Problem
When using claude-code-action for security reviews or other read-only tasks, the action automatically grants Claude write capabilities that cannot be disabled via configuration.
In src/modes/tag/index.ts (lines 135-150), the action unconditionally adds git write tools:
if (!useApiCommitSigning) {
  tagModeTools.push(
    "Bash(git add:*)",
    "Bash(git commit:*)",
    `Bash(${gitPushWrapper}:*)`,
    "Bash(git rm:*)",
  );
} else {
  tagModeTools.push(
    "mcp__github_file_ops__commit_files",
    "mcp__github_file_ops__delete_files",
  );
}
This means even when a workflow explicitly configures limited tools via claude_args:
claude_args: |
  --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*)"
The action still adds git write capabilities, and Claude can (and does) make commits autonomously.
Use Case
We use claude-code-action for security reviews only - we want Claude to analyze PRs and post comments, but not make any changes to the code. However, Claude detected a CI failure and automatically committed a fix, which was unexpected behavior given our workflow configuration.
Requested Solution
Add a read_only input parameter (or similar) that prevents the action from adding any write tools:
- uses: anthropics/claude-code-action@v1
  with:
    read_only: true # Prevents git/file write tools from being added
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
When read_only: true:
- Do not add Bash(git add:*), Bash(git commit:*), Bash(git rm:*), or the git push wrapper
- Do not add mcp__github_file_ops__commit_files or mcp__github_file_ops__delete_files
- Only allow the base read tools (Glob, Grep, LS, Read) plus user-specified tools
Alternatives Considered
- Forking the action - Works but requires maintaining a fork
- Using use_commit_signing - This only changes HOW commits are made (git CLI vs API), not WHETHER commits are allowed
Additional Context
This follows the principle of least privilege - workflows that only need read access shouldn't be granted write access by default. Many users may want Claude for code review, documentation generation, or analysis tasks where commits are not desired.
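A sketch of the gating requested above, added here as an illustration and not code from claude-code-action. The function names, the readOnly option and the wrapper path are hypothetical; only the tool strings come from the issue. It also includes a post-condition check that a workflow test could run against the resolved tool list.

```typescript
// Added example: hypothetical names, not the action's actual implementation.
const BASE_READ_TOOLS: string[] = ["Glob", "Grep", "LS", "Read"];

interface TagToolOptions {
  readOnly: boolean;            // the requested read_only input (assumed name)
  useApiCommitSigning: boolean; // selects git CLI vs API write tools
  gitPushWrapper: string;       // path to the push wrapper (placeholder value)
  userAllowedTools: string[];   // parsed from --allowedTools in claude_args
}

// The write tools the issue quotes from src/modes/tag/index.ts.
function writeToolsFor(useApiCommitSigning: boolean, gitPushWrapper: string): string[] {
  if (useApiCommitSigning) {
    return ["mcp__github_file_ops__commit_files", "mcp__github_file_ops__delete_files"];
  }
  return [
    "Bash(git add:*)",
    "Bash(git commit:*)",
    `Bash(${gitPushWrapper}:*)`,
    "Bash(git rm:*)",
  ];
}

// Base read tools plus user-specified tools; write tools only when not read-only.
function resolveTagModeTools(o: TagToolOptions): string[] {
  const tools = BASE_READ_TOOLS.concat(o.userAllowedTools);
  if (!o.readOnly) {
    tools.push(...writeToolsFor(o.useApiCommitSigning, o.gitPushWrapper));
  }
  // De-duplicate while keeping order.
  return tools.filter((t, i) => tools.indexOf(t) === i);
}

// Post-condition check: returns every write tool (either signing mode)
// that is present in a resolved list. An empty result means read-only holds.
function findWriteTools(tools: string[], gitPushWrapper: string): string[] {
  const write = writeToolsFor(true, gitPushWrapper).concat(
    writeToolsFor(false, gitPushWrapper),
  );
  return tools.filter((t) => write.indexOf(t) !== -1);
}

// Constructed sample: the review-only tool list from the workflow in the issue.
const REVIEW_ONLY_TOOLS: string[] = [
  "mcp__github_inline_comment__create_inline_comment",
  "Bash(gh pr comment:*)",
  "Bash(gh pr diff:*)",
];
```
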