Skip to content

fix: add --allowedTools to Claude PR review workflow#149

Merged
Puneethkumarck merged 2 commits into
mainfrom
fix/claude-pr-review-permissions
Mar 9, 2026
Merged

fix: add --allowedTools to Claude PR review workflow#149
Puneethkumarck merged 2 commits into
mainfrom
fix/claude-pr-review-permissions

Conversation

@Puneethkumarck

@Puneethkumarck Puneethkumarck commented Mar 9, 2026

Copy link
Copy Markdown
Owner

Summary

  • Claude PR review was failing with 18 permission denials — all tool calls (Read, Grep, Glob, Bash) were blocked
  • Added --allowedTools Read,Glob,Grep,Bash to grant Claude read access to the codebase
  • Increased max turns from 10 to 15 to give enough room for a thorough review

Root cause: claude-code-action in CI requires explicit --allowedTools — without it, Claude can't read any files and exhausts turns trying.

Test plan

  • Verify next PR triggers a successful Claude review (no permission denials)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated internal CI/CD workflow configuration to enhance development review processes.

Note: This release contains no user-facing changes. The update is limited to internal development infrastructure enhancements.

@coderabbitai

coderabbitai Bot commented Mar 9, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@Puneethkumarck has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 8 minutes and 20 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 71c4ab86-d7e5-472b-8f34-581f497fdb6f

📥 Commits

Reviewing files that changed from the base of the PR and between f8edd35 and 45ca207.

📒 Files selected for processing (1)
  • .github/workflows/claude-pr-review.yml

Walkthrough

Updates the Claude PR review workflow to expand available tool access (Read, Glob, Grep, Bash) and extend interaction capacity from 10 to 15 turns, enabling more thorough code analysis during automated review cycles.

Changes

Cohort / File(s) Summary
Workflow Configuration
.github/workflows/claude-pr-review.yml
Extended Claude agent toolset and interaction depth for PR reviews via claude_args parameter adjustment.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested labels

chore

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed Title clearly describes the main change: adding --allowedTools flag to the Claude PR review workflow to fix permission issues.
Description check ✅ Passed Description covers root cause, solution, and test plan. Missing formal template structure (Summary/Related Issue/Type of Change/What Changed sections), but contains substantive technical detail.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/claude-pr-review-permissions

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude-pr-review.yml:
- Line 35: The workflow exposes an unsafe tool list by including "Bash" in the
claude_args string for pull-request workflows; update the claude_args value used
in the PR workflow to remove "Bash" so the allowedTools list is only
"Read,Glob,Grep" (leave other flags like --max-turns intact) to eliminate
arbitrary shell execution for untrusted PR content and keep any shell analysis
in a separate trusted workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8fd507a4-2254-4ca6-a566-65356123cada

📥 Commits

Reviewing files that changed from the base of the PR and between b0d1047 and f8edd35.

📒 Files selected for processing (1)
  • .github/workflows/claude-pr-review.yml

Comment thread .github/workflows/claude-pr-review.yml Outdated
Claude Code in CI needs explicit tool permissions. Without --allowedTools,
all 18 tool calls were denied (Read, Grep, Glob, Bash), causing the review
to exhaust its max turns without reading any code.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Puneethkumarck Puneethkumarck force-pushed the fix/claude-pr-review-permissions branch from f8edd35 to f6ef2c8 Compare March 9, 2026 22:00
Security: Bash tool on untrusted PR content allows arbitrary shell execution.
Reduce max-turns from 15 to 10 to limit review cost.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Puneethkumarck Puneethkumarck merged commit 422d52d into main Mar 9, 2026
11 of 12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant