Allow npm build/lint/format in Claude workflows#793
Merged
Conversation
Add npm run build, prettier, and eslint (including :fix variants) to the --allowed-tools allowlist in both the upstream-release-docs and @claude mention workflows, so agents can validate their own changes without hitting sandbox denials. The mention workflow also gains Node + deps via the shared ./.github/actions/setup composite, since it previously had no npm tooling at all. Clarify CLAUDE.md/AGENTS.md: the pre-commit hook silently no-ops in CI, unattended agents, and local environments without npm install, so agents should run prettier:fix and eslint:fix explicitly after editing content.
Contributor
Pull request overview
This PR updates the repo’s Claude Code GitHub Actions workflows and agent guidance so Claude can run the project’s npm build/lint/format scripts in CI contexts where pre-commit hooks aren’t available.
Changes:
- Expand Claude’s `--allowed-tools` in `upstream-release-docs.yml` to permit `npm run build`/`prettier`/`eslint` (including `:fix` variants).
- Update the `@claude` mention workflow to run the shared `./.github/actions/setup` (checkout + Node 24 + cached deps) and allow npm build/lint/format commands.
- Revise `AGENTS.md` guidance to explicitly instruct running `npm run prettier:fix` and `npm run eslint:fix` instead of relying on pre-commit hooks.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| AGENTS.md | Updates agent guidance to manually run format/lint scripts when hooks don’t fire. |
| .github/workflows/upstream-release-docs.yml | Allows Claude to run npm build/lint/format scripts during upstream release doc generation/review. |
| .github/workflows/claude.yml | Adds repo+deps setup and permits npm build/lint/format execution for mention-triggered Claude runs. |
Comment on lines +41 to +42:

```yaml
claude_args: |
  --allowed-tools "Bash(npm run build:*) Bash(npm run prettier:*) Bash(npm run eslint:*)"
```
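Review bot: the `:*` suffix in `Bash(npm run prettier:*)` and `Bash(npm run eslint:*)` will not cover `npm run prettier:fix` or `npm run eslint:fix`, which is the whole point of this allowlist. The follow-up commit on this page explains why: Claude Code aliases `Bash(foo:*)` to `Bash(foo *)`, so the match requires a space after `prettier`, and `:fix` is part of the script name rather than an argument. List the five scripts explicitly instead, e.g. `Bash(npm run prettier) Bash(npm run prettier:fix) Bash(npm run eslint) Bash(npm run eslint:fix)` alongside `Bash(npm run build)`. Separately, since these Bash tools execute `npm run` scripts from the checked-out `package.json`, this job needs to be gated on `author_association` (OWNER/MEMBER/COLLABORATOR) before any of them can run, so that an `@claude` mention on a fork PR cannot execute attacker-controlled scripts under the workflow's secrets and write permissions; the author's fix in 663249f adds that gate.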
Collaborator
Author
@copilot this should be addressed now, re-check
Contributor
Re-checked: this is addressed in 663249f. The workflow now gates @claude execution to OWNER/MEMBER/COLLABORATOR author associations before any npm-capable Bash tools can run.
The initial version of this workflow referenced `./.github/actions/setup` without a prior checkout, so GitHub couldn't resolve the local action. Add a sparse-checkout of `.github` just for action resolution; the composite does its own full checkout + Node + deps. Also gate the job on `author_association` per Copilot's review. Without this, an @claude mention on a fork PR that modified package.json scripts would run attacker-controlled code under our secrets and write permissions. Only OWNER/MEMBER/COLLABORATOR can trigger the workflow.
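The shape of the fix described in the commit above, as an added example that is not the repository's own `claude.yml`: the job is gated on the commenter's `author_association` before any step runs, a sparse checkout of `.github` makes the local composite resolvable, and the composite then performs the full checkout and Node setup. The `issue_comment` trigger, the `permissions` block, the `anthropics/claude-code-action@v1` reference and the `ANTHROPIC_API_KEY` secret name are assumptions; the allowlist spells out the script names explicitly because the later commit on this page found that the `:*` wildcard does not cover `prettier:fix`.

```yaml
# Added example of the hardened @claude mention workflow; not the repo's claude.yml.
# Trigger, permissions, action reference and secret name are assumptions.
name: claude-mention

on:
  issue_comment:
    types: [created]

permissions:
  contents: write
  pull-requests: write
  issues: write

jobs:
  claude:
    runs-on: ubuntu-latest
    # Gate on the commenter's association before any npm-capable tool can run.
    # Without this, "@claude" on a fork PR whose package.json scripts were
    # modified would execute attacker-controlled code under our secrets.
    if: >-
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    steps:
      # Sparse checkout of .github only, so GitHub can resolve the local
      # composite action; the composite does its own full checkout.
      - uses: actions/checkout@v4
        with:
          sparse-checkout: .github

      # Shared composite: full checkout + Node 24 + cached deps.
      - uses: ./.github/actions/setup

      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # Explicit script names: Bash(npm run prettier:*) is aliased to
          # Bash(npm run prettier *) and never matches "npm run prettier:fix".
          claude_args: |
            --allowed-tools "Bash(npm run build) Bash(npm run prettier) Bash(npm run prettier:fix) Bash(npm run eslint) Bash(npm run eslint:fix)"
```

Two things worth checking when adapting this: the gate must test the comment author (`github.event.comment.author_association`), not the pull request author, because it is the comment that starts the run; and on an `issue_comment` event the initial sparse checkout resolves to the repository's default branch, so the composite action definition itself is taken from trusted code even when the PR under discussion comes from a fork.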
rdimitrov approved these changes Apr 22, 2026
rdimitrov added a commit that referenced this pull request Apr 23, 2026
PR #793 added `Bash(npm run prettier:*)` etc. to --allowed-tools, intending the wildcard to cover the `:fix` variants. It doesn't: in Claude Code's permission grammar, the `:*` suffix is aliased to a space-separated arg wildcard (Bash(foo:*) == Bash(foo *)), which enforces a word boundary. `npm run prettier:fix` has no space after `prettier` -- the `:fix` is part of the script name, not an arg -- so the pattern never matches and the command keeps prompting for approval. Replace the wildcarded patterns with explicit script names for the five scripts the workflows actually invoke (`build`, `prettier`, `prettier:fix`, `eslint`, `eslint:fix`). Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
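To make the word-boundary rule in the commit message above concrete, here is an added example (not Claude Code's own permission code) that models the rule as the commit describes it: `Bash(foo:*)` is treated as `foo` followed by a space or end of string, and a pattern without a wildcard must equal the whole command. The `parse_allowed_tools`, `matches`, `is_allowed` and `audit` names are mine, and the match semantics are a simplification taken from the commit text rather than from Claude Code's source.

```python
"""Model of the Claude Code --allowed-tools Bash(...) matching rule described in
the commit message above.  Added example, not Claude Code's implementation: the
word-boundary behaviour is taken from the commit text ("Bash(foo:*) ==
Bash(foo *)") and exact patterns are assumed to require a whole-command match."""

import re

# One Bash(...) entry.  The body may itself contain spaces ("npm run build:*"),
# so the --allowed-tools string cannot simply be split on whitespace.
_ENTRY = re.compile(r"Bash\(([^()]*)\)")


def parse_allowed_tools(spec: str) -> list[str]:
    """Return the Bash(...) bodies from an --allowed-tools string."""
    return _ENTRY.findall(spec)


def _normalize(text: str) -> str:
    """Collapse runs of whitespace so matching ignores incidental spacing."""
    return " ".join(text.split())


def matches(pattern: str, cmd: str) -> bool:
    """Does one Bash(...) pattern permit `cmd` under the modelled rule?"""
    cmd = _normalize(cmd)
    if pattern.endswith(":*"):
        prefix = _normalize(pattern[:-2])
        # Bash(foo:*) is aliased to Bash(foo *): the prefix must be the whole
        # command or be followed by a space.  "npm run prettier:fix" therefore
        # does NOT match "npm run prettier:*" because ':fix' is glued to the
        # script name, not separated from it as an argument.
        return cmd == prefix or cmd.startswith(prefix + " ")
    # No wildcard: the whole command must match (assumed exact semantics).
    return cmd == _normalize(pattern)


def is_allowed(spec: str, cmd: str) -> bool:
    """True if any entry in the --allowed-tools string permits `cmd`."""
    return any(matches(p, cmd) for p in parse_allowed_tools(spec))


def audit(spec: str, commands: list[str]) -> dict[str, bool]:
    """Map each command a workflow invokes to whether `spec` lets it run."""
    return {c: is_allowed(spec, c) for c in commands}


# Allowlist as merged in PR #793 (wildcarded) and as replaced by the follow-up.
WILDCARDED = "Bash(npm run build:*) Bash(npm run prettier:*) Bash(npm run eslint:*)"
EXPLICIT = (
    "Bash(npm run build) Bash(npm run prettier) Bash(npm run prettier:fix) "
    "Bash(npm run eslint) Bash(npm run eslint:fix)"
)

# Constructed sample: the five scripts the workflows invoke plus one with an
# argument, to show what each allowlist style gains and loses.
SAMPLE_COMMANDS = [
    "npm run build",
    "npm run prettier",
    "npm run prettier:fix",
    "npm run eslint",
    "npm run eslint:fix",
    "npm run prettier --check",
]

if __name__ == "__main__":
    for name, spec in (("wildcarded", WILDCARDED), ("explicit", EXPLICIT)):
        print(name)
        for cmd, ok in audit(spec, SAMPLE_COMMANDS).items():
            print(f"  {'allow ' if ok else 'PROMPT'}  {cmd}")
```

Under this model the wildcarded allowlist prompts for both `:fix` scripts, exactly the symptom the commit describes, while the explicit list permits all five scripts but no longer covers a command with extra arguments such as `npm run prettier --check`; if the workflows ever need to pass arguments, the allowlist would need a further entry rather than relying on the `:*` form.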
Description
Two Claude Code workflows in this repo were missing the tooling needed to run the project's `npm run build`, `prettier`, and `eslint` scripts:
- `upstream-release-docs.yml` already tried to run them (the skill's Phase 5 validation calls out "run the project's lint/format commands"), but the sandbox allowlist only exposed `Bash(gh:*)`. A dedicated post-step currently auto-fixes lint/format drift to cover the gap.
- `claude.yml` (the `@claude` mention flow) had no Node/deps setup at all and no `claude_args`, so any mention-triggered edit to docs content would land unformatted and break PR CI.

This PR:
- Adds `Bash(npm run build:*) Bash(npm run prettier:*) Bash(npm run eslint:*)` to `--allowed-tools` in both workflows. Wildcarded patterns cover the `:fix` variants.
- Runs the `./.github/actions/setup` composite in `claude.yml` so Node 24 + cached deps are present before the Claude step runs.
- Updates `AGENTS.md` (the source file behind the `CLAUDE.md` symlink) to stop telling Claude "the pre-commit hook handles formatting, don't run formatters manually." That's true only on a dev machine that has Node, deps, and husky set up. The hook silently no-ops in CI, scheduled agents, and local envs without `npm install`, so the guidance now explicitly tells Claude to run `prettier:fix` and `eslint:fix` itself.

The post-step autofix in `upstream-release-docs.yml` is intentionally left in place until we've seen the new allowlist work on a real release.
Related issues/PRs
None.