Merged
14 changes: 5 additions & 9 deletions .github/workflows/claude.yml
Expand Up @@ -24,6 +24,8 @@ jobs:
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
checks: read
statuses: read
Comment on lines +27 to +28

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -E "(\.github/workflows|PR|pull)" | head -20

Repository: shakacode/react_on_rails

Length of output: 819


🏁 Script executed:

cat -n .github/workflows/claude.yml

Repository: shakacode/react_on_rails

Length of output: 1852


🏁 Script executed:

# Check git history for this file to see recent changes and commit messages
git log --oneline -20 -- .github/workflows/claude.yml

Repository: shakacode/react_on_rails

Length of output: 136


🏁 Script executed:

# Look for PR description or related discussion files
find . -type f -name "*.md" -path "*.*" | xargs grep -l "claude\|workflow\|approval" 2>/dev/null | head -10

Repository: shakacode/react_on_rails

Length of output: 519


Prior maintainer approval required for CI workflow changes.

This repo requires "ask first" before changing files under .github/workflows/. Please provide evidence of prior approval in the PR description or discussion thread (link or quote from maintainer).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 27 - 28, This PR modifies workflow
permissions (the keys "checks: read" and "statuses: read"); before merging, add
explicit evidence of prior maintainer approval to the PR description or linked
discussion (a link or a quoted message from the maintainer), mention that the
approval covers the updated "checks: read" and "statuses: read" permissions, and
note in the PR body that you received that approval and are awaiting
CI/maintainer confirmation before merge.

steps:
- name: Checkout repository
uses: actions/checkout@v4
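
Review bot: the two added entries `checks: read` and `statuses: read` in the job-level permissions block have no comment, while the `actions: read` line directly above them explains itself with `# Required for Claude to read CI results on PRs`. Add a matching trailing comment to each one stating what the action reads through that scope, so a later least-privilege review of this block, which also holds `id-token: write`, can tell which grants are still needed. Both new scopes are read-only.
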
Expand All @@ -34,17 +36,11 @@ jobs:
id: claude
uses: anthropics/claude-code-action@v1
with:
github_token: ${{ github.token }}
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'

checks: read
statuses: read
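
Review bot: on `uses: anthropics/claude-code-action@v1`, the action is referenced by a movable tag while the `with:` block passes it both `${{ github.token }}` and `secrets.CLAUDE_CODE_OAUTH_TOKEN`. Pin the reference to a full commit SHA, with the version kept in a trailing comment, so a retagged release cannot run with those credentials. Separately, with `github_token: ${{ github.token }}` set explicitly, confirm whether the job still needs `id-token: write` and drop it if nothing uses it.
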
Comment on lines 43 to +46

These three permissions (actions: read, checks: read, statuses: read) are already declared at the job level in the permissions block above. Declaring them again in additional_permissions is the existing pattern, but a brief comment explaining why both are needed would help future maintainers understand the intent (e.g., job-level grants the token access; additional_permissions tells the action which scopes to use when making GitHub API calls).
