Stop Slack notify step from loading project config#998
Merged
Conversation
claude-code-action defaults to settingSources user+project+local, so the checkout step (added for restoreConfigFromBase) pulls this repo's CLAUDE.md and .claude/ into context. That config describes unrelated doc-review workflows the tool allowlist denies, which likely explains the persistent permission denials even after the allowedTools fix. Scope this step to user settings only.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR scopes the Slack notify workflow’s Claude Code step to user-level settings only, to prevent it from loading in-repo Claude configuration (CLAUDE.md / .claude/) that can cause unnecessary tool attempts and permission denials. It aligns the workflow with the action’s documented approach for avoiding unrelated project config when the step’s job is narrowly to summarize gh pr view output into a JSON file.
Changes:
- Add
--setting-sources userto theclaude_argsfor the “Compose reviewer summary” step. - Document (in inline comments) why project/local setting sources are intentionally excluded for this step.
rdimitrov
approved these changes
Jun 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Follow-up to #997. The allowedTools fix in #997 is confirmed working (
"allowedTools": ["Bash(gh:*)", "Write"]parses correctly now), but permission denials are still high: 19 denials on a run that succeeded (29/30 turns), 21 and 24 on two that hit the max-turns cap.I couldn't get a full per-turn transcript to confirm definitively.
gh run rerun --debugonly adds the GitHub Actions runner's own##[debug]lines; claude-code-action's "Run Claude Code Action" composite step defines its own explicitenv:block inaction.yml, which doesn't forwardACTIONS_STEP_DEBUGinto the Bun subprocess, soshow_full_outputnever actually flips on that way.The strongest remaining lead:
settingSourcesdefaults to["user", "project", "local"]. The checkout step added in #996 (needed for claude-code-action'srestoreConfigFromBase) means this repo'sCLAUDE.mdand.claude/(agents, commands, skills) are now present in the working directory and get loaded as project context. None of that is relevant to this step, whose only job is to read one PR viagh pr viewand write a JSON file, and the action's own docs call out--setting-sources useras the documented way to avoid pulling in unrelated in-repo config. Scoping this step to user-level settings only should stop Claude from wandering into tool calls the allowlist denies.This isn't a fully confirmed fix since I couldn't capture the transcript, so worth watching the next real
ready_for_reviewtrigger to see if denials drop.Type of change
Related issues/PRs
Follow-up to #994, #995, #996, #997
Submitter checklist
Content and formatting
Reviewer checklist
Content