claude-code-action

anthropics/claude-code-action

Fork 0

mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-23 06:54:13 +08:00

Commit Graph

Author	SHA1	Message	Date
km-anthropic	c7801e975c	bun format	2025-08-11 07:32:05 -07:00
km-anthropic	d5fbc80b71	Fix MCP tool availability and shell escaping in tag mode Pass MCP config and allowed tools through claude_args to ensure tools like mcp__github_comment__update_claude_comment are properly available to Claude CLI. Key changes: - Tag mode outputs claude_args with MCP config (as JSON string) and allowed tools - Fixed shell escaping vulnerability when JSON contains single quotes - Agent mode passes through user-provided claude_args unchanged - Re-added mcp_config input for users to provide custom MCP servers - Cleaned up misleading comments and unused file operations - Clarified test workflow is for fork testing Security fix: Properly escape single quotes in MCP config JSON to prevent shell injection vulnerabilities. Co-Authored-By: Claude <noreply@anthropic.com>	2025-08-11 06:42:03 -07:00

Author

SHA1

Message

Date

km-anthropic

c7801e975c

bun format

2025-08-11 07:32:05 -07:00

km-anthropic

d5fbc80b71

Fix MCP tool availability and shell escaping in tag mode

Pass MCP config and allowed tools through claude_args to ensure tools like
mcp__github_comment__update_claude_comment are properly available to Claude CLI.

Key changes:
- Tag mode outputs claude_args with MCP config (as JSON string) and allowed tools
- Fixed shell escaping vulnerability when JSON contains single quotes
- Agent mode passes through user-provided claude_args unchanged
- Re-added mcp_config input for users to provide custom MCP servers
- Cleaned up misleading comments and unused file operations
- Clarified test workflow is for fork testing

Security fix: Properly escape single quotes in MCP config JSON to prevent
shell injection vulnerabilities.

Co-Authored-By: Claude <noreply@anthropic.com>

2025-08-11 06:42:03 -07:00

2 Commits