
Add checks/statuses read permissions to Claude workflow#700

Merged
justin808 merged 1 commit into master from codex/apply-claude-yml-permissions-20260301 on Mar 2, 2026

Conversation

@justin808
Member

@justin808 justin808 commented Mar 2, 2026

Applies the workflow update from shakacode/react_on_rails#2487:

  • add checks: read and statuses: read to job permissions
  • pass github_token: ${{ github.token }} to anthropics/claude-code-action
  • add checks: read and statuses: read to additional_permissions

Admin merge requested to keep rollout fast across repos.


Note

Low Risk
Low risk workflow change that only expands the Claude GitHub Action to read CI check/status data; no production code paths are affected.

Overview
Updates the Claude Code GitHub Actions workflow to let anthropics/claude-code-action@v1 read CI results by adding checks: read and statuses: read to the job permissions and additional_permissions.

Also passes github_token: ${{ github.token }} into the action to enable those GitHub API calls.

Written by Cursor Bugbot for commit 3f6409b.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow configuration to enhance integration capabilities with expanded access permissions for checking build and deployment status information.

@justin808 justin808 merged commit 0ec62b0 into master Mar 2, 2026
@justin808 justin808 deleted the codex/apply-claude-yml-permissions-20260301 branch March 2, 2026 00:42
@coderabbitai

coderabbitai bot commented Mar 2, 2026

Caution

Review failed

The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between 4aa348f and 3f6409b.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

Walkthrough

Expands Claude's access permissions in GitHub Actions by adding reads for checks and statuses. Introduces github_token input to the Claude Run step in the workflow configuration, enabling Claude to read CI results and workflow status information.

Changes

  • GitHub Actions Workflow (.github/workflows/claude.yml): Added checks: read and statuses: read permissions to the top-level and additional_permissions blocks. Introduced the github_token input parameter to the Claude Run step for authenticated access to CI/check/status data.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Poem

🐰 A token hops through workflows bright,
Checks and statuses in plain sight,
Claude now reads the CI's tale,
Permissions granted without fail!


@github-actions

github-actions bot commented Mar 2, 2026

✅ Review app for PR #700 was successfully deleted


@claude

claude bot commented Mar 2, 2026

PR Review: Add checks/statuses read permissions to Claude workflow

Overall assessment: Clean, low-risk change. Looks good.

Summary of changes

  • Adds checks: read and statuses: read to the job-level permissions block
  • Explicitly passes github_token to the action
  • Mirrors those same permissions in the additional_permissions input to claude-code-action

Observations

Minor: Redundancy between job permissions and additional_permissions

actions: read, checks: read, and statuses: read now appear in both the job-level permissions block and in the additional_permissions input to the action. This is intentional (the action uses additional_permissions to know which GitHub API scopes it may exercise), but the duplication could be confusing to future maintainers. A short inline comment explaining why both locations are needed would help.

id-token: write (pre-existing) — Not introduced by this PR, but worth noting: this permission allows the job to mint OIDC tokens. It should only be present if the action actually uses OIDC for authentication. If unused, it is an unnecessarily broad permission. Worth verifying against the action docs.

Explicit github_token pass — Passing the token explicitly is the correct pattern when the action needs to make GitHub API calls using the job's scoped permissions.

Security

All added permissions are read-only (checks: read, statuses: read). No write permissions are introduced, and the token scope is correctly limited to the job level. No security concerns.

Inline comment on .github/workflows/claude.yml (context from the diff):

    claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

    # This is an optional setting that allows Claude to read CI results on PRs
    additional_permissions: |

The additional_permissions block now lists actions: read, checks: read, and statuses: read — all of which are already granted at the job level above. The duplication is intentional (the action uses this input to know which scopes it may call), but a brief comment here would prevent future readers from thinking the entries are accidental or redundant.

Suggested change (replaces the existing additional_permissions: | line):

    # additional_permissions mirrors the job-level permissions so the action
    # knows which GitHub API scopes it is allowed to use at runtime.
    additional_permissions: |
      actions: read
      checks: read
      statuses: read
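To show where the three changes from the PR description and the review above land in a job, here is an added workflow sketch (not the repository's claude.yml). The trigger, the checkout step and the contents/pull-requests/issues scopes are assumptions; only the permission lines, the github_token input and the additional_permissions block come from the PR.

```yaml
# Added example, not the project's own workflow. Trigger and checkout step are assumed.
name: Claude Code

on:
  issue_comment:
    types: [created]        # assumed trigger

jobs:
  claude:
    runs-on: ubuntu-latest
    # Listing a permissions block sets every scope not named here to no access
    # (metadata: read excepted), so this is the complete set the job's token carries.
    permissions:
      contents: read          # assumed pre-existing
      pull-requests: read     # assumed pre-existing
      issues: read            # assumed pre-existing
      id-token: write         # pre-existing per the review; keep only if the action uses OIDC
      actions: read           # pre-existing (already granted at job level per the review)
      checks: read            # added by this PR: read check runs
      statuses: read          # added by this PR: read commit statuses
    steps:
      - uses: actions/checkout@v4   # assumed
      - name: Run Claude Code
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Pass the job's token so the action's GitHub API calls are bounded by
          # the job-level scopes above and nothing broader.
          github_token: ${{ github.token }}
          # Mirrors the job-level permissions: the action uses this input to know
          # which scopes it may exercise, so the two lists must agree.
          additional_permissions: |
            actions: read
            checks: read
            statuses: read
```

If additional_permissions names a scope the job-level block does not grant, the token still lacks it; the job-level block is the effective boundary.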

@github-actions

github-actions bot commented Mar 2, 2026

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:

  • /deploy-review-app: Deploy your PR branch for testing
  • /delete-review-app: Remove the review app when done
  • /help: Show detailed instructions, environment setup, and configuration options.


@greptile-apps

greptile-apps bot commented Mar 2, 2026

Greptile Summary

This PR expands the Claude Code workflow's permissions to read CI check and status data by adding checks: read and statuses: read to both job-level permissions and additional_permissions. It also passes github_token to enable authenticated API calls.

  • Added checks: read and statuses: read to job permissions (lines 27-28)
  • Added github_token: ${{ github.token }} parameter to the action (line 39)
  • Added checks: read and statuses: read to additional_permissions (lines 45-46)

All changes are read-only permissions that enable the Claude action to access CI results without affecting production code or granting write access.

Confidence Score: 5/5

  • This PR is safe to merge with no risk - only adds read-only workflow permissions
  • Perfect score given because the changes are limited to GitHub Actions workflow configuration, all added permissions are read-only (checks: read, statuses: read), the github_token is the standard GitHub Actions token with limited scope, and no production code is modified
  • No files require special attention

Important Files Changed

  • .github/workflows/claude.yml: Added read permissions for checks and statuses, plus the github_token parameter to enable CI results reading. All changes are read-only and safe.

Last reviewed commit: 3f6409b
