fix: add Claude Code binary to GitHub Actions PATH (#455)

* Add GitHub token redaction to update_claude_comment tool

- Add redactGitHubTokens() function to sanitizer.ts that detects and redacts all GitHub token formats (ghp_, gho_, ghs_, ghr_, github_pat_)
- Update sanitizeContent() to include token redaction in the sanitization pipeline
- Apply sanitization to comment body in github-comment-server.ts before updating comments
- Add comprehensive tests covering all token formats, edge cases, and integration scenarios
- Prevents accidental exposure of GitHub tokens in PR/issue comments while preserving existing functionality

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Add GitHub token redaction to inline comment server

- Apply sanitizeContent() to comment body in github-inline-comment-server.ts before creating inline PR comments
- Ensures consistency in token redaction across all comment creation tools
- Prevents GitHub tokens from being exposed in inline PR review comments

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

.github/workflows/claude.yml

@@ -36,4 +36,4 @@ jobs:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           allowed_tools: "Bash(bun install),Bash(bun test:*),Bash(bun run format),Bash(bun typecheck)"
           custom_instructions: "You have also been granted tools for editing files and running bun commands (install, run, test, typecheck) for testing your changes: bun install, bun test, bun run format, bun typecheck."
-          model: "claude-opus-4-20250514"
+          model: "claude-opus-4-1-20250805"

README.md

@@ -14,6 +14,19 @@ A general-purpose [Claude Code](https://claude.ai/code) action for GitHub PRs an
 - 📋 **Progress Tracking**: Visual progress indicators with checkboxes that dynamically update as Claude completes tasks
 - 🏃 **Runs on Your Infrastructure**: The action executes entirely on your own GitHub runner (Anthropic API calls go to your chosen provider)
 
+## ⚠️ **BREAKING CHANGES COMING IN v1.0** ⚠️
+
+**We're planning a major update that will significantly change how this action works.** The new version will:
+
+- ✨ Automatically select the appropriate mode (no more `mode` input)
+- 🔧 Simplify configuration with unified `prompt` and `claude_args`
+- 🚀 Align more closely with the Claude Code SDK capabilities
+- 💥 Remove multiple inputs like `direct_prompt`, `custom_instructions`, and others
+
+**[→ Read the full v1.0 roadmap and provide feedback](https://github.com/anthropics/claude-code-action/discussions/428)**
+
+---
+
 ## Quickstart
 
 The easiest way to set up this action is through [Claude Code](https://claude.ai/code) in the terminal. Just open `claude` and run `/install-github-app`.

ROADMAP.md

@@ -10,7 +10,7 @@ Thank you for trying out the beta of our GitHub Action! This document outlines o
 - **Support for workflow_dispatch and repository_dispatch events** - Dispatch Claude on events triggered via API from other workflows or from other services
 - **Ability to disable commit signing** - Option to turn off GPG signing for environments where it's not required. This will enable Claude to use normal `git` bash commands for committing. This will likely become the default behavior once added.
 - **Better code review behavior** - Support inline comments on specific lines, provide higher quality reviews with more actionable feedback
-- **Support triggering @claude from bot users** - Allow automation and bot accounts to invoke Claude
+- ~**Support triggering @claude from bot users** - Allow automation and bot accounts to invoke Claude~
 - **Customizable base prompts** - Full control over Claude's initial context with template variables like `$PR_COMMENTS`, `$PR_FILES`, etc. Users can replace our default prompt entirely while still accessing key contextual data
 
 ---

action.yml

@@ -23,6 +23,10 @@ inputs:
     description: "The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)"
     required: false
     default: "claude/"
+  allowed_bots:
+    description: "Comma-separated list of allowed bot usernames, or '*' to allow all bots. Empty string (default) allows no bots."
+    required: false
+    default: ""
 
   # Mode configuration
   mode:
@@ -156,6 +160,7 @@ runs:
         OVERRIDE_PROMPT: ${{ inputs.override_prompt }}
         MCP_CONFIG: ${{ inputs.mcp_config }}
         OVERRIDE_GITHUB_TOKEN: ${{ inputs.github_token }}
+        ALLOWED_BOTS: ${{ inputs.allowed_bots }}
         GITHUB_RUN_ID: ${{ github.run_id }}
         USE_STICKY_COMMENT: ${{ inputs.use_sticky_comment }}
         DEFAULT_WORKFLOW_TOKEN: ${{ github.token }}
@@ -172,7 +177,8 @@ runs:
         echo "Base-action dependencies installed"
         cd -
         # Install Claude Code globally
-        bun install -g @anthropic-ai/claude-code@1.0.69
+        curl -fsSL https://claude.ai/install.sh | bash -s 1.0.83
+        echo "$HOME/.local/bin" >> "$GITHUB_PATH"
 
     - name: Setup Network Restrictions
       if: steps.prepare.outputs.contains_trigger == 'true' && inputs.experimental_allowed_domains != ''

base-action/README.md

@@ -69,7 +69,7 @@ Add the following to your workflow file:
   uses: anthropics/claude-code-base-action@beta
   with:
     prompt: "Review and fix TypeScript errors"
-    model: "claude-opus-4-20250514"
+    model: "claude-opus-4-1-20250805"
     fallback_model: "claude-sonnet-4-20250514"
     allowed_tools: "Bash(git:*),View,GlobTool,GrepTool,BatchTool"
     anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -217,7 +217,7 @@ Provide the settings configuration directly as a JSON string:
     prompt: "Your prompt here"
     settings: |
       {
-        "model": "claude-opus-4-20250514",
+        "model": "claude-opus-4-1-20250805",
         "env": {
           "DEBUG": "true",
           "API_URL": "https://api.example.com"

base-action/action.yml

@@ -118,7 +118,7 @@ runs:
 
     - name: Install Claude Code
       shell: bash
-      run: bun install -g @anthropic-ai/claude-code@1.0.69
+      run: curl -fsSL https://claude.ai/install.sh | bash -s 1.0.83
 
     - name: Run Claude Code Action
       shell: bash

base-action/test/setup-claude-code-settings.test.ts

@@ -134,7 +134,7 @@ describe("setupClaudeCodeSettings", () => {
     // Then, add new settings
     const newSettings = JSON.stringify({
       newKey: "newValue",
-      model: "claude-opus-4-20250514",
+      model: "claude-opus-4-1-20250805",
     });
 
     await setupClaudeCodeSettings(newSettings, testHomeDir);
@@ -145,7 +145,7 @@ describe("setupClaudeCodeSettings", () => {
     expect(settings.enableAllProjectMcpServers).toBe(true);
     expect(settings.existingKey).toBe("existingValue");
     expect(settings.newKey).toBe("newValue");
-    expect(settings.model).toBe("claude-opus-4-20250514");
+    expect(settings.model).toBe("claude-opus-4-1-20250805");
   });
 
   test("should copy slash commands to .claude directory when path provided", async () => {

docs/configuration.md

@@ -207,15 +207,8 @@ Claude does **not** have access to execute arbitrary Bash commands by default. I
 ```yaml
 - uses: anthropics/claude-code-action@beta
   with:
-    allowed_tools: |
-      Bash(npm install)
-      Bash(npm run test)
-      Edit
-      Replace
-      NotebookEditCell
-    disallowed_tools: |
-      TaskOutput
-      KillTask
+    allowed_tools: "Bash(npm install),Bash(npm run test),Edit,Replace,NotebookEditCell"
+    disallowed_tools: "TaskOutput,KillTask"
     # ... other inputs
 ```
 
@@ -252,7 +245,7 @@ You can provide Claude Code settings to customize behavior such as model selecti
   with:
     settings: |
       {
-        "model": "claude-opus-4-20250514",
+        "model": "claude-opus-4-1-20250805",
         "env": {
           "DEBUG": "true",
           "API_URL": "https://api.example.com"

docs/security.md

@@ -3,7 +3,7 @@
 ## Access Control
 
 - **Repository Access**: The action can only be triggered by users with write access to the repository
-- **No Bot Triggers**: GitHub Apps and bots cannot trigger this action
+- **Bot User Control**: By default, GitHub Apps and bots cannot trigger this action for security reasons. Use the `allowed_bots` parameter to enable specific bots or all bots
 - **Token Permissions**: The GitHub app receives only a short-lived token scoped specifically to the repository it's operating in
 - **No Cross-Repository Access**: Each action invocation is limited to the repository where it was triggered
 - **Limited Scope**: The token cannot access other repositories or perform actions beyond the configured permissions

docs/usage.md

@@ -42,6 +42,8 @@ jobs:
           # Optional: grant additional permissions (requires corresponding GitHub token permissions)
           # additional_permissions: |
           #   actions: read
+          # Optional: allow bot users to trigger the action
+          # allowed_bots: "dependabot[bot],renovate[bot]"
 ```
 
 ## Inputs
@@ -76,6 +78,7 @@ jobs:
 | `additional_permissions`       | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                                     | No       | ""        |
 | `experimental_allowed_domains` | Restrict network access to these domains only (newline-separated).                                                                    | No       | ""        |
 | `use_commit_signing`           | Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands                     | No       | `false`   |
+| `allowed_bots`                 | Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots                       | No       | ""        |
 
 \*Required when using direct Anthropic API (default and when not using Bedrock or Vertex)
 

examples/claude.yml

@@ -1,4 +1,4 @@
-name: Claude PR Assistant
+name: Claude Code
 
 on:
   issue_comment:
@@ -11,38 +11,53 @@ on:
     types: [submitted]
 
 jobs:
-  claude-code-action:
+  claude:
     if: |
       (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
+      contents: write
+      pull-requests: write
+      issues: write
       id-token: write
+      actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - name: Run Claude PR Action
+      - name: Run Claude Code
+        id: claude
         uses: anthropics/claude-code-action@beta
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          # Or use OAuth token instead:
-          # claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          timeout_minutes: "60"
-          # mode: tag  # Default: responds to @claude mentions
-          # Optional: Restrict network access to specific domains only
-          # experimental_allowed_domains: |
-          #   .anthropic.com
-          #   .github.com
-          #   api.github.com
-          #   .githubusercontent.com
-          #   bun.sh
-          #   registry.npmjs.org
-          #   .blob.core.windows.net
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4.1)
+          # model: "claude-opus-4-1-20250805"
+
+          # Optional: Customize the trigger phrase (default: @claude)
+          # trigger_phrase: "/claude"
+
+          # Optional: Trigger when specific user is assigned to an issue
+          # assignee_trigger: "claude-bot"
+
+          # Optional: Allow Claude to run specific commands
+          # allowed_tools: "Bash(npm install),Bash(npm run build),Bash(npm run test:*),Bash(npm run lint:*)"
+
+          # Optional: Add custom instructions for Claude to customize its behavior for your project
+          # custom_instructions: |
+          #   Follow our coding standards
+          #   Ensure all new code has tests
+          #   Use TypeScript for new files
+
+          # Optional: Custom environment variables for Claude
+          # claude_env: |
+          #   NODE_ENV: test

src/github/context.ts

@@ -77,6 +77,7 @@ type BaseContext = {
     useStickyComment: boolean;
     additionalPermissions: Map<string, string>;
     useCommitSigning: boolean;
+    allowedBots: string;
   };
 };
 
@@ -136,6 +137,7 @@ export function parseGitHubContext(): GitHubContext {
         process.env.ADDITIONAL_PERMISSIONS ?? "",
       ),
       useCommitSigning: process.env.USE_COMMIT_SIGNING === "true",
+      allowedBots: process.env.ALLOWED_BOTS ?? "",
     },
   };
 

src/github/token.ts

@@ -78,7 +78,7 @@ export async function setupGitHubToken(): Promise<string> {
     return appToken;
   } catch (error) {
     core.setFailed(
-      `Failed to setup GitHub token: ${error}.\n\nIf you instead wish to use this action with a custom GitHub token or custom GitHub app, provide a \`github_token\` in the \`uses\` section of the app in your workflow yml file.`,
+      `Failed to setup GitHub token: ${error}\n\nIf you instead wish to use this action with a custom GitHub token or custom GitHub app, provide a \`github_token\` in the \`uses\` section of the app in your workflow yml file.`,
     );
     process.exit(1);
   }

src/github/utils/sanitizer.ts

@@ -58,6 +58,41 @@ export function sanitizeContent(content: string): string {
   content = stripMarkdownLinkTitles(content);
   content = stripHiddenAttributes(content);
   content = normalizeHtmlEntities(content);
+  content = redactGitHubTokens(content);
+  return content;
+}
+
+export function redactGitHubTokens(content: string): string {
+  // GitHub Personal Access Tokens (classic): ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (40 chars)
+  content = content.replace(
+    /\bghp_[A-Za-z0-9]{36}\b/g,
+    "[REDACTED_GITHUB_TOKEN]",
+  );
+
+  // GitHub OAuth tokens: gho_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (40 chars)
+  content = content.replace(
+    /\bgho_[A-Za-z0-9]{36}\b/g,
+    "[REDACTED_GITHUB_TOKEN]",
+  );
+
+  // GitHub installation tokens: ghs_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (40 chars)
+  content = content.replace(
+    /\bghs_[A-Za-z0-9]{36}\b/g,
+    "[REDACTED_GITHUB_TOKEN]",
+  );
+
+  // GitHub refresh tokens: ghr_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (40 chars)
+  content = content.replace(
+    /\bghr_[A-Za-z0-9]{36}\b/g,
+    "[REDACTED_GITHUB_TOKEN]",
+  );
+
+  // GitHub fine-grained personal access tokens: github_pat_XXXXXXXXXX (up to 255 chars)
+  content = content.replace(
+    /\bgithub_pat_[A-Za-z0-9_]{11,221}\b/g,
+    "[REDACTED_GITHUB_TOKEN]",
+  );
+
   return content;
 }
 

src/github/validation/actor.ts

@@ -21,9 +21,42 @@ export async function checkHumanActor(
 
   console.log(`Actor type: ${actorType}`);
 
+  // Check bot permissions if actor is not a User
   if (actorType !== "User") {
+    const allowedBots = githubContext.inputs.allowedBots;
+
+    // Check if all bots are allowed
+    if (allowedBots.trim() === "*") {
+      console.log(
+        `All bots are allowed, skipping human actor check for: ${githubContext.actor}`,
+      );
+      return;
+    }
+
+    // Parse allowed bots list
+    const allowedBotsList = allowedBots
+      .split(",")
+      .map((bot) =>
+        bot
+          .trim()
+          .toLowerCase()
+          .replace(/\[bot\]$/, ""),
+      )
+      .filter((bot) => bot.length > 0);
+
+    const botName = githubContext.actor.toLowerCase().replace(/\[bot\]$/, "");
+
+    // Check if specific bot is allowed
+    if (allowedBotsList.includes(botName)) {
+      console.log(
+        `Bot ${botName} is in allowed list, skipping human actor check`,
+      );
+      return;
+    }
+
+    // Bot not allowed
     throw new Error(
-      `Workflow initiated by non-human actor: ${githubContext.actor} (type: ${actorType}).`,
+      `Workflow initiated by non-human actor: ${botName} (type: ${actorType}). Add bot to allowed_bots list or use '*' to allow all bots.`,
     );
   }
 

src/github/validation/permissions.ts

@@ -17,6 +17,12 @@ export async function checkWritePermissions(
   try {
     core.info(`Checking permissions for actor: ${actor}`);
 
+    // Check if the actor is a GitHub App (bot user)
+    if (actor.endsWith("[bot]")) {
+      core.info(`Actor is a GitHub App: ${actor}`);
+      return true;
+    }
+
     // Check permissions directly using the permission endpoint
     const response = await octokit.repos.getCollaboratorPermissionLevel({
       owner: repository.owner,

src/mcp/github-comment-server.ts

@@ -6,6 +6,7 @@ import { z } from "zod";
 import { GITHUB_API_URL } from "../github/api/config";
 import { Octokit } from "@octokit/rest";
 import { updateClaudeComment } from "../github/operations/comments/update-claude-comment";
+import { sanitizeContent } from "../github/utils/sanitizer";
 
 // Get repository information from environment variables
 const REPO_OWNER = process.env.REPO_OWNER;
@@ -54,11 +55,13 @@ server.tool(
       const isPullRequestReviewComment =
         eventName === "pull_request_review_comment";
 
+      const sanitizedBody = sanitizeContent(body);
+
       const result = await updateClaudeComment(octokit, {
         owner,
         repo,
         commentId,
-        body,
+        body: sanitizedBody,
         isPullRequestReviewComment,
       });
 

src/mcp/github-inline-comment-server.ts

@@ -3,6 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { createOctokit } from "../github/api/client";
+import { sanitizeContent } from "../github/utils/sanitizer";
 
 // Get repository and PR information from environment variables
 const REPO_OWNER = process.env.REPO_OWNER;
@@ -41,12 +42,14 @@ server.tool(
       ),
     line: z
       .number()
+      .nonnegative()
       .optional()
       .describe(
         "Line number for single-line comments (required if startLine is not provided)",
       ),
     startLine: z
       .number()
+      .nonnegative()
       .optional()
       .describe(
         "Start line for multi-line comments (use with line parameter for the end line)",
@@ -79,6 +82,9 @@ server.tool(
 
       const octokit = createOctokit(githubToken).rest;
 
+      // Sanitize the comment body to remove any potential GitHub tokens
+      const sanitizedBody = sanitizeContent(body);
+
       // Validate that either line or both startLine and line are provided
       if (!line && !startLine) {
         throw new Error(
@@ -102,7 +108,7 @@ server.tool(
         owner,
         repo,
         pull_number,
-        body,
+        body: sanitizedBody,
         path,
         side: side || "RIGHT",
         commit_id: commit_id || pr.data.head.sha,

src/modes/agent/index.ts

@@ -80,9 +80,8 @@ export const agentMode: Mode = {
       ...context.inputs.disallowedTools,
     ];
 
-    // Export as INPUT_ prefixed variables for the base action
-    core.exportVariable("INPUT_ALLOWED_TOOLS", allowedTools.join(","));
-    core.exportVariable("INPUT_DISALLOWED_TOOLS", disallowedTools.join(","));
+    core.exportVariable("ALLOWED_TOOLS", allowedTools.join(","));
+    core.exportVariable("DISALLOWED_TOOLS", disallowedTools.join(","));
 
     // Agent mode uses a minimal MCP configuration
     // We don't need comment servers or PR-specific tools for automation

src/modes/review/index.ts

@@ -103,6 +103,9 @@ export const reviewMode: Mode = {
       ? formatBody(contextData.body, imageUrlMap)
       : "No description provided";
 
+    // Using a variable for code blocks to avoid escaping backticks in the template string
+    const codeBlock = "```";
+
     return `You are Claude, an AI assistant specialized in code reviews for GitHub pull requests. You are operating in REVIEW MODE, which means you should focus on providing thorough code review feedback using GitHub MCP tools for inline comments and suggestions.
 
 <formatted_context>
@@ -155,17 +158,46 @@ REVIEW MODE WORKFLOW:
    - This provides the full context and latest state of the code
    - Look at the changed_files section above to see which files were modified
 
-2. Add comments:
-   - use Bash(gh issue comment:*) to add top-level comments
-   - Use mcp__github_inline_comment__create_inline_comment to add inline comments (prefer this where possible)
-   - Parameters:
-     * path: The file path (e.g., "src/index.js")
-     * line: Line number for single-line comments
-     * startLine & line: For multi-line comments (startLine is the first line, line is the last)
-     * side: "LEFT" (old code) or "RIGHT" (new code)
-     * subjectType: "line" for line-level comments
-     * body: Your comment text
+2. Create review comments using GitHub MCP tools:
+   - Use Bash(gh issue comment:*) for general PR-level comments
+   - Use mcp__github_inline_comment__create_inline_comment for line-specific feedback (strongly preferred)
    
+3. When creating inline comments with suggestions:
+   CRITICAL: GitHub's suggestion blocks REPLACE the ENTIRE line range you select
+   - For single-line comments: Use 'line' parameter only
+   - For multi-line comments: Use both 'startLine' and 'line' parameters
+   - The 'body' parameter should contain your comment and/or suggestion block
+   
+   How to write code suggestions correctly:
+   a) To remove a line (e.g., removing console.log on line 22):
+      - Set line: 22
+      - Body: ${codeBlock}suggestion
+      ${codeBlock}
+      (Empty suggestion block removes the line)
+   
+   b) To modify a single line (e.g., fixing line 22):
+      - Set line: 22  
+      - Body: ${codeBlock}suggestion
+      await this.emailInput.fill(email);
+      ${codeBlock}
+   
+   c) To replace multiple lines (e.g., lines 21-23):
+      - Set startLine: 21, line: 23
+      - Body must include ALL lines being replaced:
+      ${codeBlock}suggestion
+      async typeEmail(email: string): Promise<void> {
+          await this.emailInput.fill(email);
+      }
+      ${codeBlock}
+   
+   COMMON MISTAKE TO AVOID:
+   Never duplicate code in suggestions. For example, DON'T do this:
+   ${codeBlock}suggestion
+   async typeEmail(email: string): Promise<void> {
+   async typeEmail(email: string): Promise<void> {  // WRONG: Duplicate signature!
+       await this.emailInput.fill(email);
+   }
+   ${codeBlock}
 
 REVIEW GUIDELINES:
 
@@ -179,13 +211,11 @@ REVIEW GUIDELINES:
 
 - Provide:
   * Specific, actionable feedback
-  * Code suggestions when possible (following GitHub's format exactly)
-  * Clear explanations of issues
-  * Constructive criticism
+  * Code suggestions using the exact format described above
+  * Clear explanations of issues found
+  * Constructive criticism with solutions
   * Recognition of good practices
-  * For complex changes that require multiple modifications:
-    - Create separate comments for each logical change
-    - Or explain the full solution in text without a suggestion block
+  * For complex changes: Create separate inline comments for each logical change
 
 - Communication:
   * All feedback goes through GitHub's review system
@@ -267,9 +297,8 @@ This ensures users get value from the review even before checking individual inl
       ...context.inputs.disallowedTools,
     ];
 
-    // Export as INPUT_ prefixed variables for the base action
-    core.exportVariable("INPUT_ALLOWED_TOOLS", allowedTools.join(","));
-    core.exportVariable("INPUT_DISALLOWED_TOOLS", disallowedTools.join(","));
+    core.exportVariable("ALLOWED_TOOLS", allowedTools.join(","));
+    core.exportVariable("DISALLOWED_TOOLS", disallowedTools.join(","));
 
     const additionalMcpConfig = process.env.MCP_CONFIG || "";
     const mcpConfig = await prepareMcpConfig({

test/actor.test.ts

@@ -0,0 +1,96 @@
+#!/usr/bin/env bun
+
+import { describe, test, expect } from "bun:test";
+import { checkHumanActor } from "../src/github/validation/actor";
+import type { Octokit } from "@octokit/rest";
+import { createMockContext } from "./mockContext";
+
+function createMockOctokit(userType: string): Octokit {
+  return {
+    users: {
+      getByUsername: async () => ({
+        data: {
+          type: userType,
+        },
+      }),
+    },
+  } as unknown as Octokit;
+}
+
+describe("checkHumanActor", () => {
+  test("should pass for human actor", async () => {
+    const mockOctokit = createMockOctokit("User");
+    const context = createMockContext();
+    context.actor = "human-user";
+
+    await expect(
+      checkHumanActor(mockOctokit, context),
+    ).resolves.toBeUndefined();
+  });
+
+  test("should throw error for bot actor when not allowed", async () => {
+    const mockOctokit = createMockOctokit("Bot");
+    const context = createMockContext();
+    context.actor = "test-bot[bot]";
+    context.inputs.allowedBots = "";
+
+    await expect(checkHumanActor(mockOctokit, context)).rejects.toThrow(
+      "Workflow initiated by non-human actor: test-bot (type: Bot). Add bot to allowed_bots list or use '*' to allow all bots.",
+    );
+  });
+
+  test("should pass for bot actor when all bots allowed", async () => {
+    const mockOctokit = createMockOctokit("Bot");
+    const context = createMockContext();
+    context.actor = "test-bot[bot]";
+    context.inputs.allowedBots = "*";
+
+    await expect(
+      checkHumanActor(mockOctokit, context),
+    ).resolves.toBeUndefined();
+  });
+
+  test("should pass for specific bot when in allowed list", async () => {
+    const mockOctokit = createMockOctokit("Bot");
+    const context = createMockContext();
+    context.actor = "dependabot[bot]";
+    context.inputs.allowedBots = "dependabot[bot],renovate[bot]";
+
+    await expect(
+      checkHumanActor(mockOctokit, context),
+    ).resolves.toBeUndefined();
+  });
+
+  test("should pass for specific bot when in allowed list (without [bot])", async () => {
+    const mockOctokit = createMockOctokit("Bot");
+    const context = createMockContext();
+    context.actor = "dependabot[bot]";
+    context.inputs.allowedBots = "dependabot,renovate";
+
+    await expect(
+      checkHumanActor(mockOctokit, context),
+    ).resolves.toBeUndefined();
+  });
+
+  test("should throw error for bot not in allowed list", async () => {
+    const mockOctokit = createMockOctokit("Bot");
+    const context = createMockContext();
+    context.actor = "other-bot[bot]";
+    context.inputs.allowedBots = "dependabot[bot],renovate[bot]";
+
+    await expect(checkHumanActor(mockOctokit, context)).rejects.toThrow(
+      "Workflow initiated by non-human actor: other-bot (type: Bot). Add bot to allowed_bots list or use '*' to allow all bots.",
+    );
+  });
+
+  test("should throw error for bot not in allowed list (without [bot])", async () => {
+    const mockOctokit = createMockOctokit("Bot");
+    const context = createMockContext();
+    context.actor = "other-bot[bot]";
+    context.inputs.allowedBots = "dependabot,renovate";
+
+    await expect(checkHumanActor(mockOctokit, context)).rejects.toThrow(
+      "Workflow initiated by non-human actor: other-bot (type: Bot). Add bot to allowed_bots list or use '*' to allow all bots.",
+    );
+  });
+});

test/install-mcp-server.test.ts

@@ -37,6 +37,7 @@ describe("prepareMcpConfig", () => {
       useStickyComment: false,
       additionalPermissions: new Map(),
       useCommitSigning: false,
+      allowedBots: "",
     },
   };
 

test/mockContext.ts

@@ -28,6 +28,7 @@ const defaultInputs = {
   useStickyComment: false,
   additionalPermissions: new Map<string, string>(),
   useCommitSigning: false,
+  allowedBots: "",
 };
 
 const defaultRepository = {

test/modes/agent.test.ts

@@ -1,15 +1,29 @@
-import { describe, test, expect, beforeEach } from "bun:test";
+import { describe, test, expect, beforeEach, afterEach, spyOn } from "bun:test";
 import { agentMode } from "../../src/modes/agent";
 import type { GitHubContext } from "../../src/github/context";
 import { createMockContext, createMockAutomationContext } from "../mockContext";
+import * as core from "@actions/core";
 
 describe("Agent Mode", () => {
   let mockContext: GitHubContext;
+  let exportVariableSpy: any;
+  let setOutputSpy: any;
 
   beforeEach(() => {
     mockContext = createMockAutomationContext({
       eventName: "workflow_dispatch",
     });
+    exportVariableSpy = spyOn(core, "exportVariable").mockImplementation(
+      () => {},
+    );
+    setOutputSpy = spyOn(core, "setOutput").mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    exportVariableSpy?.mockClear();
+    setOutputSpy?.mockClear();
+    exportVariableSpy?.mockRestore();
+    setOutputSpy?.mockRestore();
   });
 
   test("agent mode has correct properties", () => {
@@ -56,4 +70,67 @@ describe("Agent Mode", () => {
       expect(agentMode.shouldTrigger(context)).toBe(false);
     });
   });
+
+  test("prepare method sets up tools environment variables correctly", async () => {
+    // Clear any previous calls before this test
+    exportVariableSpy.mockClear();
+    setOutputSpy.mockClear();
+
+    const contextWithCustomTools = createMockAutomationContext({
+      eventName: "workflow_dispatch",
+    });
+    contextWithCustomTools.inputs.allowedTools = ["CustomTool1", "CustomTool2"];
+    contextWithCustomTools.inputs.disallowedTools = ["BadTool"];
+
+    const mockOctokit = {} as any;
+    const result = await agentMode.prepare({
+      context: contextWithCustomTools,
+      octokit: mockOctokit,
+      githubToken: "test-token",
+    });
+
+    // Verify that both ALLOWED_TOOLS and DISALLOWED_TOOLS are set
+    expect(exportVariableSpy).toHaveBeenCalledWith(
+      "ALLOWED_TOOLS",
+      "Edit,MultiEdit,Glob,Grep,LS,Read,Write,CustomTool1,CustomTool2",
+    );
+    expect(exportVariableSpy).toHaveBeenCalledWith(
+      "DISALLOWED_TOOLS",
+      "WebSearch,WebFetch,BadTool",
+    );
+
+    // Verify MCP config is set
+    expect(setOutputSpy).toHaveBeenCalledWith("mcp_config", expect.any(String));
+
+    // Verify return structure
+    expect(result).toEqual({
+      commentId: undefined,
+      branchInfo: {
+        baseBranch: "",
+        currentBranch: "",
+        claudeBranch: undefined,
+      },
+      mcpConfig: expect.any(String),
+    });
+  });
+
+  test("prepare method creates prompt file with correct content", async () => {
+    const contextWithPrompts = createMockAutomationContext({
+      eventName: "workflow_dispatch",
+    });
+    contextWithPrompts.inputs.overridePrompt = "Custom override prompt";
+    contextWithPrompts.inputs.directPrompt =
+      "Direct prompt (should be ignored)";
+
+    const mockOctokit = {} as any;
+    await agentMode.prepare({
+      context: contextWithPrompts,
+      octokit: mockOctokit,
+      githubToken: "test-token",
+    });
+
+    // Note: We can't easily test file creation in this unit test,
+    // but we can verify the method completes without errors
+    expect(setOutputSpy).toHaveBeenCalledWith("mcp_config", expect.any(String));
+  });
 });

test/permissions.test.ts

@@ -73,6 +73,7 @@ describe("checkWritePermissions", () => {
       useStickyComment: false,
       additionalPermissions: new Map(),
       useCommitSigning: false,
+      allowedBots: "",
     },
   });
 
@@ -126,6 +127,16 @@ describe("checkWritePermissions", () => {
     );
   });
 
+  test("should return true for bot user", async () => {
+    const mockOctokit = createMockOctokit("none");
+    const context = createContext();
+    context.actor = "test-bot[bot]";
+
+    const result = await checkWritePermissions(mockOctokit, context);
+
+    expect(result).toBe(true);
+  });
+
   test("should throw error when permission check fails", async () => {
     const error = new Error("API error");
     const mockOctokit = {

test/sanitizer.test.ts

@@ -7,6 +7,7 @@ import {
   normalizeHtmlEntities,
   sanitizeContent,
   stripHtmlComments,
+  redactGitHubTokens,
 } from "../src/github/utils/sanitizer";
 
 describe("stripInvisibleCharacters", () => {
@@ -242,6 +243,109 @@ describe("sanitizeContent", () => {
   });
 });
 
+describe("redactGitHubTokens", () => {
+  it("should redact personal access tokens (ghp_)", () => {
+    const token = "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";
+    expect(redactGitHubTokens(`Token: ${token}`)).toBe(
+      "Token: [REDACTED_GITHUB_TOKEN]",
+    );
+    expect(redactGitHubTokens(`Here's a token: ${token} in text`)).toBe(
+      "Here's a token: [REDACTED_GITHUB_TOKEN] in text",
+    );
+  });
+
+  it("should redact OAuth tokens (gho_)", () => {
+    const token = "gho_16C7e42F292c6912E7710c838347Ae178B4a";
+    expect(redactGitHubTokens(`OAuth: ${token}`)).toBe(
+      "OAuth: [REDACTED_GITHUB_TOKEN]",
+    );
+  });
+
+  it("should redact installation tokens (ghs_)", () => {
+    const token = "ghs_xz7yzju2SZjGPa0dUNMAx0SH4xDOCS31LXQW";
+    expect(redactGitHubTokens(`Install token: ${token}`)).toBe(
+      "Install token: [REDACTED_GITHUB_TOKEN]",
+    );
+  });
+
+  it("should redact refresh tokens (ghr_)", () => {
+    const token = "ghr_1B4a2e77838347a253e56d7b5253e7d11667";
+    expect(redactGitHubTokens(`Refresh: ${token}`)).toBe(
+      "Refresh: [REDACTED_GITHUB_TOKEN]",
+    );
+  });
+
+  it("should redact fine-grained tokens (github_pat_)", () => {
+    const token =
+      "github_pat_11ABCDEFG0example5of9_2nVwvsylpmOLboQwTPTLewDcE621dQ0AAaBBCCDDEEFFHH";
+    expect(redactGitHubTokens(`Fine-grained: ${token}`)).toBe(
+      "Fine-grained: [REDACTED_GITHUB_TOKEN]",
+    );
+  });
+
+  it("should handle tokens in code blocks", () => {
+    const content = `\`\`\`bash
+export GITHUB_TOKEN=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
+\`\`\``;
+    const expected = `\`\`\`bash
+export GITHUB_TOKEN=[REDACTED_GITHUB_TOKEN]
+\`\`\``;
+    expect(redactGitHubTokens(content)).toBe(expected);
+  });
+
+  it("should handle multiple tokens in one text", () => {
+    const content =
+      "Token 1: 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 and token 2: gho_16C7e42F292c6912E7710c838347Ae178B4a";
+    expect(redactGitHubTokens(content)).toBe(
+      "Token 1: [REDACTED_GITHUB_TOKEN] and token 2: [REDACTED_GITHUB_TOKEN]",
+    );
+  });
+
+  it("should handle tokens in URLs", () => {
+    const content =
+      "https://api.github.com/user?access_token=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";
+    expect(redactGitHubTokens(content)).toBe(
+      "https://api.github.com/user?access_token=[REDACTED_GITHUB_TOKEN]",
+    );
+  });
+
+  it("should not redact partial matches or invalid tokens", () => {
+    const content =
+      "This is not a token: ghp_short or gho_toolong1234567890123456789012345678901234567890";
+    expect(redactGitHubTokens(content)).toBe(content);
+  });
+
+  it("should preserve normal text", () => {
+    const content = "Normal text with no tokens";
+    expect(redactGitHubTokens(content)).toBe(content);
+  });
+
+  it("should handle edge cases", () => {
+    expect(redactGitHubTokens("")).toBe("");
+    expect(redactGitHubTokens("ghp_")).toBe("ghp_");
+    expect(redactGitHubTokens("github_pat_short")).toBe("github_pat_short");
+  });
+});
+
+describe("sanitizeContent with token redaction", () => {
+  it("should redact tokens as part of full sanitization", () => {
+    const content = `
+      <!-- Hidden comment with token: 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 -->
+      Here's some text with a token: gho_16C7e42F292c6912E7710c838347Ae178B4a
+      And invisible chars: test\u200Btoken
+    `;
+
+    const sanitized = sanitizeContent(content);
+
+    expect(sanitized).not.toContain("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");
+    expect(sanitized).not.toContain("gho_16C7e42F292c6912E7710c838347Ae178B4a");
+    expect(sanitized).not.toContain("<!-- Hidden comment");
+    expect(sanitized).not.toContain("\u200B");
+    expect(sanitized).toContain("[REDACTED_GITHUB_TOKEN]");
+    expect(sanitized).toContain("Here's some text with a token:");
+  });
+});
+
 describe("stripHtmlComments (legacy)", () => {
   it("should remove HTML comments", () => {
     expect(stripHtmlComments("Hello <!-- example -->World")).toBe(

test/trigger-validation.test.ts

@@ -41,6 +41,7 @@ describe("checkContainsTrigger", () => {
           useStickyComment: false,
           additionalPermissions: new Map(),
           useCommitSigning: false,
+          allowedBots: "",
         },
       });
       expect(checkContainsTrigger(context)).toBe(true);
@@ -74,6 +75,7 @@ describe("checkContainsTrigger", () => {
           useStickyComment: false,
           additionalPermissions: new Map(),
           useCommitSigning: false,
+          allowedBots: "",
         },
       });
       expect(checkContainsTrigger(context)).toBe(false);
@@ -291,6 +293,7 @@ describe("checkContainsTrigger", () => {
           useStickyComment: false,
           additionalPermissions: new Map(),
           useCommitSigning: false,
+          allowedBots: "",
         },
       });
       expect(checkContainsTrigger(context)).toBe(true);
@@ -325,6 +328,7 @@ describe("checkContainsTrigger", () => {
           useStickyComment: false,
           additionalPermissions: new Map(),
           useCommitSigning: false,
+          allowedBots: "",
         },
       });
       expect(checkContainsTrigger(context)).toBe(true);
@@ -359,6 +363,7 @@ describe("checkContainsTrigger", () => {
           useStickyComment: false,
           additionalPermissions: new Map(),
           useCommitSigning: false,
+          allowedBots: "",
         },
       });
       expect(checkContainsTrigger(context)).toBe(false);