Fix npm script allowlist patterns in Claude workflows (#802)

rdimitrov · claude · web-flow · commit 3f5527e5baaa · 2026-04-23T11:49:41.000-04:00
PR #793 added `Bash(npm run prettier:*)` etc. to --allowed-tools, intending the wildcard to cover the `:fix` variants. It doesn't: in Claude Code's permission grammar, the `:*` suffix is aliased to a space-separated arg wildcard (Bash(foo:*) == Bash(foo *)), which enforces a word boundary. `npm run prettier:fix` has no space after `prettier` -- the `:fix` is part of the script name, not an arg -- so the pattern never matches and the command keeps prompting for approval. Replace the wildcarded patterns with explicit script names for the five scripts the workflows actually invoke (`build`, `prettier`, `prettier:fix`, `eslint`, `eslint:fix`). Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -61,4 +61,4 @@ jobs:
           additional_permissions: |
             actions: read
           claude_args: |
-            --allowed-tools "Bash(npm run build:*) Bash(npm run prettier:*) Bash(npm run eslint:*)"
+            --allowed-tools "Bash(npm run build) Bash(npm run prettier) Bash(npm run prettier:fix) Bash(npm run eslint) Bash(npm run eslint:fix)"
diff --git a/.github/workflows/upstream-release-docs.yml b/.github/workflows/upstream-release-docs.yml
@@ -558,7 +558,7 @@ jobs:
           claude_args: |
             --model claude-opus-4-7
             --max-turns 1000
-            --allowed-tools "Bash(gh:*) Bash(npm run build:*) Bash(npm run prettier:*) Bash(npm run eslint:*)"
+            --allowed-tools "Bash(gh:*) Bash(npm run build) Bash(npm run prettier) Bash(npm run prettier:fix) Bash(npm run eslint) Bash(npm run eslint:fix)"
           prompt: |
             You are running in GitHub Actions with no interactive user. Follow
             these steps exactly and do NOT ask clarifying questions -- proceed
@@ -752,7 +752,7 @@ jobs:
           claude_args: |
             --model claude-opus-4-7
             --max-turns 200
-            --allowed-tools "Bash(gh:*) Bash(npm run build:*) Bash(npm run prettier:*) Bash(npm run eslint:*)"
+            --allowed-tools "Bash(gh:*) Bash(npm run build) Bash(npm run prettier) Bash(npm run prettier:fix) Bash(npm run eslint) Bash(npm run eslint:fix)"
           prompt: |
             You are running in GitHub Actions with no interactive user. Follow
             these steps exactly and do NOT ask clarifying questions -- proceed
