chore: add gh pr list and gh run list permissions #380

Merged: davidpoblador merged 1 commit into main from chore/add-gh-permissions on Nov 6, 2025

@davidpoblador


Summary

Added missing GitHub CLI permissions to .claude/settings.json:

  • Bash(gh pr list:*)
  • Bash(gh run list:*)

These commands were previously requiring sandbox override to function.

Test plan

  • Configuration is valid JSON
  • Permissions follow the existing pattern
  • After merge, these gh commands will work without dangerouslyDisableSandbox

Context

During this session, I had to use dangerouslyDisableSandbox: true for gh pr list and gh run list commands. This PR adds them to the allowed permissions so they work in sandboxed mode going forward.

🤖 Generated with Claude Code

@claude

claude Bot commented Nov 6, 2025


Claude finished @davidpoblador's task


PR Review: Adding GitHub CLI Permissions

Todo List

  • Read and analyze the modified settings.json file
  • Review JSON configuration validity and formatting
  • Check permission patterns consistency
  • Assess security implications
  • Evaluate the changes against best practices
  • Provide comprehensive review feedback

Review Feedback

Code Quality & Best Practices

  • JSON Validity: Configuration is syntactically correct and well-formatted
  • Consistency: The new permissions follow the exact same pattern as existing GitHub CLI permissions
  • Alphabetical Ordering: Permissions are properly sorted within the gh command group (lines 25-30)
  • Documentation: PR description clearly explains the motivation and testing performed

Technical Correctness

  • Permission Syntax: Both Bash(gh pr list:*) and Bash(gh run list:*) use the correct wildcard pattern
  • Logical Grouping: Permissions are placed in the appropriate location alongside other gh commands
  • File Structure: No changes to other configuration sections, maintaining separation of concerns

Security Considerations

  • Read-Only Operations: Both gh pr list and gh run list are read-only commands that don't modify repository state
  • Wildcard Scope: The * wildcard is appropriately scoped to these specific commands
  • Principle of Least Privilege: Adding only the minimum necessary permissions to solve the sandbox issue
  • No Sensitive Data Exposure: These commands only list metadata, not sensitive repository content

Performance & Functionality

  • Problem Resolution: Directly addresses the need to disable sandbox mode for these commands
  • No Performance Impact: Adding permissions has no runtime performance implications
  • Backward Compatible: Changes don't affect existing functionality

⚠️ Minor Considerations

  • Test Coverage: While manual testing was performed, consider adding these commands to any automated permission validation if such tests exist
  • Documentation: Consider updating any developer documentation that references the available GitHub CLI commands

🔍 Code Context Analysis

Looking at the existing permissions structure (copier-template/.claude/settings.json:18-105), this change:

  • Maintains the established pattern of GitHub CLI permissions (lines 25-30)
  • Follows the same security model as gh pr view and gh run view
  • Preserves the logical grouping of related commands

Summary

This is a well-executed, low-risk change that follows established patterns and security practices. The addition of these read-only GitHub CLI permissions is appropriate and necessary for improved developer experience without compromising security.

Recommendation: ✅ Approve and merge
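
The review above suggests automated permission validation. As an added example (not part of this thread or the project's code), the check below parses the allow list and reports `gh` rules that fall outside a read-only verb set. It assumes rules live under `permissions.allow`, that `:*` marks a prefix match, and a hypothetical `READ_ONLY_VERBS` policy; the sample settings are constructed.

```python
import json
import re

# Hypothetical policy: gh verbs treated as read-only for this check.
READ_ONLY_VERBS = {"list", "view", "status", "diff", "checks"}

# Bash(<command prefix>:*) or Bash(<exact command>)
RULE_RE = re.compile(r"^Bash\((?P<cmd>[^:()]+?)(?::(?P<suffix>\*))?\)$")

# Constructed sample, using command names mentioned on this page plus one
# deliberately broad rule (gh api) to show what the check reports.
SAMPLE = """{
  "permissions": {
    "allow": [
      "Bash(gh pr list:*)",
      "Bash(gh pr view:*)",
      "Bash(gh run list:*)",
      "Bash(gh run view:*)",
      "Bash(gh pr create:*)",
      "Bash(gh api:*)",
      "Bash(uvx uv-bump:*)"
    ]
  }
}"""

def audit_gh_rules(settings_text):
    """Return (rule, reason) pairs for gh allow rules that need human review."""
    settings = json.loads(settings_text)  # raises ValueError on invalid JSON
    allow = settings.get("permissions", {}).get("allow", [])
    findings = []
    for rule in allow:
        m = RULE_RE.match(rule)
        if m is None:
            if rule.startswith("Bash("):
                findings.append((rule, "unparseable Bash rule"))
            continue
        words = m.group("cmd").split()
        if not words or words[0] != "gh":
            continue  # only gh rules are in scope here
        if len(words) < 3:
            # e.g. "gh api" or "gh pr": the prefix covers a whole command or group
            findings.append((rule, "prefix is broader than one gh subcommand"))
        elif words[2] not in READ_ONLY_VERBS:
            findings.append((rule, f"'{words[2]}' is not in the read-only verb set"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit_gh_rules(SAMPLE):
        print(f"REVIEW {rule}: {reason}")
```

Run against the real settings file in CI, a non-empty result can be compared with a reviewed exception list so that new write-capable rules are noticed at merge time.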


Added missing GitHub CLI permissions to allow checking PR
and workflow run status without requiring sandbox override.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

davidpoblador force-pushed the chore/add-gh-permissions branch from b3176b1 to dcc7143 on November 6, 2025 10:38

davidpoblador merged commit 6fb0642 into main on Nov 6, 2025
2 checks passed
davidpoblador deleted the chore/add-gh-permissions branch on November 6, 2025 10:39
davidpoblador pushed a commit that referenced this pull request Nov 6, 2025
🤖 I have created a release *beep* *boop*
---


## [2.13.5](v2.13.4...v2.13.5) (2025-11-06)

### Bug Fixes

* convert relative links to absolute URLs in changelog docs ([#373](#373)) ([a3ab5cb](a3ab5cb))
* include chore commits in changelog ([#379](#379)) ([44ffea3](44ffea3))
* include refactor and perf commits in changelog ([#378](#378)) ([f98e9df](f98e9df))

### Code Refactoring

* remove template backwards compatibility symlink ([#377](#377)) ([3ba7e11](3ba7e11))

### Miscellaneous Chores

* add gh pr list and gh run list permissions ([#380](#380)) ([6fb0642](6fb0642))
* add permissions for uvx uv-bump and gh pr create ([#375](#375)) ([27e392a](27e392a))
* **deps:** update JavaScript and Python dependencies ([#374](#374)) ([0370036](0370036))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>