
Add checks/statuses read permissions to Claude workflow#24

Merged: justin808 merged 1 commit into main from codex/apply-claude-yml-permissions-20260301 on Mar 2, 2026

@justin808 (Member) commented Mar 2, 2026

Applies the workflow update from shakacode/react_on_rails#2487:

  • add checks: read and statuses: read to job permissions
  • pass github_token: ${{ github.token }} to anthropics/claude-code-action
  • add checks: read and statuses: read to additional_permissions

Admin merge requested to keep rollout fast across repos.


Note

Low Risk
Low risk workflow-only change that broadens the GitHub token’s read permissions to include checks and statuses and passes the default github.token into the Claude action.

Overview
The Claude Code GitHub Actions workflow now passes github_token: ${{ github.token }} to anthropics/claude-code-action.

It also expands the job and additional_permissions to include checks: read and statuses: read, enabling Claude to read check runs/statuses when operating on PRs.

Written by Cursor Bugbot for commit ad33710.

@justin808 justin808 merged commit aba1d26 into main Mar 2, 2026
@justin808 justin808 deleted the codex/apply-claude-yml-permissions-20260301 branch March 2, 2026 00:42

coderabbitai bot commented Mar 2, 2026

Warning

Rate limit exceeded

@justin808 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 27 minutes and 56 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between c57fddc and ad33710.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

greptile-apps bot commented Mar 2, 2026

Greptile Summary

Expands Claude workflow permissions to include read access for checks and statuses, enabling Claude to view CI check runs and commit statuses when working on PRs. The GitHub token is now explicitly passed to the action.

  • Adds checks: read and statuses: read to job-level permissions
  • Passes github_token: ${{ github.token }} to the Claude action
  • Includes the new permissions in additional_permissions configuration
  • Maintains consistency with existing actions: read permission pattern

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • Simple workflow configuration change that only adds read-only permissions with no security concerns. YAML syntax is valid, changes are consistent with existing patterns, and the permissions are appropriately scoped.
  • No files require special attention

Important Files Changed

Filename: .github/workflows/claude.yml
Overview: Adds read-only permissions for checks and statuses, passes GitHub token to Claude action

Last reviewed commit: ad33710

claude bot commented Mar 2, 2026

PR Review: Add checks/statuses read permissions to Claude workflow

Overall: Clean, low-risk change. LGTM.

Summary of changes

  • Adds checks: read and statuses: read to the job-level permissions block
  • Passes github_token explicitly to anthropics/claude-code-action
  • Mirrors the same two new permissions in the action's additional_permissions parameter

Security

All new permissions are read-only, continuing the least-privilege pattern already established by the existing permissions block. github.token is the standard automatically-scoped token — no elevated credentials are introduced.

Minor observations (non-blocking)

  1. Permission duplication — checks: read and statuses: read are declared both at the job level and inside additional_permissions. The job-level block controls what the GITHUB_TOKEN can do; additional_permissions is an action-specific hint for the Claude action's own tooling. The duplication is harmless and intentional by the action's design, but worth knowing if someone later audits the file.

  2. Pre-existing: pull-requests: read (no write) — Not introduced by this PR, but worth noting: if Claude is expected to post comments in response to being tagged, the action will need pull-requests: write and issues: write at some point. Read-only is fine for a purely passive/diagnostic role.

  3. Trailing blank lines (lines 55-56) — Two extra blank lines at EOF; cosmetically minor.
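
Added example, not part of the PR or of any comment above: a Ruby audit check for the two things the reviews discuss, that every job-level scope stays read-only and that each additional_permissions entry is also granted at job level (treating that mirroring as required is an assumption taken from how this PR applies it). The sample workflow is constructed from the PR description, the action ref is a placeholder, and audit_workflow is a hypothetical helper.

```ruby
require 'yaml'

# Constructed sample based on the PR description; not the repository's actual file.
SAMPLE_WORKFLOW = <<~YAML
  jobs:
    claude:
      permissions:
        contents: read
        pull-requests: read
        actions: read
        checks: read
        statuses: read
      steps:
        - uses: anthropics/claude-code-action@REF_PLACEHOLDER
          with:
            github_token: ${{ github.token }}
            additional_permissions: |
              actions: read
              checks: read
              statuses: read
YAML

# Returns findings: job scopes above read, and additional_permissions entries
# that the job-level token does not grant at the same or a higher level.
def audit_workflow(yaml_text)
  findings = []
  (YAML.safe_load(yaml_text)['jobs'] || {}).each do |job_name, job|
    perms = job['permissions']
    unless perms.is_a?(Hash)
      # Covers a missing block and shorthand such as write-all.
      findings << "#{job_name}: no explicit permissions map (#{perms.inspect})"
      perms = {}
    end
    perms.each do |scope, level|
      findings << "#{job_name}: #{scope} is #{level}, not read-only" unless %w[read none].include?(level)
    end
    (job['steps'] || []).each do |step|
      extra = step.dig('with', 'additional_permissions')
      next unless extra
      (YAML.safe_load(extra) || {}).each do |scope, level|
        granted = perms[scope]
        next if granted == level || granted == 'write'
        findings << "#{job_name}: additional_permissions #{scope}: #{level} not granted at job level (#{granted.inspect})"
      end
    end
  end
  findings
end

puts audit_workflow(SAMPLE_WORKFLOW)
```

An empty result means the file matches the pattern described in this PR; a later change that adds write access or drops a mirrored scope produces one finding per deviation.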
