Restore tool permissions for workflow execution

ghostwriternr · ghostwriternr · commit 95ea005c7a61 · 2025-11-13T17:13:39.000Z
Commit b47b8c3 removed claude_args configuration, causing permission denials for gh and git commands in CI. This restores explicit tool allowlists tailored to each workflow's purpose. Changes: - claude-code-review.yml: Read-only tools for automated PR reviews - claude.yml: Full development tools + write permissions for commits/PRs Fixes permission mismatch where claude.yml prompted for commits but lacked contents:write permission.
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -228,3 +228,6 @@ jobs:
             **Important**: This workflow maintains conversation continuity - resolved issues show as "Resolved", ongoing issues have threaded replies, and only new issues create new comment threads.
 
             Always post a NEW comment - never update previous ones. Natural conversation flow.
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+          claude_args: '--allowedTools "Task,Skill,Read,Glob,Grep,Write,TodoWrite,mcp__cloudflare-docs__search_cloudflare_documentation,mcp__exa__get_code_context_exa,mcp__exa__web_search_exa,Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh repo view:*),Bash(gh api:*),Bash(git log:*),Bash(git cat-file:*),Bash(git rev-parse:*),Bash(jq:*)"'
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -19,9 +19,9 @@ jobs:
       (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
+      contents: write
+      pull-requests: write
+      issues: write
       id-token: write
       actions: read # Required for Claude to read CI results on PRs
     steps:
@@ -97,3 +97,4 @@ jobs:
 
           # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
           # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+          claude_args: '--allowedTools "Task,Skill,Read,Write,Edit,Glob,Grep,TodoWrite,mcp__cloudflare-docs__search_cloudflare_documentation,mcp__exa__get_code_context_exa,mcp__exa__web_search_exa,Bash(npm test:*),Bash(npm run *),Bash(npm install:*),Bash(npm ls:*),Bash(npm view:*),Bash(docker:*),Bash(git status),Bash(git log:*),Bash(git diff:*),Bash(git rev-parse:*),Bash(git fetch:*),Bash(git add:*),Bash(git commit:*),Bash(git push:*),Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr checks:*),Bash(gh pr create:*),Bash(gh issue view:*),Bash(gh issue create:*),Bash(gh issue comment:*),Bash(gh repo view:*),Bash(gh api:*),Bash(find:*),Bash(tree:*),Bash(ls:*),Bash(jq:*)"'
