track_progress: true adds write tools that cannot be restricted via allowedTools #860

@vertti

Summary

When using track_progress: true in claude-code-action, the action adds a significant number of write tools (Edit, MultiEdit, Write, git commands) that cannot be restricted via --allowedTools in claude_args. This is because the tools are merged, not overwritten.

This creates a security/permissions issue where users who intend to run Claude in read-only mode (e.g., for code review) unknowingly give Claude full write access.

Detailed Findings

1. track_progress: true Forces Tag Mode

File: src/modes/detector.ts:20-30

// If track_progress is set for PR/issue events, force tag mode
if (context.inputs.trackProgress && isEntityContext(context)) {
  if (isPullRequestEvent(context) || isIssuesEvent(context) || ...) {
    return "tag";  // Forces tag mode
  }
}

2. Tag Mode Adds Write Tools by Default

File: src/modes/tag/index.ts:149-182

Tag mode adds these tools by default:

| Category | Tools |
| --- | --- |
| File Editing | Edit, MultiEdit, Write |
| File Reading | Glob, Grep, LS, Read |
| GitHub MCP | mcp__github_comment__update_claude_comment, mcp__github_ci__get_ci_status, mcp__github_ci__get_workflow_run_details, mcp__github_ci__download_job_log |
| Git Commands (default) | Bash(git add:*), Bash(git commit:*), Bash(git push:*), Bash(git status:*), Bash(git diff:*), Bash(git log:*), Bash(git rm:*) |

Total: 18 tools including full file write and git commit access.

3. Tools Are MERGED, Not Overwritten

File: base-action/src/parse-sdk-options.ts:171-173

const mergedAllowedTools = [
  ...new Set([...extraArgsAllowedTools, ...directAllowedTools]),
];

This means users CANNOT restrict tools when using track_progress: true.

Example:

  • Tag mode sets: Edit,MultiEdit,Write,Glob,Grep,...
  • User sets: --allowedTools "Read,Glob,Grep" (hoping for read-only)
  • Result: Union of both = Edit,MultiEdit,Write,Read,Glob,Grep,...

The user's restricted list is merged with tag mode's full list, giving Claude ALL tools.

Real-World Impact

Our code review workflow:

track_progress: true
claude_args: |
  --max-turns 25
  --allowedTools "mcp__github_inline_comment__*,Bash(gh pr *),Read,Glob,Grep"

Intended behavior: Read-only code review with inline comments
Actual behavior: Claude has full file edit access + git commit/push

Suggested Solutions

  1. Document the behavior clearly - The README should explain that track_progress: true adds write tools and that --allowedTools is additive, not restrictive

  2. Add a read-only progress tracking option - e.g., track_progress: "read-only" that adds only the comment update tool without file editing tools

  3. Change merge behavior - When user specifies --allowedTools, treat it as the definitive list rather than merging

  4. Separate comment tracking from file editing - The progress tracking feature (updating the Claude comment) doesn't inherently require file editing tools

Workaround

For now, users who want read-only access should:

  • Remove track_progress: true
  • Use agent mode (which passes through --allowedTools unchanged)
  • Accept that they lose the progress comment updates

Environment

  • claude-code-action version: v1 (latest)
  • Event type: pull_request
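
The union merge reported above can be reproduced offline and turned into a guard that lists write-capable tools the workflow never requested. This is an added example, not part of the original issue and not code from claude-code-action: the helper names, the `WRITE_TOOLS` classification and the simple comma split are assumptions, while the tool names and the `--allowedTools` value are copied from the issue.

```typescript
// Added example: models the de-duplicating union quoted from parse-sdk-options.ts.
// Tag-mode defaults are copied from the table in the issue (18 entries).
const TAG_MODE_DEFAULTS: string[] = [
  "Edit", "MultiEdit", "Write", "Glob", "Grep", "LS", "Read",
  "mcp__github_comment__update_claude_comment",
  "mcp__github_ci__get_ci_status",
  "mcp__github_ci__get_workflow_run_details",
  "mcp__github_ci__download_job_log",
  "Bash(git add:*)", "Bash(git commit:*)", "Bash(git push:*)",
  "Bash(git status:*)", "Bash(git diff:*)", "Bash(git log:*)", "Bash(git rm:*)",
];

// Assumption of this example: which entries can modify files or the remote.
const WRITE_TOOLS = new Set<string>([
  "Edit", "MultiEdit", "Write",
  "Bash(git add:*)", "Bash(git commit:*)", "Bash(git push:*)", "Bash(git rm:*)",
]);

// Hypothetical helper: split a comma-separated --allowedTools value.
function parseAllowedTools(value: string): string[] {
  return value.split(",").map((t) => t.trim()).filter((t) => t.length > 0);
}

// Same shape as the merge in the issue: union of both lists, duplicates dropped.
function mergeAllowedTools(modeTools: string[], userTools: string[]): string[] {
  return Array.from(new Set([...modeTools, ...userTools]));
}

// Write-capable tools in the effective set that the user never listed.
function unexpectedWriteTools(effective: string[], requested: string[]): string[] {
  const asked = new Set(requested);
  return effective.filter((t) => WRITE_TOOLS.has(t) && !asked.has(t));
}

// The --allowedTools value from the code review workflow in the issue.
const requested = parseAllowedTools(
  "mcp__github_inline_comment__*,Bash(gh pr *),Read,Glob,Grep",
);
const effective = mergeAllowedTools(TAG_MODE_DEFAULTS, requested);
const leaked = unexpectedWriteTools(effective, requested);

console.log(`requested ${requested.length} tools, effective ${effective.length}`);
console.log("write tools granted but never requested:", leaked);
```

A non-empty `leaked` list is the condition a read-only review workflow would want to fail on before the job runs.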

Labels: area:permissions; bug (Something isn't working); documentation (Improvements or additions to documentation); p1 (Showstopper bug preventing substantial subset of users from using the product, or incorrect docs)
