
Add checks/statuses read permissions to Claude workflow#32

Merged
justin808 merged 1 commit into main from codex/apply-claude-yml-permissions-20260301
Mar 2, 2026

Conversation


@justin808 justin808 commented Mar 2, 2026

Applies the workflow update from shakacode/react_on_rails#2487:

  • add checks: read and statuses: read to job permissions
  • pass github_token: ${{ github.token }} to anthropics/claude-code-action
  • add checks: read and statuses: read to additional_permissions

Admin merge requested to keep rollout fast across repos.


Note

Low Risk
Low risk workflow-only change that broadens the GitHub token permissions for the Claude job to read CI check/status metadata.

Overview
Updates the Claude Code GitHub Actions workflow to let the anthropics/claude-code-action read PR CI results by adding checks: read and statuses: read permissions.

Also passes github_token: ${{ github.token }} into the action and mirrors the same permissions under additional_permissions so the action can query check runs/statuses.

Written by Cursor Bugbot for commit a12f31e.

@justin808 justin808 merged commit 1131b6a into main Mar 2, 2026
@justin808 justin808 deleted the codex/apply-claude-yml-permissions-20260301 branch March 2, 2026 00:44

coderabbitai bot commented Mar 2, 2026

Warning

Rate limit exceeded

@justin808 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 26 minutes and 50 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 0918b24 and a12f31e.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml


claude bot commented Mar 2, 2026

PR Review: Add checks/statuses read permissions to Claude workflow

The change is clean, minimal, and correctly scoped. A few observations:

What's Good

  • The permissions follow the principle of least privilege — only read access is requested, not write.
  • Adding checks: read and statuses: read is the correct way to let the action inspect CI results without escalating to broader permissions.
  • Explicitly passing github_token: ${{ github.token }} is a good practice — it makes the token flow explicit rather than relying on ambient environment variables.
  • Mirroring the permissions in both the job-level permissions: block and the action's additional_permissions: input is consistent with how anthropics/claude-code-action expects the configuration.

Minor Observations

  1. Duplicate actions: read declaration - actions: read is already listed at the job level (line 26) with a comment, but the additional_permissions block also includes it (line 44). This is not a bug — the action likely uses this input for its own internal API calls — but it is worth keeping in mind that the two blocks serve different purposes (job-level token vs. the action's own GitHub client).

  2. pull-requests: read vs. write — The job only has pull-requests: read. If a future use case requires Claude to post PR review comments directly (not just read), this will need to be bumped to write. Worth noting for later reference.

  3. id-token: write still present — This permission enables OIDC federation. It's presumably needed for authenticating the OAuth token exchange, but it's the highest-impact permission in the block. No action needed now, just worth confirming this is intentional for the token auth flow.

Security Assessment

Low risk. All new permissions are read-only and scoped to CI metadata. No write permissions were added. The change appropriately mirrors an established pattern from shakacode/react_on_rails#2487.
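A minimal workflow in the shape the PR description and the review above describe, added here as an illustration and not the repository's own claude.yml: the job-level permissions block (where the review notes actions: read, pull-requests: read and id-token: write already sit) beside the action's github_token input and its mirrored additional_permissions. The trigger, the checkout step, contents: read and the claude_code_oauth_token secret name are assumptions.

```yaml
name: Claude Code

# Assumed trigger; the page does not show the real one.
on:
  issue_comment:
    types: [created]

jobs:
  claude:
    runs-on: ubuntu-latest
    # Job-level grants decide what github.token can do at all.
    permissions:
      contents: read          # assumed: needed to check out the repository
      pull-requests: read     # read only; bump to write only if Claude must post reviews itself
      actions: read           # lets the action read workflow-run metadata
      checks: read            # added by this PR: read check-run results
      statuses: read          # added by this PR: read commit statuses
      id-token: write         # OIDC; the one write grant in the block, confirm it is intended
    steps:
      - uses: actions/checkout@v4   # assumed step
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}  # assumed secret name
          # Pass the token explicitly instead of relying on the ambient environment.
          github_token: ${{ github.token }}
          # Mirror the read grants in the action's own permission request; this
          # block and the job-level one serve different purposes (see the review).
          additional_permissions: |
            actions: read
            checks: read
            statuses: read
```

The check a reviewer applies to this file is the one in the review above: every job-level entry other than id-token is read, and nothing under additional_permissions is broader than what the job-level block grants.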
