
Add checks/statuses read permissions to Claude workflow#210

Merged
justin808 merged 1 commit into master from codex/apply-claude-yml-permissions-20260301
Mar 2, 2026

Conversation

@justin808
Member

@justin808 justin808 commented Mar 2, 2026

Applies the workflow update from shakacode/react_on_rails#2487:

  • add checks: read and statuses: read to job permissions
  • pass github_token: ${{ github.token }} to anthropics/claude-code-action
  • add checks: read and statuses: read to additional_permissions

Admin merge requested to keep rollout fast across repos.


Note

Low Risk
Low risk workflow-only change that expands GitHub token permissions to read checks/statuses, which could expose additional CI metadata if misused but does not affect application runtime.

Overview
Updates the Claude Code GitHub Actions workflow to let the Claude action read CI results by adding checks: read and statuses: read to the job permissions and to the action’s additional_permissions.

Also passes github_token: ${{ github.token }} into anthropics/claude-code-action@v1 so it can authenticate with these permissions when running.

Written by Cursor Bugbot for commit 73e31d7.

Summary by CodeRabbit

  • Chores
    • Enhanced continuous integration workflow configuration to improve integration with GitHub's CI checks and status tracking systems.
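The job shape the three bullets describe, as an added illustration rather than the repository's own claude.yml: the job-level permissions block carries checks: read and statuses: read, the step passes github_token, and the same two scopes are mirrored in additional_permissions. The trigger events, the checkout step, and the permission entries other than actions, checks, statuses and pull-requests are assumptions; the action's own inputs (github_token, additional_permissions, claude_code_oauth_token) are documented inputs of anthropics/claude-code-action.

```yaml
name: Claude Code

# Assumed triggers; the PR does not show the workflow's on: block.
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

jobs:
  claude:
    runs-on: ubuntu-latest
    # Job-level grant is what actually scopes GITHUB_TOKEN for this run.
    # Everything here is read-only except id-token, which the action
    # needs for its OIDC exchange (assumed, not shown in the PR).
    permissions:
      contents: read
      issues: read
      pull-requests: read   # stays read: commenting uses the OAuth token below
      id-token: write
      actions: read
      checks: read          # added: read check runs
      statuses: read        # added: read commit statuses
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Explicit handoff instead of relying on ambient token access.
          github_token: ${{ github.token }}
          # Mirrors the job-level scopes so the action knows which
          # read scopes it may rely on for CI results.
          additional_permissions: |
            actions: read
            checks: read
            statuses: read
```

Because the job-level permissions block is the effective grant, a reviewer can confirm the blast radius from that block alone: no write scope other than id-token, and a token that expires when the run ends.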

@justin808 justin808 merged commit be7ad26 into master Mar 2, 2026
@justin808 justin808 deleted the codex/apply-claude-yml-permissions-20260301 branch March 2, 2026 00:43
@coderabbitai

coderabbitai bot commented Mar 2, 2026

Caution

Review failed

The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between 1b8859d and 73e31d7.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

Walkthrough

GitHub Actions workflow configuration updated to extend Claude's CI access by adding read permissions for checks and statuses, and introducing a github_token input to the claude-code-action step.

Changes

Cohort / File(s): GitHub Actions Workflow Configuration (.github/workflows/claude.yml)
Summary: Added read permissions for checks and statuses to the workflow job and additional_permissions block. Introduced github_token input parameter to the claude-code-action step.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 The token hops through workflows bright,
With permissions newly won,
Checks and statuses in sight,
Claude's access has begun!
GitHub secrets, safe and tight,


@claude

claude bot commented Mar 2, 2026

Review: Add checks/statuses read permissions to Claude workflow

This is a clean, well-scoped workflow-only change. Here is the assessment:

Correctness

  • Adding checks: read and statuses: read at the job-level permissions block correctly grants the GITHUB_TOKEN those scopes for the entire job. ✓
  • Mirroring them in additional_permissions of the Claude action follows the established pattern from the referenced PR and is consistent with how actions: read was already handled. ✓
  • Explicitly passing github_token: ${{ github.token }} is a good transparency practice — it makes the token handoff visible rather than relying on implicit ambient access. ✓

Security

  • All new permissions are read-only. They expose CI metadata (check runs, commit statuses) but grant no write capability.
  • The GITHUB_TOKEN is already scoped to this repository and expires at the end of the workflow run, bounding any exposure.
  • pull-requests remains read (not write), so Claude cannot post comments via this token — it still relies on CLAUDE_CODE_OAUTH_TOKEN for interactive operations. This is the expected split of responsibilities.

Minor observation (non-blocking)
The additional_permissions block now lists actions: read, checks: read, and statuses: read — all three of which are already declared at the job-level permissions block. There is no functional issue here (the job-level grant is what matters for GITHUB_TOKEN), but it is worth confirming with the anthropics/claude-code-action docs whether additional_permissions serves a distinct purpose (e.g., a secondary OIDC token request) or is purely informational. If it is just documentation/config for the action's own logic, the duplication is fine.

Overall: LGTM. The change is minimal, accurate, and appropriately low-risk.
