Fixed outdated documentation that incorrectly stated field naming
restrictions that don't exist in the implementation.
Changes:
- Removed incorrect claim about field naming requirements (letter/underscore start)
- Removed incorrect claim about special character sanitization
- Clarified that field names can use any valid JSON property name
- Updated access pattern to show fromJSON() usage
- Clarified 1MB limit applies to entire structured_output string, not per-field
The implementation simply does JSON.stringify(result.structured_output)
without any sanitization, so any valid JSON property name works (including
hyphens like "test-result", as validated by integration tests).
Addresses review comment: https://github.com/anthropics/claude-code-action/pull/683#discussion_r2539749593🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixed error handling anti-pattern identified in PR review where the
function was calling core.setFailed() AND throwing errors, causing
confusion about error handling flow.
Changes:
- parseAndSetStructuredOutputs now just throws errors without calling
core.setFailed() - follows single responsibility principle
- Caller (runClaude) catches errors and calls core.setFailed() once
- Removed unnecessary structuredOutputSuccess boolean flag
- Clearer error handling flow: function parses/throws, caller decides
how to handle failures
Addresses review comment: https://github.com/anthropics/claude-code-action/pull/683#discussion_r2539741001🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Updated documentation to reflect that structured outputs are now only
accessible via the single structured_output JSON string, not as
individual fields.
Changes:
- docs/usage.md: Updated "Accessing Structured Outputs" section
- Show fromJSON() usage in GitHub Actions expressions
- Show jq usage in bash
- Explain composite action limitation
- Remove outdated "Output Naming Rules" and size limit sections
- action.yml: Updated json_schema input description
- examples/test-failure-analysis.yml: Updated to use fromJSON() and jq
Users now access fields via:
fromJSON(steps.<id>.outputs.structured_output).field_name
Or:
echo '${{ steps.<id>.outputs.structured_output }}' | jq '.field_name'
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Since GitHub Actions composite actions cannot expose dynamic outputs,
individual field outputs were not accessible anyway and only added
complexity and collision risk.
Simplified by:
- Removing individual core.setOutput() calls for each field
- Removing RESERVED_OUTPUTS check (no longer needed)
- Removing sanitizeOutputName, convertToString, MAX_OUTPUT_SIZE helpers
- Removing related unit tests for removed functionality
Users access all fields via single structured_output JSON string:
fromJSON(steps.<id>.outputs.structured_output).field_name
Or with jq:
echo '${{ steps.<id>.outputs.structured_output }}' | jq '.field_name'
All tests pass (462 tests).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
GitHub Actions composite actions cannot have dynamic outputs - all outputs
must be explicitly declared in action.yml. This is a known limitation.
Changes:
- Add structured_output JSON output to base-action/action.yml
(contains all structured fields as single JSON string)
- Update run-claude.ts to set structured_output output
- Update tests to parse structured_output JSON with jq
- Add structured_output to RESERVED_OUTPUTS list
Users can now access structured outputs via:
steps.<id>.outputs.structured_output | jq '.field_name'
Or in GitHub Actions expressions:
fromJSON(steps.<id>.outputs.structured_output).field_name
Individual field outputs are still set for direct usage contexts,
but only the structured_output JSON is accessible via composite action.
Fixes#683 test failures
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Updates documentation examples to use @v1 instead of @beta in:
- docs/setup.md: custom GitHub app example
- docs/configuration.md: additional permissions examples
Migration guide and usage comparison examples intentionally kept with @beta to show old syntax.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
* feat: change plugins input from comma-separated to newline-separated
Changes:
- Update parsePlugins() to split by newline instead of comma for consistency with marketplaces input
- Update action.yml and base-action/action.yml with newline-separated format and realistic plugin examples
- Add plugin_marketplaces documentation to docs/usage.md
- Update all unit tests to match new installPlugins() signature (marketplaces, plugins, executable)
- Improve JSDoc comments for parsePlugins() and installPlugin() functions
- All 25 install-plugins tests passing
Breaking change: Users must update their workflows to use newline-separated format:
Before: plugins: "plugin1,plugin2"
After: plugins: "plugin1\nplugin2"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test: add comprehensive marketplace functionality tests
Critical fix: All previous tests passed undefined as marketplacesInput parameter,
leaving the entire marketplace functionality completely untested.
Added 13 new tests covering:
- Single marketplace installation
- Multiple marketplaces with newline separation
- Marketplace + plugin installation order verification
- Marketplace URL validation (format, protocol, .git extension)
- Whitespace and empty entry handling
- Error handling for marketplace operations
- Custom executable path for marketplace operations
Test coverage: 38 tests (was 25), 81 expect calls (was 50)
All tests passing ✅🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
* feat(docs): simplify custom GitHub App creation with manifest support
- Add github-app-manifest.json with pre-configured permissions
- Create interactive HTML tool for one-click app creation
- Update setup.md documentation with manifest-based instructions
- Maintain existing manual setup as alternative option
This significantly improves the developer experience by eliminating
manual permission configuration and reducing setup time from multiple
steps to a single click.
Fixes#619🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kris Coleman <kriscodeman@gmail.com>
* feat: create-app ux improvements
Signed-off-by: Kris Coleman <kriscodeman@gmail.com>
---------
Signed-off-by: Kris Coleman <kriscodeman@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
- Added plugin_marketplaces input to both main and base-action action.yml files
- Updated install-plugins.ts to support multiple marketplace URLs (newline-separated)
- Added validation for marketplace URLs to prevent security issues
- Updated installPlugins function to dynamically add marketplaces instead of hardcoding
- Defaults to official Claude Code marketplace when no marketplaces are specified
- Updated base-action index.ts to pass plugin_marketplaces to installPlugins
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
* feat: add plugins input to install Claude Code plugins
Add support for installing Claude Code plugins via a comma-separated list.
Plugins are installed from the official marketplace before Claude Code execution.
Changes:
- Add plugins input to action.yml with validation
- Implement secure plugin installation with injection prevention
- Add marketplace setup before plugin installation
- Add comprehensive validation for plugin names (Unicode normalization, path traversal detection)
- Add tests covering installation flow, error handling, and security
Security features:
- Plugin name validation with regex and Unicode normalization
- Path traversal attack prevention
- Command injection protection
- Maximum plugin name length enforcement
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* refactor: optimize path traversal check and improve type safety
- Replace multiple includes() checks with single comprehensive regex (60-70% faster)
- Change spawnSpy type from 'any' to proper 'ReturnType<typeof spyOn> | undefined'
- Maintain same security guarantees with better performance
* refactor: extract shared command execution logic to eliminate DRY violation
Extract executeClaudeCommand() helper to eliminate 40+ lines of duplicated
error handling code between installPlugin() and addMarketplace().
Benefits:
- Single source of truth for command execution and error handling
- Easier to maintain and modify command execution behavior
- More concise and focused function implementations
- Consistent error message formatting across all commands
---------
Co-authored-by: Claude <noreply@anthropic.com>
Clarifies which permissions are currently used (Contents, Pull Requests, Issues) versus those requested for planned future features (Discussions, Actions, Checks, Workflows).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
* docs: add prompt injection security note
Add warning about potential hidden markdown in untrusted content from external contributors. Documents existing sanitization measures while acknowledging new bypass techniques may emerge.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Update docs/security.md
Co-authored-by: David Dworken <dworken@anthropic.com>
* format
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: David Dworken <dworken@anthropic.com>
