
fix: allow Bash tool in claude-code-action for dependabot workflow #43

Merged
Dorac merged 2 commits into master from fix/claude-action-allow-bash
Jun 18, 2026


@Dorac Dorac commented Jun 18, 2026

Contributor

Summary

  • Root cause: in agent mode, claude-code-action defaults to allowedTools: undefined when no allowed_tools input is given. In non-interactive CI mode, Claude Code denies all tool calls without human approval → permission_denials_count: 14, nothing gets merged.
  • Fix: add allowed_tools: 'Bash' so Claude can run the gh and grep commands specified in the prompt.

Test plan

  • Trigger a fresh Dependabot PR run (@dependabot recreate) and verify Claude runs to completion and labels/merges the PR

🤖 Generated with Claude Code

PR Summary by Typo

Overview

This PR fixes an issue by explicitly allowing the Bash tool within the claude-code-action for the Dependabot auto-merge workflow.

Key Changes

  • Added allowed_tools: 'Bash' to the claude-code-action configuration in the dependabot_auto_merge.yml workflow.

Work Breakdown

| Category | Lines Changed |
|---|---|
| New Work | 1 (100.0%) |
| Total Changes | 1 |

Without allowed_tools, Claude Code runs with no permitted tools in
non-interactive CI mode and all 14 tool calls are denied
(permission_denials_count: 14). Claude needs Bash to run gh and grep
commands as specified in the prompt.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

typo-app Bot commented Jun 18, 2026


Static Code Review 📊

✅ All quality checks passed!

Bare 'Bash' allows arbitrary shell execution — a prompt injection via
PR description could run any command with GH_AUTO_MERGE_TOKEN perms.
Restrict to only the commands Claude actually needs:
- Bash(gh:*)   for gh pr view/edit/review/merge
- Bash(grep:*) for codebase package usage scan

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Dorac Dorac merged commit 833dfe2 into master Jun 18, 2026
4 of 8 checks passed
@Dorac Dorac deleted the fix/claude-action-allow-bash branch June 18, 2026 15:49
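
A CI check for the risk raised in the second commit message, as an added example that is not part of this PR or of claude-code-action: it scans workflow text for `allowed_tools` entries and reports any `Bash` grant that carries no command scope. The accepted value layouts (comma-separated on one line, or an indented block), the function names and the sample snippets are assumptions constructed for illustration.

```python
import re

KEY = re.compile(r"^(\s*)allowed_tools:\s*(.*)$")
ENTRY = re.compile(r"[A-Za-z_]\w*(?:\([^)]*\))?")  # Tool or Tool(scope)
BLOCK_MARKERS = ("", "|", ">", "|-", ">-")

def allowed_tool_entries(workflow_text):
    """Yield (line_number, entry) for each tool listed under allowed_tools."""
    lines = workflow_text.splitlines()
    for n, line in enumerate(lines):
        m = KEY.match(line)
        if not m:
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        chunks = [(n + 1, value.strip("'\""))]
        if value in BLOCK_MARKERS:  # value continues on indented lines below
            chunks = []
            for k in range(n + 1, len(lines)):
                body = lines[k]
                if body.strip() and len(body) - len(body.lstrip()) <= indent:
                    break
                chunks.append((k + 1, body))
        for lineno, text in chunks:
            for entry in ENTRY.findall(text):
                yield lineno, entry

def classify(entry):
    name, _, rest = entry.partition("(")
    if name != "Bash":
        return "other-tool"
    scope = rest.rstrip(")").strip()
    # Assumption: an empty or wildcard-only scope is as broad as bare Bash.
    return "unscoped-shell" if scope in ("", "*", ":*") else "scoped-shell"

def unscoped_shell_grants(workflow_text):
    """Return [(line_number, entry)] for Bash grants with no command scope."""
    return [(n, e) for n, e in allowed_tool_entries(workflow_text)
            if classify(e) == "unscoped-shell"]

# Constructed snippets, not the repository's actual workflow file.
BEFORE = "with:\n  allowed_tools: 'Bash'\n"
AFTER = "with:\n  allowed_tools: 'Bash(gh:*),Bash(grep:*)'\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, unscoped_shell_grants(text))
```

Running it over every file under `.github/workflows/` and failing the job on a non-empty result keeps a bare `Bash` grant from being reintroduced in a later change.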