Fix MCP tool availability and shell escaping in tag mode

Pass MCP config and allowed tools through claude_args to ensure tools like
mcp__github_comment__update_claude_comment are properly available to Claude CLI.

Key changes:
- Tag mode outputs claude_args with MCP config (as JSON string) and allowed tools
- Fixed shell escaping vulnerability when JSON contains single quotes
- Agent mode passes through user-provided claude_args unchanged
- Re-added mcp_config input for users to provide custom MCP servers
- Cleaned up misleading comments and unused file operations
- Clarified test workflow is for fork testing

Security fix: Properly escape single quotes in MCP config JSON to prevent
shell injection vulnerabilities.

Co-Authored-By: Claude <noreply@anthropic.com>
km-anthropic
2025-08-11 06:42:03 -07:00
parent 5bdb1e4ae0
commit d5fbc80b71
5 changed files with 96 additions and 9 deletions

@@ -79,7 +79,9 @@ export const agentMode: Mode = {
}
}
core.setOutput("mcp_config", JSON.stringify(mcpConfig));
// Agent mode: pass through user's claude_args without modification
const userClaudeArgs = process.env.CLAUDE_ARGS || "";
core.setOutput("claude_args", userClaudeArgs);
return {
commentId: undefined,
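
Review bot: The `claude_args` output in the agent-mode branch is set straight from `process.env.CLAUDE_ARGS` with no validation or quoting, so whether it is safe depends entirely on how the consuming step uses it, and these lines do not show that. The commit message cites a single-quote escaping problem on the tag-mode path, so the comment above `userClaudeArgs` should say that the value is free-form user text and that the consumer must pass it to the CLI through an environment variable or an argument array rather than interpolating it into a shell string. A test with a `CLAUDE_ARGS` value containing a single quote would pin that behaviour down. It would also help to document how `mcp_config` and `claude_args` relate when both outputs are set, since `core.setOutput("mcp_config", ...)` sits directly above the pass-through.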