Add allowed_tools input parameter and enable MCP file ops for agent mode

- Add allowed_tools input to action.yml so workflows can specify allowed tools
- Pass allowed_tools to prepare step via environment variable
- Update agent mode to use allowed_tools when building claude_args
- Add GitHub file ops MCP server to agent mode when use_commit_signing is enabled
- This allows agent mode (used by auto-fix workflows) to write and commit files

.claude/commands/fix-ci-commit.md

@@ -1,5 +1,6 @@
 ---
 description: Fix CI failures and commit changes (for use when branch already exists)
+allowed_tools: "*"
 ---
 
 # Fix CI Failures and Commit
@@ -30,20 +31,18 @@ Based on the error logs:
 
 After fixing ALL issues, you MUST:
 
-```bash
+Use the `mcp__github_file_ops__commit_files` tool to commit all your changes with a descriptive message like:
-# Stage all changes
-git add -A
 
-# Commit with descriptive message
+```
-git commit -m "Fix CI failures
+Fix CI failures
 
 - Fixed syntax errors
 - Fixed formatting issues  
 - Fixed test failures
-[List actual fixes made]"
+[List actual fixes made]
 ```
 
-**IMPORTANT**: You MUST use the Bash tool to run the git add and git commit commands above. The workflow expects you to commit your changes.
+**IMPORTANT**: You MUST use the MCP file ops tool to commit your changes. The workflow expects you to commit your changes.
 
 ### 3. Verify (Optional)
 

.claude/commands/fix-ci.md

@@ -1,5 +1,6 @@
 ---
 description: Analyze and fix CI failures by examining logs and making targeted fixes
+allowed_tools: "*"
 ---
 
 # Fix CI Failures
@@ -41,11 +42,11 @@ Requirements:
 
 ## Step 4: Commit Changes
 
-After applying ALL fixes, use the Bash tool to:
+After applying ALL fixes:
-1. Run: `git add -A` to stage all modified files
+1. Use the `mcp__github_file_ops__commit_files` tool to commit your changes
-2. Run: `git commit -m "Fix CI failures: <description>"` to commit the changes
+2. Include a descriptive commit message explaining what was fixed
-3. Include details about which CI jobs/tests were fixed in the commit message
+3. Document which CI jobs/tests were addressed in the commit message
-4. Important: You MUST use the Bash tool to run these git commands to commit your changes
+4. Important: Use the MCP file ops tool, not git commands directly
 
 ## Step 5: Verify Fixes Locally
 

.github/workflows/auto-fix-ci-inline.yml

@@ -78,7 +78,7 @@ jobs:
             };
 
       - name: Fix CI failures with Claude
-        uses: km-anthropic/claude-code-action@v1-dev
+        uses: anthropics/claude-code-action@v1-dev
         with:
           prompt: |
             You are tasked with analyzing CI failure logs and fixing the issues. Follow these steps:
@@ -147,6 +147,8 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           timeout_minutes: "30"
           use_sticky_comment: "true"
+          use_commit_signing: "true"
+          allowed_tools: "Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash,mcp__github_file_ops__commit_files,mcp__github_file_ops__delete_files"
           claude_args: "--max-turns 15"
 
       - name: Push fix branch
@@ -163,7 +165,7 @@ jobs:
             const baseBranch = '${{ github.event.workflow_run.head_branch }}';
             const prUrl = `https://github.com/${context.repo.owner}/${context.repo.repo}/compare/${baseBranch}...${branchName}?quick_pull=1`;
             
-            const issueNumber = ${{ github.event.workflow_run.pull_requests[0]?.number || 'null' }};
+            const issueNumber = ${{ github.event.workflow_run.pull_requests[0] && github.event.workflow_run.pull_requests[0].number || 'null' }};
             
             if (issueNumber) {
               await github.rest.issues.createComment({

.github/workflows/auto-fix-ci.yml

@@ -77,7 +77,7 @@ jobs:
             };
 
       - name: Fix CI failures with Claude
-        uses: km-anthropic/claude-code-action@v1-dev
+        uses: anthropics/claude-code-action@v1-dev
         with:
           prompt: |
             /fix-ci-commit Failed CI Run: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }}
@@ -89,6 +89,8 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           timeout_minutes: "30"
           use_sticky_comment: "true"
+          use_commit_signing: "true"
+          allowed_tools: "Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash,mcp__github_file_ops__commit_files,mcp__github_file_ops__delete_files"
           claude_args: "--max-turns 15"
 
       - name: Push fix branch
@@ -105,7 +107,7 @@ jobs:
             const baseBranch = '${{ github.event.workflow_run.head_branch }}';
             const prUrl = `https://github.com/${context.repo.owner}/${context.repo.repo}/compare/${baseBranch}...${branchName}?quick_pull=1`;
             
-            const issueNumber = ${{ github.event.workflow_run.pull_requests[0]?.number || 'null' }};
+            const issueNumber = ${{ github.event.workflow_run.pull_requests[0] && github.event.workflow_run.pull_requests[0].number || 'null' }};
             
             if (issueNumber) {
               await github.rest.issues.createComment({

action.yml

@@ -81,6 +81,10 @@ inputs:
     description: "Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands"
     required: false
     default: "false"
+  allowed_tools:
+    description: "Comma-separated list of tools to allow Claude to use (e.g., 'Edit,MultiEdit,Write,Read'). If not set, mode defaults apply."
+    required: false
+    default: ""
   experimental_allowed_domains:
     description: "Restrict network access to these domains only (newline-separated). If not set, no restrictions are applied. Provider domains are auto-detected."
     required: false
@@ -130,6 +134,7 @@ runs:
         ADDITIONAL_PERMISSIONS: ${{ inputs.additional_permissions }}
         CLAUDE_ARGS: ${{ inputs.claude_args }}
         MCP_CONFIG: ${{ inputs.mcp_config }}
+        ALLOWED_TOOLS: ${{ inputs.allowed_tools }}
 
     - name: Install Base Action Dependencies
       if: steps.prepare.outputs.contains_trigger == 'true'

slash-commands/fix-ci-commit.md

@@ -1,5 +1,6 @@
 ---
 description: Fix CI failures and commit changes (for use when branch already exists)
+allowed_tools: "*"
 ---
 
 # Fix CI Failures and Commit
@@ -30,20 +31,18 @@ Based on the error logs:
 
 After fixing ALL issues, you MUST:
 
-```bash
+Use the `mcp__github_file_ops__commit_files` tool to commit all your changes with a descriptive message like:
-# Stage all changes
-git add -A
 
-# Commit with descriptive message
+```
-git commit -m "Fix CI failures
+Fix CI failures
 
 - Fixed syntax errors
 - Fixed formatting issues  
 - Fixed test failures
-[List actual fixes made]"
+[List actual fixes made]
 ```
 
-**IMPORTANT**: You MUST use the Bash tool to run the git add and git commit commands above. The workflow expects you to commit your changes.
+**IMPORTANT**: You MUST use the MCP file ops tool to commit your changes. The workflow expects you to commit your changes.
 
 ### 3. Verify (Optional)
 

slash-commands/fix-ci.md

@@ -1,5 +1,6 @@
 ---
 description: Analyze and fix CI failures by examining logs and making targeted fixes
+allowed_tools: "*"
 ---
 
 # Fix CI Failures
@@ -42,10 +43,10 @@ Requirements:
 ## Step 4: Commit Changes
 
 After applying fixes:
-1. Stage all modified files with `git add -A` or `git add .`
+1. Use the `mcp__github_file_ops__commit_files` tool to commit your changes
-2. Commit with a descriptive message using `git commit -m "Fix CI failures: <description>"`
+2. Include a descriptive commit message explaining what was fixed
-3. Include details about which CI jobs/tests were fixed in the commit message
+3. Document which CI jobs/tests were addressed in the commit message
-4. Important: Always commit your changes even if you're already on a branch
+4. Important: Use the MCP file ops tool to commit your changes
 
 ## Step 5: Verify Fixes Locally
 

src/modes/agent/index.ts

@@ -83,6 +83,29 @@ export const agentMode: Mode = {
       },
     };
 
+    // Add GitHub file ops server when using commit signing
+    if (context.inputs?.useCommitSigning) {
+      mcpConfig.mcpServers["github-file-ops-server"] = {
+        command: "bun",
+        args: [
+          "run",
+          `${process.env.GITHUB_ACTION_PATH}/src/mcp/github-file-ops-server.ts`,
+        ],
+        env: {
+          GITHUB_TOKEN: githubToken || "",
+          REPO_OWNER: context.repository.owner,
+          REPO_NAME: context.repository.repo,
+          BRANCH_NAME: "", // Agent mode doesn't pre-create branches
+          BASE_BRANCH: "",
+          REPO_DIR: process.env.GITHUB_WORKSPACE || process.cwd(),
+          GITHUB_EVENT_NAME: process.env.GITHUB_EVENT_NAME || "",
+          IS_PR: "false", // Agent mode doesn't create PRs by default
+          GITHUB_API_URL:
+            process.env.GITHUB_API_URL || "https://api.github.com",
+        },
+      };
+    }
+
     // Add user-provided additional MCP config if any
     const additionalMcpConfig = process.env.MCP_CONFIG || "";
     if (additionalMcpConfig.trim()) {
@@ -101,12 +124,23 @@ export const agentMode: Mode = {
       }
     }
 
-    // Agent mode: pass through user's claude_args with MCP config
+    // Agent mode: pass through user's claude_args with MCP config and allowed_tools
     const userClaudeArgs = process.env.CLAUDE_ARGS || "";
+    const userAllowedTools = process.env.ALLOWED_TOOLS || "";
     const escapedMcpConfig = JSON.stringify(mcpConfig).replace(/'/g, "'\\''");
-    const claudeArgs =
+    let claudeArgs = `--mcp-config '${escapedMcpConfig}'`;
-      `--mcp-config '${escapedMcpConfig}' ${userClaudeArgs}`.trim();
+    
-    core.setOutput("claude_args", claudeArgs);
+    // Add allowed_tools if specified
+    if (userAllowedTools) {
+      claudeArgs += ` --allowedTools "${userAllowedTools}"`;
+    }
+    
+    // Add user's additional claude_args
+    if (userClaudeArgs) {
+      claudeArgs += ` ${userClaudeArgs}`;
+    }
+    
+    core.setOutput("claude_args", claudeArgs.trim());
 
     return {
       commentId: undefined,

test-failure.ts

@@ -1,5 +1,5 @@
 // This file intentionally has TypeScript errors to trigger CI failure
-// Updated to trigger new workflow run
+// Testing auto-fix with MCP file ops enabled
 const testFunction = (param: string): number => {
   // Type error: returning string instead of number
   return "this should be a number";