Add checks/statuses read permissions to Claude workflow #36

Merged
justin808 merged 1 commit into cpln-flow-terraform from
codex/apply-claude-yml-permissions-20260301
Mar 2, 2026

@justin808 justin808 commented Mar 2, 2026

Applies the workflow update from shakacode/react_on_rails#2487:

  • add checks: read and statuses: read to job permissions
  • pass github_token: ${{ github.token }} to anthropics/claude-code-action
  • add checks: read and statuses: read to additional_permissions

Admin merge requested to keep rollout fast across repos.


Note

Low Risk
Low risk: limited to GitHub Actions permission/config changes for the Claude workflow, with no production code impact. The main consideration is the slightly expanded read-only token surface area for CI metadata.

Overview
Updates the Claude Code GitHub Actions workflow to let the anthropics/claude-code-action read more CI metadata by granting checks: read and statuses: read at the job level.

Also passes github_token: ${{ github.token }} into the action and mirrors the same checks/statuses read scopes in additional_permissions so Claude can fetch check run and status context on PRs.

Written by Cursor Bugbot for commit 6118797.

@justin808 justin808 merged commit f2a371f into cpln-flow-terraform Mar 2, 2026
@justin808 justin808 deleted the codex/apply-claude-yml-permissions-20260301 branch March 2, 2026 00:42

coderabbitai bot commented Mar 2, 2026

Warning

Rate limit exceeded

@justin808 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 28 minutes and 44 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 178d37b and 6118797.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml


claude bot commented Mar 2, 2026

PR Review: Add checks/statuses read permissions to Claude workflow

This is a clean, minimal, and low-risk change. Here's the analysis:

What the PR does

  • Adds checks: read and statuses: read to the job-level permissions block
  • Passes github_token: ${{ github.token }} explicitly to anthropics/claude-code-action
  • Mirrors the same checks/statuses read scopes in additional_permissions

Code Quality & Best Practices ✅

The change follows GitHub Actions best practices well:

  • Least-privilege permissions: all granted permissions are read-only — no write permissions are added
  • Explicit token passing: using ${{ github.token }} (the short-form alias for secrets.GITHUB_TOKEN) is idiomatic and correct
  • Consistency: additional_permissions now mirrors the job-level permissions block, which makes intent clear and avoids confusion if the action uses those scopes independently

Security ✅

No security concerns. All new permissions are read-only scopes on CI metadata:

  • checks: read — allows reading check run results (e.g., test pass/fail)
  • statuses: read — allows reading commit statuses

These are appropriate for a workflow whose job is to let Claude understand CI context on PRs. The job already had actions: read for the same reason, so these are natural extensions.

Potential Issue: Duplicate actions: read in additional_permissions

Minor observation: actions: read appears in both the job-level permissions block (line 26) and again in additional_permissions (line 44). This duplication is harmless but slightly inconsistent — the new checks: read and statuses: read are added to both locations, while actions: read only appears in additional_permissions and not alongside the others. Not a blocker, just worth noting for clarity.

Overall

LGTM. The change is straightforward, well-scoped, and carries no meaningful risk. The PR description accurately describes the intent.
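
An added example, not part of this PR or the repository's code: a small Python check for the consistency point raised in the review above. It flags scopes listed in additional_permissions that the job-level permissions block lacks, and any level other than read. The workflow text is constructed from the PR description, the action ref is a placeholder, and the helper names block and audit are hypothetical.

```python
import re

# Constructed workflow fragment matching the PR description (not the repository's real file).
AFTER = """\
jobs:
  claude:
    permissions:
      contents: read
      actions: read
      checks: read
      statuses: read
    steps:
      - uses: anthropics/claude-code-action@<pinned-ref>
        with:
          github_token: ${{ github.token }}
          additional_permissions: |
            actions: read
            checks: read
            statuses: read
"""
# Same fragment with the two new scopes missing from the job-level block.
DRIFT = AFTER.replace("      checks: read\n      statuses: read\n    steps", "    steps")


def block(text, key):
    """Return {scope: level} for the indented lines under the first `key:` or `key: |`."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"^(\s*){re.escape(key)}:\s*\|?\s*$", line)
        if not m:
            continue
        scopes = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) <= len(m.group(1)):
                break  # a dedent ends the block
            name, _, level = nxt.strip().partition(":")
            scopes[name.strip()] = level.strip()
        return scopes
    return {}


def audit(text):
    job = block(text, "permissions")
    extra = block(text, "additional_permissions")
    return {
        # any scope whose level is not read-only, in either place
        "non_read": sorted({k for d in (job, extra) for k, v in d.items() if v != "read"}),
        # scopes the action asks for that the job token does not carry
        "not_in_job": sorted(k for k in extra if k not in job),
    }
```

Only the first permissions block in the file is inspected, so a workflow with both top-level and per-job blocks needs the job's own block passed in.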
