s/"$//')

if echo "$MEMBERS" | grep -qxF "$ACTOR"; then
echo "User $ACTOR is a member of modelcontextprotocol org"
else
echo "::error::User $ACTOR is not a member of the modelcontextprotocol org. Only org members can trigger @claude."
exit 1
fi

# For PR comments, get PR details to checkout the correct branch (including forks)
- name: Get PR details
id: pr
if: github.event.issue.pull_request
env:
GH_TOKEN: ${{ github.token }}
run: |
PR_DATA=$(gh api ${{ github.event.issue.pull_request.url }})
echo "number=$(echo "$PR_DATA" | jq -r '.number')" >> $GITHUB_OUTPUT
echo "head_ref=$(echo "$PR_DATA" | jq -r '.head.ref')" >> $GITHUB_OUTPUT
echo "head_repo=$(echo "$PR_DATA" | jq -r '.head.repo.full_name')" >> $GITHUB_OUTPUT
echo "is_fork=$(echo "$PR_DATA" | jq -r '.head.repo.fork')" >> $GITHUB_OUTPUT

- name: Checkout repository
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
with:
fetch-depth: 1
# For fork PRs, checkout via PR ref; otherwise use the branch directly
ref: ${{ steps.pr.outputs.is_fork == 'true' && format('refs/pull/{0}/head', steps.pr.outputs.number) || steps.pr.outputs.head_ref || github.ref }}

- name: Run Claude Code
id: claude
Expand Down
Loading