Add checks/statuses read permissions to Claude workflow #268

Merged: justin808 merged 1 commit into main from codex/apply-claude-yml-permissions-20260301 on Mar 2, 2026

@justin808 justin808 commented Mar 2, 2026

Applies the workflow update from shakacode/react_on_rails#2487:

  • add checks: read and statuses: read to job permissions
  • pass github_token: ${{ github.token }} to anthropics/claude-code-action
  • add checks: read and statuses: read to additional_permissions

Admin merge requested to keep rollout fast across repos.


Note

Low Risk
Low risk workflow-only change that expands the GitHub Actions token permissions to read checks/statuses and passes github_token into the Claude action; potential impact is limited to CI access scope.

Overview
Updates the Claude Code GitHub Actions workflow to let the Claude action read CI results.

The job now includes checks: read and statuses: read permissions (and mirrors them in additional_permissions), and explicitly passes github_token: ${{ github.token }} to anthropics/claude-code-action@v1.

Written by Cursor Bugbot for commit f4c4962.

@justin808 justin808 merged commit c2b5c84 into main Mar 2, 2026
@justin808 justin808 deleted the codex/apply-claude-yml-permissions-20260301 branch March 2, 2026 00:41

coderabbitai bot commented Mar 2, 2026

Warning

Rate limit exceeded

@justin808 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 29 minutes and 37 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between e3ea017 and f4c4962.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

claude bot commented Mar 2, 2026

Review: Add checks/statuses read permissions to Claude workflow

Overall: Clean, minimal, well-scoped change.

The additions are correct and appropriate. A few observations:

What is good

  • Adding checks: read + statuses: read is the right minimal scope to cover both the modern Checks API (used by most CI integrations) and the legacy Commit Statuses API — covering both ensures full CI result visibility.
  • Making github_token explicit is good practice; it makes the dependency visible rather than implicit.
  • Mirroring the new permissions in additional_permissions is consistent with how the existing actions: read is handled.

Minor observation

The pre-existing actions: read line has an inline comment explaining why it is needed (# Required for Claude to read CI results on PRs), but the two new permission lines are added without similar comments. For consistency and future maintainability, it would be helpful to annotate them similarly:

checks: read    # Required for Claude to read CI check results
statuses: read  # Required for Claude to read legacy commit statuses

Pre-existing note (out of scope for this PR)

The job-level permissions use pull-requests: read and issues: read, but the workflow triggers on comment events where Claude presumably needs write access to post responses. This appears to be handled by the action obtaining elevated permissions via the id-token: write OIDC grant, but the gap between declared job permissions and actual required permissions could be confusing to future maintainers. Worth a follow-up comment in the workflow file if not already documented elsewhere.

Comment on lines +27 to +28
checks: read
statuses: read

Consider adding inline comments for consistency with the existing actions: read annotation above:

Suggested change
checks: read
statuses: read
checks: read # Required for Claude to read CI check results
statuses: read # Required for Claude to read legacy commit statuses

greptile-apps bot commented Mar 2, 2026

Greptile Summary

This PR expands GitHub Actions token permissions to allow the Claude Code action to read CI check results and statuses on pull requests.

Changes made:

  • Added checks: read and statuses: read to job-level permissions
  • Added github_token: ${{ github.token }} parameter to pass the token explicitly to the action
  • Mirrored the new permissions in additional_permissions configuration

The changes are minimal, consistent, and follow standard GitHub Actions patterns. All added permissions are read-only, presenting no security risk.

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • The changes only add read-only permissions to a GitHub Actions workflow and follow standard patterns; there are no logic changes, security concerns, or breaking changes
  • No files require special attention

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/claude.yml | Adds read-only permissions for checks and statuses to enable CI result reading, and passes github_token to Claude action |

Last reviewed commit: f4c4962
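
An added example, not part of the PR or of any reviewer's comment: a small Python check for the read-only claim made in this thread. It lists every scope in a workflow's permissions blocks that grants more than read access. The sample workflow is constructed from the scope names and action inputs quoted above; its layout and the function names permission_blocks and write_scopes are assumptions.

```python
import re

# Constructed sample shaped like the change this PR describes; only the scope
# names and action inputs come from the thread, the layout is assumed.
SAMPLE_WORKFLOW = """\
jobs:
  claude:
    permissions:
      pull-requests: read
      issues: read
      id-token: write
      actions: read  # Required for Claude to read CI results on PRs
      checks: read
      statuses: read
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          github_token: ${{ github.token }}
          additional_permissions: |
            actions: read
            checks: read
            statuses: read
"""

def permission_blocks(text):
    """Yield one {scope: level} dict per `permissions:` key in the workflow."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)permissions:\s*(\S*)", line)
        if not m:
            continue  # also skips `additional_permissions:`, an action input
        indent, shorthand = len(m.group(1)), m.group(2)
        if shorthand and not shorthand.startswith("#"):
            yield {"*": shorthand}  # e.g. read-all, write-all, {}
            continue
        scopes = {}
        for child in lines[i + 1:]:
            if not child.strip() or child.lstrip().startswith("#"):
                continue
            if len(child) - len(child.lstrip()) <= indent:
                break  # dedent: the permissions mapping has ended
            cm = re.match(r"^\s+([\w-]+):\s*([\w-]+)", child)
            if cm:
                scopes[cm.group(1)] = cm.group(2)
        yield scopes

def write_scopes(text, allowed=frozenset()):
    """Return scopes granted more than read access that are not allow-listed."""
    read_only = {"read", "none", "read-all", "{}"}
    return sorted({scope for block in permission_blocks(text)
                   for scope, level in block.items()
                   if level not in read_only and scope not in allowed})
```

On the constructed sample, write_scopes reports only id-token, so a CI gate can allow-list that one scope and fail on any other write grant.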
