ci: gate workflows on org membership + allow claude[bot]

[shuheng-liu]

What this does

Two coupled changes to .github/workflows/:

1. Fixes the review job failure on #243. The claude-pr-review.yml workflow on PR #243 (chore(claude): learn from #242, opened by claude[bot]) failed at the anthropics/claude-code-action@v1 step with Workflow initiated by non-human actor: claude (type: Bot). Add bot to allowed_bots list or use '*' to allow all bots. The action's allowed_bots input defaults to "" and rejects bot triggers. Fix: pass allowed_bots: "claude[bot]" on every claude-code-action step in the three Claude workflows.

2. Restricts CI triggers to org members + claude[bot]. Previously any outside contributor could trigger CI by opening a PR or commenting @claude fix. For Claude workflows that meant burning Anthropic API credits with attacker-controlled prompts under --permission-mode bypassPermissions; for cpu_test.yml / pre-commit.yml it meant executing fork code on our runners. Six workflows now gate on github.<event>.<x>.author_association ∈ {OWNER, MEMBER, COLLABORATOR} OR login == 'claude[bot]' (the bot account that opens our chore(claude): learn from #N PRs). push and workflow_dispatch events are short-circuited through (already require write access).

Files touched (all .github/workflows/):

• claude-pr-review.yml — trust gate + loop guard tightened to exact claude[bot] match + allowed_bots: "claude[bot]".
• claude-implement-fixes.yml — trust gate per event source (issue_comment, pull_request_review_comment, pull_request_review); old user.type != 'Bot' checks dropped (subsumed) + allowed_bots: "claude[bot]".
• extract-claude-lessons.yml — defense-in-depth trust check appended to existing branch-name gate + allowed_bots: "claude[bot]".
• cpu_test.yml, pre-commit.yml — job-level if: gating PR events only.
• check-pr-checklist.yml — job-level if: gating PR events.

Out of scope: gpu_test.yml, regression_test.yml, build-docker-images.yml (schedule + workflow_dispatch only), publish-pypi.yml (tag push only). Bot allowlist is claude[bot] only — no dependabot[bot], no * (public-repo risk per the action's docs).

How it was tested

• pre-commit run --files .github/workflows/*.yml — passes (yaml-lint, zizmor GitHub Actions security scanner, gitleaks, typos).
• Trace-through verification of the if: predicates against each event payload's author_association / user.login paths (paths confirmed against existing usages in the same files).
• Loop-guard scenario walked: opened short-circuits true (auto-review of claude[bot]-opened PRs); synchronize from claude[bot] push evaluates sender.login != 'claude[bot]' to false → skipped.
• Live verification (after merge) per the plan's verification checklist:
  1. Next chore(claude): learn from #N PR auto-review must succeed (no more "Add bot to allowed_bots list" error).
  2. Outsider PR must show all four PR-event workflows as skipped.
  3. Member @claude fix must trigger claude-implement-fixes.yml; outsider @claude fix must not.

How to checkout & try? (for the reviewer)

git fetch origin claude/fix-ci-restrict-access-jjYFO
git checkout claude/fix-ci-restrict-access-jjYFO
git diff main -- .github/workflows/

Inspect each workflow's job-level if: and the allowed_bots: line on each anthropics/claude-code-action@v1 step.

Checklist

• I have added Google-style docstrings to important functions and ensured function parameters are typed.
• My PR includes policy-related changes.
  • If the above is checked: I have run the GPU pytests (pytest -m "gpu") and regression tests.

---

Generated by Claude Code