Add checks/statuses read permissions to Claude workflow #17

Merged
justin808 merged 1 commit into master from codex/apply-claude-yml-permissions-20260301
Mar 2, 2026
@justin808
Member

@justin808 justin808 commented Mar 2, 2026

Applies the workflow update from shakacode/react_on_rails#2487.


Note

Low Risk
Low risk: GitHub Actions workflow-only permission changes expanding read-only access to CI check runs/statuses for the Claude job.

Overview
Allows the claude.yml GitHub Actions job to read PR CI results by adding checks: read and statuses: read to the workflow permissions (and additional_permissions passed to the action), and by passing github_token to anthropics/claude-code-action.

Written by Cursor Bugbot for commit 7497326.

@coderabbitai

coderabbitai bot commented Mar 2, 2026

Warning

Rate limit exceeded

@justin808 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 25 minutes and 53 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between d68d654 and 7497326.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml
@justin808 justin808 merged commit c611560 into master Mar 2, 2026
3 checks passed
@justin808 justin808 deleted the codex/apply-claude-yml-permissions-20260301 branch March 2, 2026 00:45
@greptile-apps

greptile-apps bot commented Mar 2, 2026

Greptile Summary

This PR expands the Claude workflow permissions to include read access for checks and statuses, enabling the action to read CI results on pull requests. The changes are minimal and focused:

  • Added checks: read and statuses: read to job-level permissions
  • Passed github_token to the action for authentication
  • Updated additional_permissions configuration to include the new read permissions

All changes are read-only permissions, posing no security risk. The implementation is consistent across both the job permissions and the action configuration.

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • The changes only add read-only permissions to a GitHub Actions workflow, which cannot introduce bugs or break functionality. The syntax is correct, the implementation is consistent, and the permissions align with the stated purpose of reading CI results.
  • No files require special attention

Important Files Changed

Filename | Overview
.github/workflows/claude.yml | Added read permissions for checks/statuses and passed github_token to enable CI result reading

Last reviewed commit: 7497326

@claude

claude bot commented Mar 2, 2026

PR Review: Add checks/statuses read permissions to Claude workflow

This is a clean, focused, low-risk change. Here is my assessment:

What is changing

  • Adds checks: read and statuses: read to the job-level permissions block
  • Explicitly passes github_token to the action
  • Mirrors the new permissions in the additional_permissions block of the action

Security

All additions are read-only permissions with no elevated write access. This follows the principle of least privilege, only adding what is needed for Claude to observe CI results.

Correctness

  • checks: read grants access to the GitHub Checks API (Actions workflow runs, check suites, check runs)
  • statuses: read grants access to the legacy commit statuses API
  • Passing github_token explicitly ensures the action uses the scoped workflow token (with the restricted permissions declared above) rather than any ambient credential

Minor Observation

The additional_permissions block inside the action config appears to be documentation or intent signaling to the Claude action about what GitHub APIs it may call. It mirrors but does not replace the job-level permissions block. Both are needed and consistent here, so no issue.

Verdict

LGTM. The change is minimal, well-described, and aligns with the referenced pattern from shakacode/react_on_rails#2487.
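
A defender-side check of the two properties the reviews above rely on: that the job-level permissions block grants only read scopes, and that additional_permissions mirrors what the job token actually has. This is an added example, not code from the PR or the repository; the workflow text is a constructed sample (the real claude.yml is not shown on this page), and read_block and audit are hypothetical helper names.

```python
import re

# Constructed sample: the real claude.yml is not shown on the page. Only
# checks/statuses read, github_token and additional_permissions come from the
# PR text; contents: read and the action ref placeholder are assumptions.
SAMPLE_WORKFLOW = """\
jobs:
  claude:
    permissions:
      contents: read
      checks: read
      statuses: read
    steps:
      - uses: anthropics/claude-code-action@<pinned-ref>
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          additional_permissions: |
            checks: read
            statuses: read
"""


def read_block(text, key):
    """Return {scope: level} from the indented lines under `key:` (or `key: |`).

    Minimal indentation reader for this layout, not a general YAML parser.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)" + re.escape(key) + r":\s*\|?\s*$", line)
        if not m:
            continue
        block = {}
        for child in lines[i + 1:]:
            if not child.strip():
                continue
            if len(child) - len(child.lstrip()) <= len(m.group(1)):
                break  # dedent: the block has ended
            scope, _, level = child.strip().partition(":")
            block[scope.strip()] = level.strip()
        return block
    return {}


def audit(text):
    """List write grants and additional_permissions the job token lacks."""
    job = read_block(text, "permissions")
    extra = read_block(text, "additional_permissions")
    findings = [f"job grants {s}: {l}" for s, l in job.items()
                if l not in ("read", "none")]
    findings += [f"additional_permissions {s}: {l} not granted at job level"
                 for s, l in extra.items() if job.get(s) != l]
    return findings
```

An empty list from audit means the sample is read-only and the two blocks agree; each string in a non-empty list names one scope to review.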
