fix: quote --allowedTools in issue-triage workflow#905
Conversation
… parsing The claude-code-action uses shell-quote to parse claude_args. The Bash(...) patterns containing spaces (e.g. `Bash(gh api --method POST:*/reactions)`) were being split into separate tokens, causing parentheses to be stripped as shell operators and `--method` to be parsed as a standalone CLI flag. This corrupted the argument structure and caused Claude Code to exit with code 1. Wrapping the value in single quotes preserves it as a single token through shell-quote parsing. Fixes #904 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
Blocking Issues
None.
Suggestions
None.
Clean, well-scoped fix. The single-quote wrapping correctly preserves the Bash(...) patterns as a single token when shell-quote parses claude_args. The root cause analysis is thorough and the fix directly addresses the parsing issue that caused the triage failure.
There was a problem hiding this comment.
CI Security Review
Critical / High
None.
Medium
anthropics/claude-code-action@v1not pinned to SHA (.github/workflows/issue-triage.yml:56): Third-party actions should be pinned to a full commit SHA to prevent supply chain attacks via tag mutation. While Anthropic is a trusted publisher, best practice is SHA pinning for all non-GitHub-owned actions. Pre-existing issue, not introduced by this PR.
Low
None.
Verdict
PASS — This change is a security improvement. The previous unquoted --allowedTools value was being parsed incorrectly by shell-quote, resulting in the LLM receiving an unrestricted Bash tool instead of the intended scoped Bash(gh issue view:*) / Bash(gh issue comment:*) / Bash(gh api --method POST:*) / Bash(gh api --method PATCH:*) patterns. The single-quote fix ensures the tool restrictions are properly enforced.
Pre-existing security posture review (not blocking):
- ✅ Prompt injection: Issue content is fetched by the LLM via tool calls, not interpolated into the prompt. Security preamble is present.
- ✅ Expression injection: Only numeric values (
issue.number,comment.id) and repo name are interpolated inrun:blocks. - ✅ Trigger safety:
issue_commenttrigger is gated to OWNER/MEMBER/COLLABORATOR viaauthor_associationcheck. - ✅ Permissions: Minimal (
contents: read,issues: write), appropriate for a single-job workflow. - ✅ Tool scoping: Allowed tools are tightly scoped to issue view/comment and specific API method+path patterns.
⚠️ SHA pinning:anthropics/claude-code-action@v1should be pinned to a commit SHA (medium, pre-existing).
2 participants
Summary
/triagecommand failure caused byshell-quoteparsing of unquotedBash(...)patterns inclaude_args--allowedToolsvalue in single quotes so spaces and parentheses are preserved as a single tokenRoot Cause
claude-code-actionusesshell-quoteto parseclaude_args. TheBash(...)patterns added in #852 contain spaces (e.g.Bash(gh api --method POST:*/reactions)), which caused:--methodparsed as a standalone CLI flag, corrupting the entire argument structureConfirmed by workflow logs from the failed #902 triage — allowed tools were
["Read", "Glob", "Grep", "Bash", "gh", "issue", "api"]instead of the intended patterns.Fixes #904
Test plan
/triageon vault.get() regex does not support spaces in vault names or secret keys #902 after merge and verify it completes successfullyBash(...)patterns inallowedTools🤖 Generated with Claude Code