From: Daan De Meyer <daan@amutable.com>
Date: Wed, 18 Mar 2026 10:28:55 +0000 (+0100)
Subject: ci: Enable network isolation for claude and allow most tools
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eef8f528a39530441c496d2de1a90dd3bb4dc420;p=thirdparty%2Fsystemd.git

ci: Enable network isolation for claude and allow most tools

claude wants to use python to access the JSON context so let's allow
it. Since python3 basically allows you to reimplement every other tool,
let's just enable all tools except the web related ones but enable network
isolation so it can't try to exfiltrate anything via python.
---

diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index 3b2444073a9..dbab77b2e72 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -162,6 +162,9 @@ jobs:
         with:
           name: pr-context.json
 
+      - name: Install sandbox dependencies
+        run: sudo apt-get update && sudo apt-get install -y bubblewrap socat
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
         with:
@@ -232,17 +235,20 @@ jobs:
           allowed_non_write_users: "*"
           track_progress: false
           show_full_output: "true"
+          # Sandbox Bash commands to prevent network access and restrict
+          # filesystem writes to the working directory.
+          settings: |
+            {
+              "sandbox": {
+                "enabled": true,
+                "autoAllowBashIfSandboxed": true,
+                "allowUnsandboxedCommands": false
+              }
+            }
           claude_args: |
             --model us.anthropic.claude-opus-4-6-v1
             --max-turns 100
-            --allowedTools "
-                Read,LS,Grep,Glob,Task,TaskStop,
-                Bash(cat *),Bash(test *),Bash(printf *),Bash(jq *),Bash(head *),Bash(tail *),
-                Bash(git log *),Bash(git diff *),Bash(git show *),Bash(git rev-parse *),
-                Bash(git merge-base *),Bash(git blame *),Bash(git branch *),Bash(git status *),
-                Bash(grep *),Bash(find *),Bash(ls *),Bash(wc *),
-                Bash(diff *),Bash(sed *),Bash(awk *),Bash(sort *),Bash(uniq *),
-                "
+            --disallowedTools "WebFetch,WebSearch"
             --json-schema '${{ env.REVIEW_SCHEMA }}'
           prompt: |
               REPO: ${{ github.repository }}
@@ -252,6 +258,7 @@ jobs:
               produce a structured JSON result containing your review. Do NOT attempt
               to post comments yourself — just return the JSON. You are in the upstream repo
               with the PR branch available as `pr-review`. Do not apply or merge the patch.
+              You have no network access — all required context has been pre-fetched locally.
 
               ## Phase 1: Read context