mirror of
https://github.com/louis-e/arnis.git
synced 2026-06-16 09:58:52 -04:00
The action denied all gh/Bash calls in CI (no allowlist), so the bot never commented. Lock tools to two wrapper scripts via --allowedTools: a read-only gh wrapper (issue view/list, search issues) and a fixed-format comment poster that reads the target issue from the event payload. This both unblocks the bot and contains prompt-injection — a hijacked prompt can't run arbitrary commands, exfiltrate the token, or post arbitrary text. Also passes GH_TOKEN so the scripts' gh calls are authenticated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
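The two wrappers the commit message describes, written out as an added example (this is not the arnis project's own code and not part of the commit above). The function names `gh_readonly`, `issue_number_from_event` and `post_fixed_comment`, the `GH_BIN` override, the fixed header/footer text and the 4000-byte cap are all assumptions made for the example; the allowlisted verbs (issue view, issue list, search issues) are the ones the commit names.

```shell
# Added example, not the project's scripts. GH_BIN is overridable so the
# wrappers can be exercised without a real gh binary (assumption).
GH_BIN="${GH_BIN:-gh}"

# Read-only gh wrapper: only "issue view", "issue list" and "search issues"
# reach gh. Anything else (issue comment, api, auth, repo ...) is refused
# before gh runs, so a hijacked prompt cannot turn this wrapper into a write
# path or a token-exfiltration path.
gh_readonly() {
    case "$1 $2" in
        "issue view"|"issue list"|"search issues") ;;
        *) echo "gh_readonly: refused '$*'" >&2; return 2 ;;
    esac
    "$GH_BIN" "$@"
}

# Pull the target issue number out of the GitHub event payload. Uses jq when
# present, otherwise a line-based fallback that looks for a "number": N field
# (good enough for issue events; jq is the right tool in production).
# Fails unless the result is a plain integer, so the number can never be
# supplied by the model or by the comment text.
issue_number_from_event() {
    payload="$1"
    if command -v jq >/dev/null 2>&1; then
        n=$(jq -r '.issue.number // empty' "$payload")
    else
        n=$(sed -n 's/.*"number"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$payload" | head -n 1)
    fi
    case "$n" in
        ''|*[!0-9]*) echo "issue_number_from_event: no issue number in $payload" >&2; return 1 ;;
    esac
    printf '%s\n' "$n"
}

# Fixed-format comment poster: the issue number comes only from the event
# payload, and the body is wrapped in a fixed header and footer so the model
# controls just the middle, which is also length-capped. The caller passes the
# file holding that middle text.
post_fixed_comment() {
    payload="$1"; text_file="$2"
    n=$(issue_number_from_event "$payload") || return 1
    body=$(mktemp) || return 1
    {
        printf '<!-- automated triage comment -->\n'
        head -c 4000 "$text_file"     # hypothetical cap on model-supplied text
        printf '\n\n_Posted by the triage bot; replies here are not read._\n'
    } > "$body"
    "$GH_BIN" issue comment "$n" --body-file "$body"
    rc=$?
    rm -f "$body"
    return $rc
}
```

In a workflow the two functions would live in two separate scripts, each named in `--allowedTools`, with `GH_TOKEN` exported by the job so the `gh` calls inside them are authenticated; the allowlist is enforced by the wrapper, not by the prompt, which is what contains a hijacked prompt.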