github: prevent Claude from making commits during PR review

The workflow already uses contents: read which prevents GitHub from accepting any push. The --disallowedTools setting adds a second layer by stopping Claude from even attempting git write operations. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Link: https://github.com/openwrt/openwrt/pull/22897 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-04-11 18:06:40 +02:00 · 2026-04-11 18:06:40 +02:00 · 05e111aa42
commit 05e111aa42
parent 4517acedb5
1 changed files with 1 additions and 0 deletions
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@ -33,3 +33,4 @@ jobs:
          trigger_phrase: "/claude"
          claude_args: >-
            --allowedTools "mcp__github_inline_comment__create_inline_comment"
+            --disallowedTools "Bash(git add:*),Bash(git commit:*),Bash(git rm:*),Bash(git push:*)"