fix: parse ALL --allowed-tools flags, not just the first one

[AlexanderBartash]

Summary

Fixes #800

The parseAllowedTools() function previously used .match() which only returns the first match. This caused tools specified in subsequent --allowed-tools flags to be ignored during MCP server initialization.

Changes

• Add /g flag to regex patterns for global matching
• Use matchAll() to find all occurrences
• Deduplicate tools while preserving order
• Make unquoted pattern not match quoted values (to avoid capturing quotes from quoted patterns)

Root Cause

When users specify multiple --allowed-tools flags:

claude_args: |
  --allowed-tools 'mcp__context7__*'
  --allowed-tools 'Read,Glob,Grep'
  --allowed-tools 'mcp__github_inline_comment__create_inline_comment'

Only tools from the first flag were parsed. This broke MCP server initialization when mcp__github_* tools weren't in the first flag.

Test plan

• All existing tests pass
• Added new tests for multiple --allowed-tools flags
• Added test for deduplication across flags
• Added test for multiline flag parsing

[sachinmahale]

@AlexanderBartash after this v1.0.30 our workflow is now failing.

here is the workflow:

      - name: 🤖 Run Claude Code Review (via Bedrock)
        uses: anthropics/claude-code-action@v1
        with:
          # Use the default token for GitHub interaction (comments, file reading)
          github_token: ${{ secrets.GITHUB_TOKEN }}

          # Flag to enable AWS Bedrock integration
          use_bedrock: true

          # Enable progress tracking for visual feedback on the PR
          track_progress: true

          # The comprehensive instruction prompt for Claude
          prompt: |
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number }}

            Perform a comprehensive code review with the following focus areas:

            1. **Code Quality**
               - Clean code principles and best practices
               - Proper error handling and edge cases
               - Code readability and maintainability

          claude_args: |
            # Defines the tools Claude is allowed to use for the review
            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(cat:AGENTS.md),Bash(cat:@AGENTS_my_custom_rules.md)"
            # Set max-turns higher for large/complex PRs to avoid premature termination
            --max-turns 75

we are getting below error:

SDK execution error: 7835 |       throw error;
7836 |     }
7837 |   }
7838 |   getProcessExitError(code, signal) {
7839 |     if (code !== 0 && code !== null) {
7840 |       return new Error(`Claude Code process exited with code ${code}`);
                    ^
error: Claude Code process exited with code 1
      at getProcessExitError (/home/runner/work/_actions/anthropics/claude-code-action/v1/base-action/node_modules/@anthropic-ai/claude-agent-sdk/sdk.mjs:7840:14)
      at exitHandler (/home/runner/work/_actions/anthropics/claude-code-action/v1/base-action/node_modules/@anthropic-ai/claude-agent-sdk/sdk.mjs:7970:28)
      at emit (node:events:92:22)
      at #handleOnExit (node:child_process:511:14)

[AlexanderBartash]

@sachinmahale Comments are not allowed in the claude_args: | I have a separate fix for that #803 I think it never worked with comments, even before my changes because I also tried adding them and it failed, that is why the fix.

[sachinmahale]

@AlexanderBartash I tried removing complete claude_args: block, still its not working.

[AlexanderBartash]

@sachinmahale The changes in PR #801 only affect the parsing of --allowed-tools flags. When claude_args is empty, the behavior is identical to before (returns an empty array). So it cannot be the cause of the error. I recomment trying different action versions to see which one broke it.

[AlexanderBartash]

@sachinmahale E.g. use_bedrock: true I think requires id-token: write permission, also aws-actions/configure-aws-credentials and --model in claude_args.

[sachinmahale]

@AlexanderBartash our workflow was working fine till 16th Jan. but after the release v1.0.30 it started failing.
I changed the action from anthropics/claude-code-action@v1 to anthropics/claude-code-action@v1.0.28 and it started working again.
You can go through our workflow and let me know your change is causing the problem.
Also please be noted that in our all repos AGENTS.mg is present and its being respected through Bash(cat:AGENTS.md) in claude_args, like I said, I removed complete claude_args block but still workflow fails if I use v1.

[AlexanderBartash]

@sachinmahale Between 30 and 28 there is also 29 :) I cannot really help you because I do not see your workflow logs, nor your full workflow. I already provided feedback based on what you gave me.

[AlexanderBartash]

@sachinmahale Please read my messages properly. I am not sure that you can remove claude_args while using bedrock due to needing --model. I may be wrong.

[AlexanderBartash]

Also please be noted that in our all repos AGENTS.mg is present and its being respected through Bash(cat:AGENTS.md) in claude_args.

I am not sure what you mean here. I never said anything about it.

[sachinmahale]

@AlexanderBartash I'm sharing the workflow here. I can see the problem with use_bedrock: true. any changes in v1.0.30 against this property? I can see anthropic-ai/claude-agent-sdk this version has also been changed in this version:

---
name: 🤖 Claude AI Code Review (AWS Bedrock)

# -------------------------------------------------------------------------------------
# Triggers the workflow automatically on Pull Request activity.
# - opened: When a new PR is created.
# - synchronize: When new commits are pushed to the PR branch.
# - ready_for_review: When a PR is moved from draft to ready.
# - reopened: When a closed PR is reopened.
# -------------------------------------------------------------------------------------
on:
  pull_request:
    types: [opened, synchronize, ready_for_review, reopened]
  pull_request_review_comment:
    types: [created]

concurrency:
  group:
    ${{ github.repository }}-${{ github.event.number || github.head_ref || github.sha }}-${{ github.workflow }}-${{ github.event_name == 'pull_request_review_comment' && 'pr_comment' || 'pr' }}
  cancel-in-progress: ${{ github.event_name != 'pull_request_review_comment' }}

jobs:
  review_pr_with_claude:
    # Descriptive job name reflecting its task
    name: 🔎 Automated PR Review

    runs-on: ubuntu-latest

    # Define necessary permissions for the default GITHUB_TOKEN
    permissions:
      contents: read # Required for checking out code
      pull-requests: write # Required for posting review comments
      id-token: write # Required for AWS OIDC authentication
      actions: read # Required for Claude to read CI/CD status (fixes warning)

    env:
      AWS_REGION: us-east-1 # The AWS region where Bedrock is configured

    steps:
      - name: ⬇️ Checkout Pull Request Branch
        # Use v4 for better compatibility with other actions
        uses: actions/checkout@v4
        with:
          # Fetch only the latest commit to save time and resources
          fetch-depth: 1
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: 🔑 Configure AWS Credentials (OIDC Role Assumption)
        # Assumes the IAM Role defined in the AWS_ROLE_TO_ASSUME secret
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: ${{ env.AWS_REGION }}

      - name: 🤖 Run Claude Code Review (via Bedrock)
        uses: anthropics/claude-code-action@v1
        with:
          # Use the default token for GitHub interaction (comments, file reading)
          github_token: ${{ secrets.GITHUB_TOKEN }}

          # Flag to enable AWS Bedrock integration
          use_bedrock: true

          # Enable progress tracking for visual feedback on the PR
          track_progress: true

          # The comprehensive instruction prompt for Claude
          prompt: |
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number }}

            Perform a comprehensive code review with the following focus areas:

            1. **Code Quality**
               - Clean code principles and best practices

          # Custom arguments passed directly to the Claude agent
          claude_args: |
            --max-turns 75
            --allowedTools "mcp__github_inline_comment__create_inline_comment"
            --allowedTools "Bash(gh pr comment:*)"
            --allowedTools "Bash(gh pr diff:*)"
            --allowedTools "Bash(gh pr view:*)"
            --allowedTools "Bash(cat:AGENTS.md)"
            --allowedTools "Bash(cat:@AGENTS_my_custom_rules.md)"
            --allowedTools "Read,LS,Bash"
            ```

[AlexanderBartash]

@sachinmahale Does it work if you specify --model https://github.com/anthropics/claude-code-action/blob/main/docs/cloud-providers.md ?

[sachinmahale]

@AlexanderBartash I tried but it doesn't work.
to create workflow, I had referred this document https://github.com/anthropics/claude-code-action/blob/main/examples/pr-review-comprehensive.yml. Now this doc is not working.

[AlexanderBartash]

@sachinmahale Have you tried .29? Knowing if it works or not would narrow it down a bit.