Copilot AI commented Dec 26, 2025

Summary

  • Moved permissions: block from job level to workflow level in claude-code-review.yml
  • Changed pull-requests: read to pull-requests: write to allow commenting on PRs

Problem

  1. The workflow was failing with errors fetching the OIDC token due to missing ACTIONS_ID_TOKEN_REQUEST_URL environment variable. Job-level permissions don't always properly propagate this for actions that require OIDC tokens.
  2. The workflow uses gh pr comment which requires write access to pull requests.

Solution

  • Move permissions to workflow level (below on: and above jobs:)
  • Grant pull-requests: write instead of read to enable commenting

🤖 Generated with Claude Code

Move the `permissions:` block from the job level to the workflow level
to ensure the OIDC token is available for the claude-code-action.

Job-level permissions may not properly propagate the ACTIONS_ID_TOKEN_REQUEST_URL
environment variable needed for id-token: write to function correctly.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

@thomhurst force-pushed the copilot/fix-oidc-token-permissions branch from 6d13815 to d76ab27 on December 27, 2025 16:23
@thomhurst changed the title from "[WIP] Fix OIDC token permission configuration in workflow" to "fix: move permissions to workflow level for OIDC token access" on Dec 27, 2025
@thomhurst marked this pull request as ready for review December 27, 2025 16:23

The workflow uses `gh pr comment` which requires write access to
pull requests, not just read access.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

@thomhurst merged commit 618593f into main Dec 27, 2025
10 of 13 checks passed
@thomhurst deleted the copilot/fix-oidc-token-permissions branch December 27, 2025 16:27
This was referenced Dec 29, 2025
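
An added example, not code from this PR or the project: a small model of how GitHub Actions resolves `GITHUB_TOKEN` permissions, used to check which jobs hold the two scopes the PR discusses before and after a `permissions:` block moves to workflow level. The sample workflows, the job names `review`, `lint` and `docs`, and the `contents: read` entries are constructed assumptions.

```python
# Added example: models how GitHub Actions resolves GITHUB_TOKEN permissions.
# Workflows are plain dicts (the shape a YAML parser returns); data is constructed.

LEVELS = {"none": 0, "read": 1, "write": 2}


def effective_permissions(workflow, job_id):
    """A job-level mapping replaces the workflow-level one wholesale, and any
    scope omitted from the mapping in force is 'none'."""
    job = workflow["jobs"][job_id]
    block = job.get("permissions", workflow.get("permissions"))
    if not isinstance(block, dict):
        # Absent block (repository defaults) or read-all/write-all shorthand.
        raise ValueError("only explicit permission mappings are modelled")
    return dict(block)


def missing_scopes(workflow, job_id, required):
    """Required scopes that the job's token would lack."""
    granted = effective_permissions(workflow, job_id)
    return sorted(s for s, lvl in required.items()
                  if LEVELS[granted.get(s, "none")] < LEVELS[lvl])


def jobs_granted(workflow, scope, level="write"):
    """Every job whose token holds `scope` at `level` or above."""
    return sorted(j for j in workflow["jobs"]
                  if LEVELS[effective_permissions(workflow, j).get(scope, "none")]
                  >= LEVELS[level])


# Scopes the PR description says the review job needs.
REQUIRED = {"id-token": "write", "pull-requests": "write"}

# Constructed "before": job-level block, pull-requests still read-only.
BEFORE = {"jobs": {"review": {"permissions": {
    "contents": "read", "pull-requests": "read", "id-token": "write"}}}}

# Constructed "after": block moved to workflow level. `lint` and `docs` are
# hypothetical extra jobs; `docs` keeps its own narrower block.
AFTER = {
    "permissions": {"contents": "read", "pull-requests": "write",
                    "id-token": "write"},
    "jobs": {"review": {}, "lint": {},
             "docs": {"permissions": {"contents": "read"}}},
}

if __name__ == "__main__":
    print(missing_scopes(BEFORE, "review", REQUIRED), jobs_granted(AFTER, "id-token"))
```

In the constructed "after" workflow, `jobs_granted(AFTER, "id-token")` includes `lint` as well as `review`: a workflow-level block applies to every job that does not declare its own, while `docs` stays narrow because its job-level block takes precedence.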