[PR] chore(gha): pass commenter login through env in claude.yml [superset]

Mon, 11 May 2026 19:55:47 -0700 


rusackas opened a new pull request, #40042:
URL: https://github.com/apache/superset/pull/40042

   ### SUMMARY
   
   Small hardening of \`.github/workflows/claude.yml\`: move the 
\`github.event.*.user.login\` references off inline \`\${{ }}\` expansion 
inside the shell and \`actions/github-script\` bodies and onto step-level 
\`env:\` blocks, then read the values as \`\$COMMENTER\` / 
\`process.env.COMMENTER_LOGIN\`. This is the standard mitigation pattern 
recommended by [zizmor's template-injection 
rule](https://woodruffw.github.io/zizmor/audits/#template-injection) and 
matches the broader Superset workflow conventions.
   
   No behavior change — the values resolved are identical, they just arrive via 
the runner-set environment instead of being interpolated into the script source 
before execution.
   
   ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
   
   N/A — workflow change only.
   
   ### TESTING INSTRUCTIONS
   
   GitHub Actions workflow files aren't unit-testable in this repo's test 
suite. The change is verifiable by inspection:
   
   - The shell step (\`Check if user is allowed\`) now declares \`env: 
COMMENTER: \${{ github.event.comment.user.login }}\` and reads \`\$COMMENTER\` 
from the environment.
   - The \`actions/github-script\` step (\`Comment access denied\`) declares 
\`env: COMMENTER_LOGIN: ...\` and reads \`process.env.COMMENTER_LOGIN\`.
   
   The allowed-users gating logic is unchanged.
   
   ### ADDITIONAL INFORMATION
   
   - [ ] Has associated issue:
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration (follow approval process in 
[SIP-59](https://github.com/apache/superset/issues/13351))
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to