Fix Claude Code review allowedTools to accept flags #734

Merged
syed-ahsan-ishtiaque merged 2 commits into main from fix-claude-review-allowedtools-wildcards
Apr 24, 2026

@syed-ahsan-ishtiaque
Contributor

Summary

  • Adds trailing wildcards (*) to the Claude Code review allowedTools patterns so gh pr diff NNN and gh pr view NNN commands with flags (e.g. --json, --web) are still allowed
  • Without the wildcard, Bash(gh pr view 394) only matched the literal string gh pr view 394 and would deny any invocation with flags like gh pr view 394 --json number,title,..., causing Claude to burn through turns on repeated permission denials until hitting the 15-min timeout

Security

Trailing wildcard is still scoped to the current PR number via ${{ github.event.pull_request.number }}, so Claude cannot access other PRs. For example, Bash(gh pr view 394*) matches gh pr view 394 --json ... but NOT gh pr view 391.

Test plan

  • Verify Claude review runs complete faster (not hitting timeout) on new PRs
  • Verify Claude still cannot read/post to other PR numbers
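
A check for the second test-plan item, as an added example that is not part of the PR or the repository: it models an allowedTools entry as a shell glob (an assumption about the matcher) and runs constructed commands against the trailing-wildcard form and a tighter exact-plus-space form. The function names and sample commands are made up for illustration.

```shell
#!/bin/sh
# Added example: model one allowedTools Bash(...) entry as a shell glob.
# ASSUMPTION: '*' matches any run of characters, as in a `case` pattern.

# allowed PATTERN COMMAND -> exit 0 if COMMAND matches PATTERN, else 1
allowed() {
    case "$2" in
        $1) return 0 ;;   # unquoted on purpose: $1 is used as a glob
        *)  return 1 ;;
    esac
}

# allowed_any COMMAND PATTERN... -> exit 0 if any pattern matches COMMAND
allowed_any() {
    cmd=$1; shift
    for pat in "$@"; do
        allowed "$pat" "$cmd" && return 0
    done
    return 1
}

PR=394   # sample PR number, the one used in the PR description

# audit LABEL PATTERN... : print a verdict for each constructed command
audit() {
    label=$1; shift
    echo "== $label"
    while IFS= read -r line; do
        if allowed_any "$line" "$@"; then verdict=ALLOW; else verdict=DENY; fi
        printf '%-5s %s\n' "$verdict" "$line"
    done <<EOF
gh pr view $PR
gh pr view $PR --json number,title
gh pr view 391
gh pr view ${PR}0
EOF
}

audit "trailing wildcard, as in the PR description" "gh pr view $PR*"
audit "exact entry plus space-delimited wildcard" "gh pr view $PR" "gh pr view $PR *"
```

Under the glob assumption, the number-prefix case (3940 for PR 394) is the one that separates the two forms; running the same commands through a real review job shows how the installed matcher treats it.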

@syed-ahsan-ishtiaque added the "skip changelog" label (doesn't need a CHANGELOG entry) Apr 23, 2026
@syed-ahsan-ishtiaque requested a review from a team as a code owner April 23, 2026 23:58
Comment thread .github/workflows/claude-code-review.yml Outdated
Contributor

@github-actions github-actions Bot left a comment

Targeted fix — the trailing wildcard entries address the real problem (exact-match denying flagged invocations). Two observations inline on the changed line.

Comment thread .github/workflows/claude-code-review.yml
Comment thread .github/workflows/claude-code-review.yml
@syed-ahsan-ishtiaque merged commit e3e14cf into main Apr 24, 2026
18 checks passed
@syed-ahsan-ishtiaque deleted the fix-claude-review-allowedtools-wildcards branch April 24, 2026 21:40