The GitHub Actions job "prek" on airflow-steward.git/feat-settings-allow-read-only-mcp has succeeded. Run started by GitHub user potiuk (triggered by potiuk).

Head commit for run:
69a630d128a2aaeadc5646fc8a8dfba747e70159 / Jarek Potiuk <[email protected]>
chore(settings): allowlist read-only Gmail / Ponymail MCP + zizmor

Add eight read-only patterns to `.claude/settings.json`
`permissions.allow` (and mirror in `tools/sandbox-lint/expected.json`
to keep the baseline in lockstep) so the most common prompts during
security-mailbox sweeps and CI lint passes go away.

== Added ==

- `mcp__claude_ai_Gmail__get_thread` — read Gmail thread by ID
- `mcp__claude_ai_Gmail__search_threads` — search Gmail by query
- `mcp__ponymail__search_list` — search public ASF mailing-list archive
- `mcp__ponymail__auth_status` — ponymail auth probe
- `mcp__ponymail__get_thread` — read ponymail thread
- `mcp__ponymail__get_email` — read individual ponymail message
- `mcp__ponymail__list_restrictions` — read access restriction list
- `Bash(zizmor *)` — GitHub Actions security linter (read-only scan)

== Frequency basis ==

Picked from a 50-transcript scan (4786 Bash calls, 353 MCP calls):

  107  mcp__claude_ai_Gmail__get_thread
   48  mcp__claude_ai_Gmail__search_threads
   47  mcp__ponymail__search_list
   15  mcp__ponymail__auth_status
    8  mcp__ponymail__get_thread
    4  mcp__ponymail__get_email
    3  mcp__ponymail__list_restrictions
    4  Bash(zizmor *)

== Deliberately NOT added ==

- `Bash(prek run *)` — runs hooks that include formatters (ruff format, doctoc) that mutate files.
- `Bash(breeze run *)` / `Bash(breeze release-management *)` — Airflow CI/build tooling, mutates.
- `Bash(for *)` / `Bash(until *)` family — shell loops are arbitrary-code-execution wildcards; never safe to allowlist.
- `Bash(mkdir *)` / `Bash(chmod *)` / `Bash(ln *)` — filesystem writes.
- `Bash(awk *)` / `Bash(open *)` / `Bash(magick *)` — pattern doesn't distinguish reads from writes.
- All git / gh / cat / ls / grep / rg / find / etc. — already auto-allowed by Claude Code with no rule needed.

== Verification ==

sandbox-lint pytest passes (50/50) — the baseline and live
`.claude/settings.json` agree.

Generated-by: Claude Code (Opus 4.7)

Report URL: https://github.com/apache/airflow-steward/actions/runs/26600240537

With regards,
GitHub Actions via GitBox
