Considering web access capabilities for Claude in GitHub Actions

[danielorbach]

The Claude Code GitHub Action currently disables WebSearch and WebFetch tools by default for security reasons. This is an intentional design decision in the claude-code-action where these capabilities are explicitly blocked in "tag mode" (when triggered via @claude mentions).

When attempting to ask Claude for web-based research (see issue #8 comment), Claude cannot fulfill the request because the tools are unavailable. The workflow summary shows:

"Claude requested permissions to use WebSearch, but you haven't granted it yet."
"Claude requested permissions to use WebFetch, but you haven't granted it yet."

Enabling these tools would allow Claude to:

• Search the web for documentation, best practices, and solutions
• Fetch content from URLs to analyze documentation or specifications
• Provide more informed responses to research-oriented requests

Security considerations:

• WebSearch queries are sent to external search providers
• WebFetch can retrieve content from arbitrary URLs
• Both tools could potentially leak context about the repository or queries
• The action maintainers disabled these by default citing "security"

To enable, the workflow would need:

claude_args: '--allowedTools "Bash(go:*),WebSearch,WebFetch"'

This issue exists to discuss whether enabling web access aligns with this repository's security posture before making any changes.

[claude]

Claude finished @danielorbach's task —— View job

---

Analysis: Web Access Capabilities for Claude

I've analyzed the security implications of enabling WebSearch and WebFetch tools for this repository. Here's my assessment:

Tasks

• Check for repository guidelines (CLAUDE.md)
• Review current GitHub Actions workflow configuration
• Analyze security tradeoffs
• Provide recommendations

---

Current Configuration

The workflow (.github/workflows/claude.yml:59) currently allows:

claude_args: '--allowedTools "Bash(go:*)"'

This restricts Claude to only Git, GitHub CLI, and Go tooling commands.

---

Security Analysis

What These Tools Do

WebSearch:

• Sends search queries to external search providers
• Returns summaries and URLs from search results
• Does NOT automatically fetch content from results

WebFetch:

• Retrieves content from specified URLs
• Converts HTML to markdown for analysis
• Can access any publicly available URL

Risk Assessment for This Repository

LOW RISK - This is a public open-source library with the following characteristics:

✅ Mitigating factors:

• All code is publicly visible on GitHub
• No secrets, credentials, or proprietary information in the repository
• Focus is on Go component architecture patterns
• Repository already has public CI/CD workflows
• Documentation and code are intended for public consumption

⚠️ Potential concerns (minimal):

• Query patterns could theoretically reveal implementation intentions
• WebFetch could be directed to malicious URLs (but Claude has safety guardrails)
• Small risk of Claude citing outdated or incorrect information from web sources

Comparison to Current Permissions

Claude already has access to:

• Bash(go:*) - Can execute arbitrary Go commands (test, build, run, etc.)
• Git/GitHub - Can read all repository content and push commits
• Repository writes - Can modify any file and push changes

The web tools are significantly less powerful than the existing permissions. If you trust Claude with code execution and repository writes, web access adds minimal additional risk.

---

Recommendation

✅ ENABLE WebSearch and WebFetch for this repository.

Rationale:

1. Public repository - No sensitive data to leak
2. Limited additional risk - Web tools are less powerful than existing permissions
3. Significant value - Enables Claude to:
   • Research Go best practices and patterns
   • Find documentation for dependencies
   • Look up error messages and solutions
   • Access API documentation and specifications
4. Aligns with use case - The referenced issue #8 shows clear value in web research capabilities

Suggested configuration:

claude_args: '--allowedTools "Bash(go:*),WebSearch,WebFetch"'

---

Alternative: Conservative Approach

If you want to be more cautious, you could:

1. Enable only WebSearch first - Less risky than WebFetch

   claude_args: '--allowedTools "Bash(go:*),WebSearch"'

2. Test on a few issues - See how Claude uses the tools in practice

3. Enable WebFetch later - If WebSearch proves valuable and safe

---

Implementation

If you'd like me to update the workflow file with these changes, let me know which approach you prefer:

• Full access (WebSearch + WebFetch)
• Conservative (WebSearch only)
• No changes (keep current configuration)

Note: I cannot modify workflow files in .github/workflows/ due to GitHub App permissions, but I can provide the exact changes needed for you to apply manually.

---

[danielorbach]

The repo seems OK for now:

• Code scanning: 0 alerts
• Secret scanning: 0 alerts
• Dependency vulnerability: 0 alerts

[danielorbach]

With the new permissions, Claude should now have no problem accessing the web.

As proof, @claude use WebSearch and WebFetch tools to reply a recipe of an omelette. Make sure you use both these tools. To make sure that the previous behaviour is respected (i.e. Bash(go:*)) also run a go help command.

[claude]

Claude finished @danielorbach's task in 1m 24s —— View job

---

Testing Web Access Capabilities ✅

Successfully tested all three tool permissions: WebSearch, WebFetch, and Bash(go:*).

Tasks

• Use WebSearch to find omelette recipes
• Use WebFetch to retrieve recipe content
• Run go help command to verify Bash(go:*) access
• Report results

---

Test Results

✅ WebSearch Tool

Successfully searched for "classic omelette recipe" and found 10 recipe sources including:

• A Couple Cooks
• Tasty
• Le Cordon Bleu
• RecipeTin Eats
• Natasha's Kitchen
• Once Upon a Chef

Key findings from search:

• Classic omelettes require just 4 main ingredients: butter, eggs, cheese, and salt & pepper
• Use an 8-inch nonstick skillet for best results
• French omelettes are pale yellow with a soft center, while American omelettes are golden brown
• Cooking time is very short (30 seconds to a few minutes)

Sources:

• Classic Omelette – A Couple Cooks
• Classic Omelette Recipe by Tasty
• Classic Omelette Recipe | Le Cordon Bleu
• Omelette - RecipeTin Eats
• Perfect Omelette (with Video)

---

✅ WebFetch Tool

Successfully fetched and extracted a complete recipe from RecipeTin Eats:

Classic Omelette with Mushroom Filling

Ingredients:

• 1 tbsp / 15g butter
• 3 eggs
• 2 tbsp cream (or 1½ tbsp milk)
• Salt and pepper
• ⅓ cup grated cheese (cheddar or any melting cheese)

Mushroom Filling:

• 1 tbsp / 15g butter or olive oil
• 150g / 5 oz mushrooms, sliced (about 1½ cups)
• 1 small garlic clove, minced
• Fresh thyme leaves and parsley (optional)

Instructions:

1. Mushroom Filling: Melt butter in a skillet over high heat. Add mushrooms and cook until golden on edges (about 1½ minutes). Add garlic, salt, and pepper; cook until golden (about 1½ minutes). Remove and set aside.

2. Omelette:

   • Whisk eggs, cream, salt, and pepper together
   • Cool the skillet and lower heat to medium
   • Add butter, and when foaming, pour in egg mixture
   • Stir briefly, then spread to cover the pan base once it begins setting
   • Wait 20-30 seconds, then lift edges with a spatula and tilt the pan to let uncooked egg flow underneath (repeat 2-3 times)
   • Sprinkle half with cheese, top with mushrooms, add herbs, and remaining cheese
   • Cover and cook 30 seconds until the underside is light golden
   • Fold in half and transfer to plate immediately

Total time: 15 minutes (5 min prep, 10 min cooking)

---

✅ Bash(go:*) Tool

Successfully executed go help command. Output shows Go version management tool is working correctly with access to all standard Go commands including:

• go build - compile packages and dependencies
• go test - test packages
• go run - compile and run Go program
• go mod - module maintenance
• go fmt - format package sources
• And all other standard Go tooling commands

---

Conclusion

All three permission categories are working as expected:

• WebSearch ✅ Can search the web for information
• WebFetch ✅ Can retrieve and parse content from URLs
• Bash(go:*) ✅ Can execute Go tooling commands

The web access capabilities are now fully functional and will enable more informed responses for research-oriented requests, documentation lookups, and finding best practices for Go development.

---