
Fix npm script allowlist patterns in Claude workflows#802

Merged: rdimitrov merged 1 commit into main from fix-npm-allowlist-patterns on Apr 23, 2026


@rdimitrov
Member

Description

PR #793 added Bash(npm run prettier:*) / Bash(npm run eslint:*) / Bash(npm run build:*) to --allowed-tools in claude.yml and upstream-release-docs.yml, intending the :* suffix to cover the :fix script variants as a wildcard. It doesn't.

In Claude Code's Bash permission grammar, :* is aliased to a space-separated argument wildcard: Bash(foo:*) == Bash(foo *). The space enforces a word boundary. From the Claude Code permissions docs:

The :* suffix is an equivalent way to write a trailing wildcard, so Bash(ls:*) matches the same commands as Bash(ls *).
The space before * matters: Bash(ls *) matches ls -la but not lsof.

So Bash(npm run prettier:*) matches npm run prettier --foo (with a space before the arg) but not npm run prettier:fix, because :fix is part of the script name, not an argument — the permission matcher sees npm run prettier:fix as one token.

Fix: replace the wildcarded patterns with explicit script names for the five scripts these workflows actually invoke (build, prettier, prettier:fix, eslint, eslint:fix, all declared in package.json). Bash(gh:*) in upstream-release-docs.yml stays as-is — gh is a real CLI with real subcommands, so the arg wildcard is correct there.

Reported by @danbarr watching the 0.24.1 docs PR — npm run prettier:fix was still prompting "This command requires approval" despite the allowlist entry.

Type of change

  • Bug fix (typo, broken link, etc.)

Related issues/PRs

Follow-up to #793.

Test plan

  • @claude mention a PR and ask Claude to run npm run prettier:fix — command should auto-approve.
  • On the next upstream release PR, confirm the skill's internal npm run eslint:fix call runs without approval prompts.

🤖 Generated with Claude Code
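
The matching rule described above, as an added example (not code from this PR, the repository, or Claude Code): a simplified Python model of the `:*` alias and its word boundary, run over `--allowed-tools` values constructed from the patterns the description names. The function names, and the choice that a bare prefix with no arguments also matches, are assumptions of this example.

```python
import re

# Simplified model of the Bash permission rule described in this PR; it is
# not Claude Code's matcher. Assumption: a bare prefix with no args matches.
def bash_rule_matches(pattern: str, command: str) -> bool:
    if pattern.endswith(":*"):
        pattern = pattern[:-2] + " *"      # ":*" is an alias for " *"
    if pattern.endswith(" *"):
        prefix = pattern[:-2]
        # The space is a word boundary: the prefix must end a whole token.
        return command == prefix or command.startswith(prefix + " ")
    return command == pattern              # no wildcard: exact match only


def bash_patterns(allowed_tools: str) -> list[str]:
    """Extract the Bash(...) patterns from an --allowed-tools value."""
    return re.findall(r"Bash\(([^)]*)\)", allowed_tools)


def uncovered(allowed_tools: str, commands: list[str]) -> list[str]:
    """Commands that no Bash(...) entry auto-approves (these would prompt)."""
    patterns = bash_patterns(allowed_tools)
    return [c for c in commands
            if not any(bash_rule_matches(p, c) for p in patterns)]


# Constructed --allowed-tools values built from the patterns named in the PR.
BEFORE = ("Bash(npm run prettier:*),Bash(npm run eslint:*),"
          "Bash(npm run build:*),Bash(gh:*)")
AFTER = ("Bash(npm run build),Bash(npm run prettier),Bash(npm run prettier:fix),"
         "Bash(npm run eslint),Bash(npm run eslint:fix),Bash(gh:*)")

# The five scripts the PR says the workflows invoke.
EXPECTED = ["npm run build", "npm run prettier", "npm run prettier:fix",
            "npm run eslint", "npm run eslint:fix"]

if __name__ == "__main__":
    print("before:", uncovered(BEFORE, EXPECTED))
    print("after: ", uncovered(AFTER, EXPECTED))
```

Running the same check in CI against the commands a workflow is expected to issue catches an entry that silently fails to match before it shows up as an approval prompt.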

PR #793 added `Bash(npm run prettier:*)` etc. to --allowed-tools,
intending the wildcard to cover the `:fix` variants. It doesn't:
in Claude Code's permission grammar, the `:*` suffix is aliased to
a space-separated arg wildcard (Bash(foo:*) == Bash(foo *)), which
enforces a word boundary. `npm run prettier:fix` has no space after
`prettier` -- the `:fix` is part of the script name, not an arg --
so the pattern never matches and the command keeps prompting for
approval.

Replace the wildcarded patterns with explicit script names for the
five scripts the workflows actually invoke (`build`, `prettier`,
`prettier:fix`, `eslint`, `eslint:fix`).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 23, 2026 15:46
@vercel

vercel Bot commented Apr 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs-website Ready Ready Preview, Comment Apr 23, 2026 3:46pm

Contributor

Copilot AI left a comment


Pull request overview

This PR fixes Claude Code workflow tool allowlist patterns so npm run <script>:fix commands are correctly auto-approved by switching from the :* suffix (argument wildcard) to explicit npm script names.

Changes:

  • Replace Bash(npm run <script>:*) entries with explicit Bash(npm run <script>) and Bash(npm run <script>:fix) allowlist entries.
  • Apply the allowlist fix to both the upstream release docs workflow and the @claude mention workflow.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/upstream-release-docs.yml Updates Claude Code --allowed-tools to explicitly allow build, prettier, prettier:fix, eslint, eslint:fix for both skill invocations.
.github/workflows/claude.yml Updates the mention-triggered Claude Code workflow --allowed-tools to explicitly allow the same npm scripts.

@rdimitrov rdimitrov merged commit 3f5527e into main Apr 23, 2026
8 checks passed
@rdimitrov rdimitrov deleted the fix-npm-allowlist-patterns branch April 23, 2026 15:49