Fixing Allowed_tools Bug In Claude-code-action

Introduction

This article delves into a bug identified within the claude-code-action GitHub Action, specifically concerning the behavior of the allowed_tools parameter when the action is invoked multiple times within a single workflow. The issue manifests as the allowed_tools configuration not being applied correctly in subsequent calls after the initial invocation, potentially leading to unexpected failures and permission errors. This comprehensive analysis will walk you through the bug's description, reproduction steps, expected behavior, the underlying cause, and potential solutions. Understanding this issue is crucial for developers and teams leveraging claude-code-action in their workflows to ensure consistent and secure execution of automated tasks. By addressing this bug, we can enhance the reliability and predictability of claude-code-action, making it a more robust tool for CI/CD pipelines.

Bug Description

The core issue lies in how the allowed_tools parameter is handled across multiple invocations of the claude-code-action within a single workflow run. When the action is called for the first time, the allowed_tools configuration is correctly applied, restricting the set of tools that Claude can utilize. However, subsequent calls to the action appear to ignore the allowed_tools setting specified in their respective configurations. This means that Claude may attempt to use tools that were explicitly disallowed, leading to workflow failures if those tools lack the necessary permissions. This behavior contradicts the expected isolation of configurations between different calls to the action, where each invocation should adhere to its own allowed_tools settings. The impact of this bug can range from intermittent workflow failures to security concerns, as unintended tools might be used if the restriction isn't properly enforced. Addressing this issue is critical to ensure the reliable and secure execution of workflows that rely on claude-code-action for code generation and analysis.

Steps to Reproduce

To effectively demonstrate and understand this bug, the following steps outline how to reproduce the issue within a GitHub Actions workflow:

1. Workflow Setup: Create a GitHub Actions workflow file (e.g., .github/workflows/test-workflow.yml) in your repository.
2. Multiple Action Calls: Include two instances of the anthropics/claude-code-action@beta action within the workflow.
3. First Action Configuration: Configure the first action call with a direct_prompt parameter to initiate a task for Claude. This initial call sets the baseline environment.
4. Second Action Configuration: Configure the second action call with both a direct_prompt and an allowed_tools parameter. The allowed_tools parameter should restrict Claude's tool usage to a specific subset, such as Bash(go:*), which allows only go commands within Bash.
5. Trigger Workflow: Trigger the workflow by pushing a commit to your repository or manually dispatching the workflow through the GitHub Actions interface.
6. Observe Behavior: Monitor the workflow execution logs. The second action call might fail due to a lack of permission for commands that are not explicitly allowed in the allowed_tools configuration, even if those commands were not restricted in the first action call. This indicates that the allowed_tools setting is not being correctly applied in the second invocation.

By following these steps, you can consistently reproduce the bug and verify the incorrect behavior of the allowed_tools parameter in subsequent calls to claude-code-action.

Example Workflow

The following YAML snippet demonstrates a GitHub Actions workflow configuration that reproduces the bug:

name: Reproduce allowed_tools Bug

on:
  push:
    branches:
      - main

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: First Claude Action Call
        uses: anthropics/claude-code-action@beta
        with:
          direct_prompt: "Write a simple Go program that prints 'Hello, World!'"

      - name: Second Claude Action Call with restricted tools
        uses: anthropics/claude-code-action@beta
        with:
          direct_prompt: "Run the go program"
          allowed_tools: | 
            Bash(go:*)

This workflow will first ask Claude to write a simple Go program and then, in a subsequent step, attempt to run the program with restricted tools. If the bug is present, the second step might fail because Claude may attempt to use tools beyond the allowed Bash(go:*) subset, demonstrating that the allowed_tools setting was not correctly applied.

Expected Behavior

The expected behavior of the claude-code-action is that each invocation within a workflow should be treated as an independent execution context. This means that the allowed_tools parameter, when specified, should apply solely to the specific call in which it is configured and not affect other instances of the action within the same workflow run. In essence, the allowed_tools configuration should be isolated between different calls.

When the claude-code-action is called multiple times, each instance should:

• Respect its own allowed_tools: If an allowed_tools parameter is provided in a particular action call, Claude should only be permitted to use the tools explicitly listed in that configuration.
• Not inherit or override settings: The allowed_tools settings from one action call should not carry over to subsequent calls unless explicitly configured to do so (which is not the current design).
• Provide consistent behavior: Regardless of the number of times the action is called or the order in which it is invoked, the allowed_tools setting should consistently enforce the specified tool restrictions for each individual call.

In the context of the reproduction steps outlined earlier, the second call to claude-code-action with allowed_tools: Bash(go:*) should only allow Claude to execute go commands within Bash. Any attempt to use other tools, such as file system operations or network requests, should be blocked. If the bug is not present, the workflow should execute without permission errors related to tool usage.

Root Cause Analysis

The root cause of the bug lies in the way the claude-code-action handles environment variables related to tool permissions across multiple invocations. Specifically, the action exports environment variables such as ALLOWED_TOOLS and DISALLOWED_TOOLS, which influence Claude's behavior regarding tool usage. The problem arises because these environment variables are not properly scoped or reset between different calls to the action within the same workflow.

According to the provided logs and the identified code snippet from src/create-prompt/index.ts (https://github.com/anthropics/claude-code-action/blob/8fcb8e16b8c1353a2a862e146081ee0c2c254c0e/src/create-prompt/index.ts#L775-L776), the action likely appends to or modifies these environment variables globally within the workflow context. This means that when the first claude-code-action call executes, it sets or modifies ALLOWED_TOOLS and DISALLOWED_TOOLS. Subsequent calls then inherit these modified environment variables, rather than starting with a clean slate or using their own specified configurations. As a result, the allowed_tools parameter in later calls may be overridden or ignored due to the previously set environment variables.

For instance, if the first call sets ALLOWED_TOOLS to a broad set of tools, and the second call attempts to restrict it further, the restriction might not take effect because the environment variable already includes a wider range of tools. This explains why the second call might fail due to permission errors, as Claude might still attempt to use tools that were allowed in the first call but should have been restricted in the second.

To fix this, the action needs to ensure that environment variables related to tool permissions are properly scoped or reset before each invocation, preventing unintended interference between different calls.

Potential Solutions

To address the bug where allowed_tools does not take effect on subsequent calls in claude-code-action, several solutions can be implemented. These solutions focus on ensuring proper isolation of environment variables and configurations between different invocations of the action within a workflow.

1. Environment Variable Scoping

The most direct solution is to scope the ALLOWED_TOOLS and DISALLOWED_TOOLS environment variables to each individual action call. This can be achieved by:

• Setting Variables Locally: Instead of exporting the variables globally, set them within the context of each action call. GitHub Actions provides a mechanism to set environment variables for a specific step, which will not persist beyond that step. This ensures that each claude-code-action call has its own isolated set of tool permissions.
• Unsetting Variables: At the end of each action call, explicitly unset the ALLOWED_TOOLS and DISALLOWED_TOOLS environment variables. This prevents them from being inadvertently inherited by subsequent steps in the workflow.

2. Configuration Merging with Precedence

If the intention is to allow some level of inheritance or merging of tool permissions, a more sophisticated approach can be used:

• Read Existing Variables: Before setting ALLOWED_TOOLS and DISALLOWED_TOOLS, read any existing values from the environment.
• Merge Configurations: Merge the existing configurations with the allowed_tools parameter specified in the current action call. Ensure that the current call's allowed_tools setting takes precedence, allowing it to override or refine the inherited permissions.
• Set Scoped Variables: Set the merged configuration as a scoped environment variable for the current action call.

3. Input-Based Configuration

Another approach is to rely solely on input parameters for configuring tool permissions, avoiding environment variables altogether:

• Pass allowed_tools as Input: Ensure that the claude-code-action reads the allowed_tools configuration directly from the input parameters of each call.
• No Environment Variables: Eliminate the use of ALLOWED_TOOLS and DISALLOWED_TOOLS environment variables. This simplifies the configuration and avoids the scoping issues associated with environment variables.

4. Action Context Isolation

For a more robust solution, consider isolating the execution context of each claude-code-action call:

• Use a Separate Container: Run each action call in its own container. Containers provide a high degree of isolation, ensuring that environment variables and other configurations do not leak between calls.
• Define Context: Define a clear context for each action call, including the necessary environment variables and configurations. This prevents any unintended interference between different calls.

By implementing one or more of these solutions, the claude-code-action can be made more reliable and predictable, ensuring that the allowed_tools parameter functions correctly in all invocations within a workflow.

Conclusion

The bug identified in claude-code-action, where allowed_tools does not take effect on subsequent calls, poses a significant challenge to the consistent and secure execution of workflows. This article has provided a detailed exploration of the issue, from its initial description and reproduction steps to a thorough analysis of its root cause and potential solutions. By understanding that the problem stems from improper scoping of environment variables related to tool permissions, developers can appreciate the importance of implementing appropriate isolation mechanisms.

The suggested solutions, including environment variable scoping, configuration merging with precedence, input-based configuration, and action context isolation, offer a range of strategies to address the bug effectively. Implementing these solutions will not only resolve the immediate issue but also enhance the overall robustness and reliability of claude-code-action.

As the claude-code-action continues to evolve, addressing such bugs is crucial for maintaining the trust and confidence of users who rely on it for their CI/CD pipelines. The insights and solutions presented in this article serve as a valuable resource for developers and teams seeking to leverage claude-code-action effectively, ensuring that the tool operates as intended, with each invocation respecting its configured tool permissions. By prioritizing the isolation of configurations and the proper handling of environment variables, we can create a more dependable and secure environment for automated code generation and analysis.