Kashyap Murali 8dfb31d8a5
Add setting_sources input and default base-action to user-only

Project and local settings additively merge their permissions with whatever
allowed_tools a workflow specifies. A workflow author writing a restrictive
allowlist reasonably expects it to be the complete allow-set, but
.claude/settings.json can silently expand it.

Changes:
- Add setting_sources as a first-class input to both actions (previously
  only reachable via --setting-sources in claude_args)
- base-action now defaults to settingSources: ['user'] — workflows that want
  project/local settings must opt in explicitly
- Main action defaults to 'user,project,local' since .claude/ is restored
  from the PR base branch before execution, so project settings are
  maintainer-trusted in that context
- Precedence: setting_sources input > --setting-sources in claude_args > default

Breaking change for base-action: workflows relying on .claude/settings.json
being loaded automatically need to add setting_sources: 'user,project,local'.


🏠 Remote-Dev: homespace
2026-04-23 17:05:38 +00:00
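
The precedence order and the additive merge described in the commit message, as an added illustration that is not code from this repository. The function names, the `permissions.allow` settings shape and the sample tool lists are assumptions constructed for the example.

```javascript
// Illustration only: names and data shapes are hypothetical, not the action's code.
const VALID_SOURCES = new Set(["user", "project", "local"]);

// Extract the value of --setting-sources from a claude_args string.
// Accepts both "--setting-sources a,b" and "--setting-sources=a,b".
function sourcesFromArgs(claudeArgs) {
  const m = /--setting-sources(?:=|\s+)(\S+)/.exec(claudeArgs || "");
  return m ? m[1] : undefined;
}

// Precedence: setting_sources input > --setting-sources in claude_args > default.
function resolveSettingSources({ input, claudeArgs, fallback }) {
  const raw = (input && input.trim()) || sourcesFromArgs(claudeArgs) || fallback;
  const sources = raw.split(",").map((s) => s.trim()).filter(Boolean);
  const unknown = sources.filter((s) => !VALID_SOURCES.has(s));
  if (unknown.length > 0) {
    throw new Error(`unknown setting source: ${unknown.join(",")}`);
  }
  return sources;
}

// Additive merge: allow entries from every loaded source are unioned with the
// workflow's allowed_tools, so the effective set can be wider than the workflow's.
function effectiveAllow(allowedTools, settingsBySource, sources) {
  const allow = new Set(allowedTools);
  for (const src of sources) {
    const extra = (settingsBySource[src]?.permissions?.allow) ?? [];
    for (const tool of extra) allow.add(tool);
  }
  return [...allow].sort();
}

// Constructed sample: a restrictive workflow allowlist and repo-level settings.
const WORKFLOW_ALLOWED = ["Read", "Grep"];
const SAMPLE_SETTINGS = {
  user: { permissions: { allow: [] } },
  project: { permissions: { allow: ["Bash"] } },   // stands in for .claude/settings.json
  local: { permissions: { allow: ["WebFetch"] } },
};

// base-action default ('user'): the workflow allowlist stays the complete allow-set.
const userOnly = resolveSettingSources({ input: "", claudeArgs: "", fallback: "user" });
console.log(effectiveAllow(WORKFLOW_ALLOWED, SAMPLE_SETTINGS, userOnly));

// Explicit opt-in: project and local settings widen the allow-set.
const optIn = resolveSettingSources({ input: "user,project,local", claudeArgs: "", fallback: "user" });
console.log(effectiveAllow(WORKFLOW_ALLOWED, SAMPLE_SETTINGS, optIn));
```

Comparing the two printed lists against a workflow's `allowed_tools` is a quick audit for whether repository settings are widening it.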