anthropics/claude-code-action
1
0
Fork 0
mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-22 22:44:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix MCP tool availability and shell escaping in tag mode

Browse Source 
Pass MCP config and allowed tools through claude_args to ensure tools like
mcp__github_comment__update_claude_comment are properly available to Claude CLI.

Key changes:
- Tag mode outputs claude_args with MCP config (as JSON string) and allowed tools
- Fixed shell escaping vulnerability when JSON contains single quotes
- Agent mode passes through user-provided claude_args unchanged
- Re-added mcp_config input for users to provide custom MCP servers
- Cleaned up misleading comments and unused file operations
- Clarified test workflow is for fork testing

Security fix: Properly escape single quotes in MCP config JSON to prevent
shell injection vulnerabilities.

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
km-anthropic
2025-08-11 06:42:03 -07:00
parent 5bdb1e4ae0
commit d5fbc80b71
5 changed files with 96 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
action.yml
View File

@@ -65,6 +65,10 @@ inputs:
description: "Additional arguments to pass directly to Claude CLI"
required: false
default: ""
mcp_config:
description: "Additional MCP configuration (JSON string) that merges with built-in GitHub MCP servers"
required: false
default: ""
additional_permissions:
description: "Additional GitHub permissions to request (e.g., 'actions: read')"
required: false
@@ -124,6 +128,8 @@ runs:
DEFAULT_WORKFLOW_TOKEN: ${{ github.token }}
USE_COMMIT_SIGNING: ${{ inputs.use_commit_signing }}
ADDITIONAL_PERMISSIONS: ${{ inputs.additional_permissions }}
CLAUDE_ARGS: ${{ inputs.claude_args }}
MCP_CONFIG: ${{ inputs.mcp_config }}
- name: Install Base Action Dependencies
if: steps.prepare.outputs.contains_trigger == 'true'
@@ -160,7 +166,7 @@ runs:
INPUT_PROMPT_FILE: ${{ runner.temp }}/claude-prompts/claude-prompt.txt
INPUT_SETTINGS: ${{ inputs.settings }}
INPUT_TIMEOUT_MINUTES: ${{ inputs.timeout_minutes }}
INPUT_CLAUDE_ARGS: ${{ steps.prepare.outputs.mcp_config_file && format('--mcp-config {0} {1}', steps.prepare.outputs.mcp_config_file, inputs.claude_args) || inputs.claude_args }}
INPUT_CLAUDE_ARGS: ${{ steps.prepare.outputs.claude_args }}
INPUT_EXPERIMENTAL_SLASH_COMMANDS_DIR: ${{ github.action_path }}/slash-commands
# Model configuration