docs: pull_request_target guidance and base-action trust model

[OctavianGuzu]

Adds:

• docs/security.md section on safe checkout patterns under pull_request_target / workflow_run
• base-action/README.md trust-model section clarifying the base-action does not enforce trust boundaries; callers should use claude-code-action for untrusted-input workflows
• Brief docs/security.md pointer to the base-action distinction

[claude]

Implementation looks solid and all my earlier feedback has been addressed — deferring to a human only because this is an intentional breaking change to a security-relevant default for standalone base-action consumers, which warrants a maintainer sign-off.

Extended reasoning...

Overview

This PR changes setupClaudeCodeSettings() so that enableAllProjectMcpServers is no longer hardcoded to true; it is now driven by a new enable_all_project_mcp_servers input. The base-action defaults the input to false (a behavior change), the wrapper action defaults it to true (no behavior change, since .mcp.json is already restored from the PR base ref via restoreConfigFromBase). Touches both action.yml files, both entrypoints (base-action/src/index.ts, src/entrypoints/run.ts), the settings helper, its unit tests, the MCP integration workflow, and four doc surfaces.

Security risks

The change is a security hardening: it stops the standalone base-action from auto-approving every MCP server in a PR-controlled .mcp.json. The new input is a plain boolean string compared with === "true", plumbed via the standard composite-action env: mapping — no injection surface. The wrapper keeps its prior behavior, justified by the existing restoreConfigFromBase mitigation. I see no new exposure introduced.

Level of scrutiny

Medium-high. The code change is mechanically simple (one new optional parameter, one boolean plumbed through two action manifests), but it sits on the MCP trust boundary and is an intentional breaking change for anyone calling anthropics/claude-code-base-action directly with a project .mcp.json. The split default (false for base-action, true for wrapper) is a reasonable design but is exactly the kind of policy decision a maintainer should explicitly ratify rather than have auto-approved.

Other factors

Over four review rounds I flagged stale doc notes, a missing docs/usage.md row, and two CI regressions in test-mcp-servers.yml (including the latent mcp_config plumbing gap) — all were fixed in f3f6fb1, cf66f1d, 9d2286e, and 52fafff and the threads are resolved. Unit tests now cover both the new default-false and explicit opt-in paths, plus the override-precedence over settings JSON. The current bug-hunt pass found nothing further. The only residual item is the pre-existing mcp_config plumbing gap, which the author has explicitly scoped out with a TODO and a follow-up — that's reasonable.

[claude]

All my earlier feedback has been addressed and I found nothing new — but this is an acknowledged breaking change to a security-relevant default (with the open "uniform rule vs. special-case trusted non-PR triggers" design call you flagged), so a maintainer should sign off rather than me.

Extended reasoning...

Overview

This PR flips enableAllProjectMcpServers from a hardcoded true to an opt-in: false by default in the base-action, and gated on restoreConfigFromBase in the wrapper. It adds a new enable_all_project_mcp_servers input to both action.yml files, threads it through base-action/src/index.ts → setup-claude-code-settings.ts and src/entrypoints/run.ts, adds resolveEnableAllProjectMcpServers() to restore-config.ts, and updates tests, docs (README, configuration.md, usage.md), and the test-mcp-servers.yml CI workflow. 12 files touched.

Security risks

The change moves in the safer direction (stops auto-trusting checkout-controlled .mcp.json), so it does not introduce new attack surface. The remaining risk is policy/design: the wrapper now defaults to false on non-PR triggers (push/schedule/workflow_dispatch/issues), which are trusted-checkout contexts where the original threat model doesn't apply. The author intentionally chose a uniform rule over special-casing those and explicitly invited maintainer input on that tradeoff.

Level of scrutiny

High. This is (a) an acknowledged breaking change for existing non-PR wrapper users relying on in-repo .mcp.json, (b) a change to a security-relevant default, and (c) touches both public action input surfaces and the main run.ts entrypoint. Breaking changes to published action defaults warrant human maintainer sign-off, not bot approval.

Other factors

Across six prior review rounds I raised stale-doc notes, two CI regressions, a JSDoc-ordering nit, and the non-PR-trigger behavior question — all were addressed (commits f3f6fb1, cf66f1d, 9d2286e, 52fafff, 9452710, 7942438, 47f4332) and the PR description was updated with an accurate behavior matrix and breaking-change section. Unit tests cover both the new setupClaudeCodeSettings parameter and resolveEnableAllProjectMcpServers. The implementation looks correct to me; I'm deferring purely on scope/breaking-change grounds, not correctness.

[claude]

All prior feedback is addressed and I found nothing new, but this changes a security default, adds a public input to both action manifests, and ships a documented breaking change for non-PR triggers (with an open design question on whether to special-case merged-code contexts) — that combination should get a maintainer's eyes before merge.

Extended reasoning...

Overview

This PR flips the enableAllProjectMcpServers default from hardcoded true to opt-in, threading a new enable_all_project_mcp_servers input through both base-action/action.yml and the wrapper action.yml. The wrapper auto-enables it only when restoreConfigFromBase ran (PR-entity contexts); all other triggers now default to false. It touches 13 files: both action manifests, src/entrypoints/run.ts, src/github/operations/restore-config.ts (new resolveEnableAllProjectMcpServers helper + bunfig.toml added to SENSITIVE_PATHS), base-action/src/{index,setup-claude-code-settings}.ts, three doc files, two test files, the MCP CI workflow, and a new base-action/bunfig.toml. The latest commit (219a2de) also pins bun's --config/--tsconfig-override in base-action/action.yml to the action directory.

Security risks

The change is itself a security hardening — it stops auto-trusting a checkout-controlled .mcp.json. The direction is strictly safer than before. The new bun-config pinning and adding bunfig.toml to the base-ref restore list close a related workspace-config surface. I see no new injection, auth, or data-exposure risk introduced; the input is a plain boolean string compared with === "true"/=== "false".

Level of scrutiny

High. This is (a) a change to a security-relevant default, (b) a new public input on both published actions, and (c) an acknowledged breaking change for wrapper users on push/schedule/workflow_dispatch/issues triggers. The author explicitly left a design choice open ("happy to revisit if we'd rather special-case the merged-code triggers") — whether to keep the uniform rule or default trusted non-PR checkouts back to true is a product/security tradeoff a maintainer should ratify, not a bot.

Other factors

Seven rounds of bot review surfaced two CI regressions, an orphaned JSDoc, and four stale-doc spots — all fixed and resolved. Unit tests cover both setupClaudeCodeSettings and the new resolver; the MCP integration workflow was opted in. The diff is internally consistent and well-documented now, but the breaking-change scope plus the open design question put this outside what I'll approve without a human.

[claude]

No issues found in the final state — all earlier review threads are resolved. Deferring to a maintainer because this changes a security-relevant default (auto-enabling in-repo .mcp.json servers) with breaking-change implications for workflow_run and base-action-standalone users, and the trust-gating design iterated several times during review; worth a human sign-off on the final semantics.

Extended reasoning...

Overview

This PR changes how enableAllProjectMcpServers is resolved across both the base-action and the wrapper action, adds an enable_all_project_mcp_servers opt-in input, pins bun's --config/--tsconfig-override/--no-env-file in base-action, adds bunfig.toml to SENSITIVE_PATHS, and pins --setting-sources user for plugin install. It touches 16 files: both action.yml definitions, run.ts, restore-config.ts, setup-claude-code-settings.ts, install-plugins.ts, four docs files, two test files, a CI workflow, and a new bunfig.toml + test/restore-config.test.ts.

Security risks

The whole PR is about a security-relevant default — whether to auto-approve every MCP server in the checkout's .mcp.json. The final design is strictly tighter than main (where it was hardcoded true): the base-action now defaults to false under pull_request_target/workflow_run/issue_comment, and the wrapper only forces true when it has positively established the project config is merged code (PR-restored, or non-PR entity event). Nothing here widens an attack surface; the risk is in getting the trust gating right, and the two-layer resolver (wrapper → true/undefined, base-action ??= !isPrivilegedExternalEvent()) is subtle enough that a maintainer should confirm the final event-by-event matrix matches intent.

Level of scrutiny

High. This is a security-hardening change to a published GitHub Action's default behavior, with a documented breaking change for some triggers. The design flipped several times during review (wrapper default true → gated on configRestoredFromBase → bare true → gated on projectConfigTrusted deferring to base-action), so the docs/PR-body/behavior alignment deserves a final human read. Not a candidate for bot auto-approval.

Other factors

All twelve of my earlier inline threads are resolved and the bug hunter found nothing on the current head (fa0de7b). Unit tests cover both resolvers and the event-gated defaults. The one residual nit — action.yml/docs/usage.md/docs/configuration.md still phrase the wrapper default as a flat "Defaults to true" — is now mostly accurate after the final design (only workflow_run deviates), so I'm not re-raising it. The pre-existing mcp_config plumbing gap is correctly noted as a TODO and out of scope.

[claude]

No further issues found — all earlier feedback has been addressed. Deferring to a human reviewer for sign-off since this changes security-relevant defaults (enableAllProjectMcpServers gating, SENSITIVE_PATHS, isPrivilegedExternalEvent) and the two-layer wrapper/base-action resolver design went through several iterations that a maintainer should validate.

Extended reasoning...

Overview

This PR changes how project-level .mcp.json servers are auto-enabled, across 16 files: both action.yml definitions, base-action/src/setup-claude-code-settings.ts (new isPrivilegedExternalEvent + resolveEnableAllProjectMcpServers), src/entrypoints/run.ts (new projectConfigTrusted gating), src/github/operations/restore-config.ts (adds bunfig.toml to SENSITIVE_PATHS + wrapper resolver), base-action/src/install-plugins.ts (pins --setting-sources user), base-action/action.yml (pins bun --config/--tsconfig-override/--no-env-file), four doc files including a new docs/security.md section on pull_request_target/workflow_run, the MCP integration workflow, and corresponding tests.

Security risks

The PR is itself a security hardening — it tightens defaults so attacker-controlled .mcp.json is not auto-approved under privileged-external events. The risks to review are in the design rather than the implementation: the final behavior is the composition of two resolvers (wrapper returns true/false/undefined; base-action's ??= !isPrivilegedExternalEvent() fills undefined), and the per-event truth table (PR-entity → restore+enable; issues/non-PR issue_comment → trust default-branch; push/schedule/workflow_dispatch → enable via fallback; workflow_run → disable) is subtle enough that a maintainer should confirm it matches the intended threat model. Adding bunfig.toml to SENSITIVE_PATHS and pinning bun's --config/--no-env-file also change what the action reads from the workspace at startup.

Level of scrutiny

High. This is production-critical, security-sensitive code that determines whether arbitrary MCP server commands from a checkout are auto-spawned with the action's secrets. The design iterated substantially during review (the wrapper default flipped between restore-gated → bare true → restore-gated → projectConfigTrusted+fallback), and the author noted they're "happy to revisit" the merged-code-trigger special-casing — that's a judgment call for a maintainer, not a bot.

Other factors

All 13 prior inline comments from automated review have been addressed and resolved; the current bug-hunting pass found nothing. Unit tests cover both resolvers and the event-gated default. The base-action change is technically a behavioral change for standalone users on pull_request_target/workflow_run/issue_comment (now defaults to false), which is intentional and documented but worth a maintainer's explicit acknowledgment.

[claude]

LGTM — 1d51c38 re-applied the root checkout and workflow_run ref fixes, so the examples now work as written; the remaining @v4→@v6 note is cosmetic.

Extended reasoning...

Overview

After an extensive descope, this PR is now purely additive documentation touching two files: a new Trust model section in base-action/README.md clarifying that the base action enforces no trust boundaries and pointing untrusted-input workflows at the wrapper, and a new section in docs/security.md covering safe checkout patterns under pull_request_target / workflow_run plus a brief base-action vs wrapper distinction. No code, action.yml, workflow, or test changes remain.

What changed since my last review

My unresolved comment (3149461566) flagged that the earlier 4ac01f0 doc edits hadn't survived the descope. Commit 1d51c38 re-applies them: the second example now prepends a base-ref actions/checkout at the workspace root (so the action's git fetch in restoreConfigFromBase won't hit fatal: not a git repository), the prose at line 25 names both github.event.pull_request.head.sha and github.event.workflow_run.head_sha, the second example carries an inline comment for the workflow_run ref, the PRT-only gh pr diff/gh pr view hint is removed, and the closing line is generalised to "these event types". All four points from that comment are addressed.

Security risks

None introduced — this is documentation only. The content is itself security guidance, so accuracy matters: I've verified the recommended patterns against the action's behaviour (pull_request_target normalises to a PR entity context and runs restoreConfigFromBase in cwd, hence the root-checkout requirement; --add-dir pr-head keeps the untrusted ref out of the project-config search path). The trust-model section's claims about the wrapper (actor permission checks, base-ref config restore) are accurate per src/github/operations/restore-config.ts and src/github/validation/actor.ts. The external links point to the official GitHub Security Lab pwn-requests writeup and Anthropic's Claude Code security docs.

Level of scrutiny

Moderate — security docs are copy-pasted into user workflows so the examples need to be runnable and not misleading, but there is zero runtime/behavioural surface in this diff. The content has been through ~14 rounds of review on this PR (most of it on now-removed code changes), and every doc-specific issue raised has been incorporated.

Other factors

The one inline nit on this run — actions/checkout@v4 vs the repo's @v6 convention — is purely cosmetic with no functional difference, and explicitly non-blocking. Two pre-existing @v4 references already exist in the repo. Fine to take or leave at the author's discretion.

[claude]

LGTM — docs-only addition with accurate, conservative security guidance; all prior feedback addressed.

Extended reasoning...

Overview

This PR has been descoped to a pure documentation change touching two files: base-action/README.md (+8 lines adding a Trust model section) and docs/security.md (+33 lines adding a section on safe checkout patterns under pull_request_target / workflow_run, plus a brief subsection distinguishing claude-code-action from claude-code-base-action). No code, config, workflow, or test files are modified.

Security risks

None introduced. This is additive security documentation that reduces risk by steering users away from the well-known pwn-request foot-gun (checking out an untrusted PR head into $GITHUB_WORKSPACE under a privileged event). The recommended patterns are correct: base-ref checkout at the workspace root, untrusted head ref isolated to a subdirectory via path: + --add-dir. The base-action trust-model section accurately states that the base-action enforces no trust boundaries and points users to the wrapper for untrusted-input workflows. External links (GitHub Security Lab pwn-request article, Anthropic security docs) are appropriate and the internal #trust-model anchor resolves.

Level of scrutiny

Low-to-moderate. It is security documentation rather than security code — no runtime behavior changes. The content has already been through extensive iterative review on this PR (14+ inline threads, all resolved): the second example was fixed to include a root-level base-ref checkout so it doesn't hard-fail with fatal: not a git repository, the workflow_run.head_sha variant was added alongside the PRT ref, the PRT-only gh pr diff hint was dropped, the closing line was generalized, and the actions/checkout pins were aligned to @v6 (commit cf1170e). I re-read the final diff against each of those resolved threads and all agreed-upon fixes are present.

Other factors

No CODEOWNERS file in the repo. No outstanding reviewer comments. The bug-hunting system found nothing on the current revision. The earlier code/behavior changes (the enable_all_project_mcp_servers input and resolver logic) that drove most of the prior review traffic have been removed from this PR entirely, so the bulk of the resolved threads are now moot — what remains is a small, self-contained, purely additive doc change.