
Add checks/statuses read permissions to Claude workflow#934

Merged
justin808 merged 1 commit into main from codex/apply-claude-yml-permissions-20260301 on Mar 2, 2026

Conversation


@justin808 justin808 commented Mar 2, 2026

Applies the workflow update from shakacode/react_on_rails#2487:

  • add checks: read and statuses: read to job permissions
  • pass github_token: ${{ github.token }} to anthropics/claude-code-action
  • add checks: read and statuses: read to additional_permissions

Admin merge requested to keep rollout fast across repos.


Note: Low Risk
Low risk workflow configuration change that only broadens the Claude job’s read-only GitHub permissions and passes the default github.token to the action. Main risk is unintended exposure of additional CI metadata to the action, not code/runtime behavior changes.

Overview
Updates the Claude Code GitHub Actions workflow to let anthropics/claude-code-action read CI check runs and commit statuses.

The job now includes checks: read and statuses: read in both workflow permissions and the action’s additional_permissions, and passes github_token: ${{ github.token }} to the action for authenticated GitHub API access.

Written by Cursor Bugbot for commit fe68ac8.

@justin808 justin808 merged commit a1b64d8 into main Mar 2, 2026
@justin808 justin808 deleted the codex/apply-claude-yml-permissions-20260301 branch March 2, 2026 00:43

coderabbitai bot commented Mar 2, 2026

Warning

Rate limit exceeded

@justin808 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 27 minutes and 2 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 3610214 and fe68ac8.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml


greptile-apps bot commented Mar 2, 2026

Greptile Summary

This PR adds read-only GitHub permissions to the Claude Code workflow to enable reading CI check runs and commit statuses. The changes are minimal and safe:

  • Added checks: read and statuses: read to job-level permissions
  • Passed github_token: ${{ github.token }} to the action for authenticated GitHub API access
  • Added matching permissions to additional_permissions for the claude-code-action

All added permissions are read-only, following the principle of least privilege. The configuration is syntactically correct and consistent across both permission blocks.

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • All changes are read-only permission additions to a workflow file with correct syntax and no logical issues
  • No files require special attention

Important Files Changed

  • .github/workflows/claude.yml: Added read-only permissions (checks: read, statuses: read) at both the job level and the action level, plus the github_token parameter for authenticated API access

Last reviewed commit: fe68ac8


claude bot commented Mar 2, 2026

PR Review

Status: LGTM — This is a minimal, low-risk workflow configuration change.

What the change does

  • Adds checks: read and statuses: read to the job-level permissions block so GitHub provides those scopes to the runner token.
  • Passes github_token explicitly to claude-code-action, enabling authenticated GitHub API calls (check runs, statuses, etc.) via the repository-scoped default token.
  • Mirrors both new permissions in additional_permissions so the action is aware it can use them.

Notes

  1. Principle of least privilege respected — all new permissions are read-only. No write scopes were added.
  2. Token scoping is correct — The default github.token is automatically scoped to the repository and expires when the job finishes, so passing it explicitly here carries no elevated risk.
  3. Duplication between job permissions and additional_permissions is intentional and correct — the job-level block controls what GitHub provides to the runner; additional_permissions tells the action which of those scopes to use when making GitHub API calls.
  4. Pre-existing note (not introduced by this PR): the job currently holds only pull-requests: read. If Claude ever needs to post inline review comments via github_token rather than via its OAuth token, that scope would need to be elevated to pull-requests: write. Worth keeping in mind if that use case arises in future.
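The two permission blocks the reviews describe, together with the least-privilege check the reviewers performed by hand, as an added example; this is not the repository's claude.yml nor code from the PR. The embedded workflow is constructed: the trigger, the runner, the `contents: read` scope and the `@v1` action tag are assumptions, while `checks: read`, `statuses: read`, `pull-requests: read`, `github_token: ${{ github.token }}` and `additional_permissions` are the values the PR discusses. The scanner deliberately avoids a YAML library and only understands the two shapes shown here.

```python
"""Least-privilege check for the permission scopes in a GitHub Actions workflow."""
import re
from typing import Dict, List

# Constructed sample modelled on the change described in this PR (not the
# repository's actual claude.yml). Trigger, runner, `contents: read` and the
# action tag are assumptions; the other scopes and inputs come from the PR.
WORKFLOW_AFTER = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
jobs:
  claude:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      checks: read
      statuses: read
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          github_token: ${{ github.token }}
          additional_permissions: |
            checks: read
            statuses: read
"""

# Same constructed workflow with one write scope slipped in, to show what the check flags.
WORKFLOW_WITH_WRITE = WORKFLOW_AFTER.replace("contents: read", "contents: write")

# A `permissions:` mapping or an `additional_permissions: |` block scalar header.
_HEADER = re.compile(r"^(?P<indent>\s*)(?P<key>permissions|additional_permissions):\s*\|?\s*$")
# One `scope: level` line inside either block.
_SCOPE = re.compile(r"^\s*(?P<scope>[a-z-]+):\s*(?P<level>read|write|none)\s*$")
_RANK = {"none": 0, "read": 1, "write": 2}


def permission_blocks(workflow: str) -> Dict[str, Dict[str, str]]:
    """Return {block_name: {scope: level}} for every permissions-style block.

    Indentation-based scan: a block runs until the first non-blank line whose
    indent is not deeper than the header's. If the same header appears twice
    (e.g. workflow-level and job-level `permissions:`), the later one wins.
    """
    lines = workflow.splitlines()
    blocks: Dict[str, Dict[str, str]] = {}
    i = 0
    while i < len(lines):
        header = _HEADER.match(lines[i])
        if not header:
            i += 1
            continue
        indent = len(header.group("indent"))
        scopes: Dict[str, str] = {}
        i += 1
        while i < len(lines):
            line = lines[i]
            if line.strip() and (len(line) - len(line.lstrip())) <= indent:
                break  # dedented: the block has ended
            scope = _SCOPE.match(line)
            if scope:
                scopes[scope.group("scope")] = scope.group("level")
            i += 1
        blocks[header.group("key")] = scopes
    return blocks


def write_scopes(workflow: str) -> List[str]:
    """List 'block.scope' entries that grant more than read access."""
    return sorted(
        f"{block}.{scope}"
        for block, scopes in permission_blocks(workflow).items()
        for scope, level in scopes.items()
        if level == "write"
    )


def action_scopes_covered(workflow: str) -> bool:
    """True when every scope in additional_permissions is also granted at job level.

    The action can only use what the runner token actually holds, so a scope
    listed under additional_permissions but missing from `permissions:` is a
    misconfiguration, not a grant.
    """
    blocks = permission_blocks(workflow)
    job = blocks.get("permissions", {})
    extra = blocks.get("additional_permissions", {})
    return all(_RANK[job.get(scope, "none")] >= _RANK[level] for scope, level in extra.items())


if __name__ == "__main__":
    print("write scopes (after PR):", write_scopes(WORKFLOW_AFTER))
    print("write scopes (bad variant):", write_scopes(WORKFLOW_WITH_WRITE))
    print("action scopes covered by job:", action_scopes_covered(WORKFLOW_AFTER))
```

`write_scopes` is the check behind the reviewers' "all new permissions are read-only" statement, and `action_scopes_covered` encodes note 3 above: `additional_permissions` tells the action which scopes to use, but only the job-level `permissions:` block actually grants them, so the two blocks must agree.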
