fix: add --allowedTools to Claude PR review workflow#149
Conversation
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughUpdates the Claude PR review workflow to expand available tool access (Read, Glob, Grep, Bash) and extend interaction capacity from 10 to 15 turns, enabling more thorough code analysis during automated review cycles. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Possibly related PRs
Suggested labels
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/claude-pr-review.yml:
- Line 35: The workflow exposes an unsafe tool list by including "Bash" in the
claude_args string for pull-request workflows; update the claude_args value used
in the PR workflow to remove "Bash" so the allowedTools list is only
"Read,Glob,Grep" (leave other flags like --max-turns intact) to eliminate
arbitrary shell execution for untrusted PR content and keep any shell analysis
in a separate trusted workflow.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 8fd507a4-2254-4ca6-a566-65356123cada
📒 Files selected for processing (1)
.github/workflows/claude-pr-review.yml
Claude Code in CI needs explicit tool permissions. Without --allowedTools, all 18 tool calls were denied (Read, Grep, Glob, Bash), causing the review to exhaust its max turns without reading any code. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
f8edd35 to
f6ef2c8
Compare
Security: Bash tool on untrusted PR content allows arbitrary shell execution. Reduce max-turns from 15 to 10 to limit review cost. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
--allowedTools Read,Glob,Grep,Bashto grant Claude read access to the codebaseRoot cause:
claude-code-actionin CI requires explicit--allowedTools— without it, Claude can't read any files and exhausts turns trying.Test plan
🤖 Generated with Claude Code
Summary by CodeRabbit
Note: This release contains no user-facing changes. The update is limited to internal development infrastructure enhancements.