Describe the bug
When using claude_args with --allowedTools that includes WebSearch and WebFetch, these tools are still disabled by default through the DISALLOWED_TOOLS environment variable.

The --allowedTools parameter in claude_args is not reflected in the mode's allowed tools list during prompt creation, causing the default disabling behavior to take precedence. This prevents Claude from using web search and fetch capabilities even when explicitly allowed.

To Reproduce
Steps to reproduce the behavior:

1. Create a GitHub Actions workflow with claude_args containing --allowedTools that includes WebFetch and WebSearch
2. Trigger the action with a comment containing @claude and request it to search the web or fetch a URL
3. Check the execution logs
4. See error: Tools are rejected because DISALLOWED_TOOLS: WebSearch,WebFetch is set

Expected behavior
Since WebFetch and WebSearch are explicitly included in --allowedTools, they should be available for Claude to use during execution. The --allowedTools parameter should override the default disabling behavior for these tools.

Screenshots

Workflow yml file

      - name: ***
        uses: anthropics/claude-code-action@v1
        with:
          use_bedrock: "true"
          track_progress: true
          github_token: ${{ steps.app-token.outputs.token }}
          claude_args: |
            --model sonnet
            --mcp-config .mcp.json
            --allowedTools Task,Edit,Read,WebFetch,WebSearch,Glob,Grep,SlashCommand,mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)
            --disallowedTools ""

API Provider

[ ] Anthropic First-Party API (default)
[x] AWS Bedrock
[ ] GCP Vertex

Additional context

Root Cause Analysis

The issue occurs in src/create-prompt/index.ts in the createPrompt function:

1. Mode's getAllowedTools() returns empty array:
   Both Tag mode (src/modes/tag/index.ts) and Agent mode (src/modes/agent/index.ts) implement getAllowedTools() to return an empty array:

   getAllowedTools() {
     return [];
   }

2. buildDisallowedToolsString applies default disabling:
   In src/create-prompt/index.ts, the buildDisallowedToolsString function:

   export function buildDisallowedToolsString(
     customDisallowedTools?: string[],
     allowedTools?: string[],
   ): string {
     // Tag mode: Disable WebSearch and WebFetch by default for security
     let disallowedTools = ["WebSearch", "WebFetch"];
   
     // If user has explicitly allowed some default disallowed tools, remove them
     if (allowedTools && allowedTools.length > 0) {
       disallowedTools = disallowedTools.filter(
         (tool) => !allowedTools.includes(tool),
       );
     }
     // ...
   }

3. createPrompt uses mode.getAllowedTools():

   const modeAllowedTools = mode.getAllowedTools();  // Returns []
   const modeDisallowedTools = mode.getDisallowedTools();
   
   const allDisallowedTools = buildDisallowedToolsString(
     modeDisallowedTools,
     modeAllowedTools,  // Empty array, so WebSearch/WebFetch remain disabled
   );
   
   core.exportVariable("DISALLOWED_TOOLS", allDisallowedTools);  // Sets "WebSearch,WebFetch"

4. parseAllowedTools is not connected to mode.getAllowedTools():
   While Agent mode has parseAllowedTools() function in src/modes/agent/parse-tools.ts that can parse --allowedTools from claude_args, this parsed value is:

   • Used only in prepareMcpConfig()
   • Not returned by mode.getAllowedTools()
   • Not available during the buildDisallowedToolsString() call