From 825aab25a523591e79e60e1f6dddd60a32c27582 Mon Sep 17 00:00:00 2001
From: Radoslav Dimitrov <radoslav@stacklok.com>
Date: Thu, 23 Apr 2026 18:45:45 +0300
Subject: [PATCH] Fix npm script allowlist patterns in Claude workflows

PR #793 added `Bash(npm run prettier:*)` etc. to --allowed-tools,
intending the wildcard to cover the `:fix` variants. It doesn't:
in Claude Code's permission grammar, the `:*` suffix is aliased to
a space-separated arg wildcard (Bash(foo:*) == Bash(foo *)), which
enforces a word boundary. `npm run prettier:fix` has no space after
`prettier` -- the `:fix` is part of the script name, not an arg --
so the pattern never matches and the command keeps prompting for
approval.

Replace the wildcarded patterns with explicit script names for the
five scripts the workflows actually invoke (`build`, `prettier`,
`prettier:fix`, `eslint`, `eslint:fix`).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/claude.yml                | 2 +-
 .github/workflows/upstream-release-docs.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 6f310c55..1676d265 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -61,4 +61,4 @@ jobs:
           additional_permissions: |
             actions: read
           claude_args: |
-            --allowed-tools "Bash(npm run build:*) Bash(npm run prettier:*) Bash(npm run eslint:*)"
+            --allowed-tools "Bash(npm run build) Bash(npm run prettier) Bash(npm run prettier:fix) Bash(npm run eslint) Bash(npm run eslint:fix)"
diff --git a/.github/workflows/upstream-release-docs.yml b/.github/workflows/upstream-release-docs.yml
index 535345fb..a72b715e 100644
--- a/.github/workflows/upstream-release-docs.yml
+++ b/.github/workflows/upstream-release-docs.yml
@@ -558,7 +558,7 @@ jobs:
           claude_args: |
             --model claude-opus-4-7
             --max-turns 1000
-            --allowed-tools "Bash(gh:*) Bash(npm run build:*) Bash(npm run prettier:*) Bash(npm run eslint:*)"
+            --allowed-tools "Bash(gh:*) Bash(npm run build) Bash(npm run prettier) Bash(npm run prettier:fix) Bash(npm run eslint) Bash(npm run eslint:fix)"
           prompt: |
             You are running in GitHub Actions with no interactive user. Follow
             these steps exactly and do NOT ask clarifying questions -- proceed
@@ -752,7 +752,7 @@ jobs:
           claude_args: |
             --model claude-opus-4-7
             --max-turns 200
-            --allowed-tools "Bash(gh:*) Bash(npm run build:*) Bash(npm run prettier:*) Bash(npm run eslint:*)"
+            --allowed-tools "Bash(gh:*) Bash(npm run build) Bash(npm run prettier) Bash(npm run prettier:fix) Bash(npm run eslint) Bash(npm run eslint:fix)"
           prompt: |
             You are running in GitHub Actions with no interactive user. Follow
             these steps exactly and do NOT ask clarifying questions -- proceed