From d76ab2761744aefd6d17401d3e2f130f4042b4ce Mon Sep 17 00:00:00 2001
From: Tom Longhurst <30480171+thomhurst@users.noreply.github.com>
Date: Sat, 27 Dec 2025 16:22:47 +0000
Subject: [PATCH 1/2] fix: move permissions to workflow level for OIDC token access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move the `permissions:` block from the job level to the workflow level to ensure the OIDC token is available for the claude-code-action. Job-level permissions may not properly propagate the ACTIONS_ID_TOKEN_REQUEST_URL environment variable needed for id-token: write to function correctly.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/claude-code-review.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 8452b0f2ff..5467a9d47f 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -10,6 +10,12 @@ on:
 # - "src/**/*.js"
 # - "src/**/*.jsx"
 
+permissions:
+  contents: read
+  pull-requests: read
+  issues: read
+  id-token: write
+
 jobs:
   claude-review:
     # Optional: Filter by PR author
@@ -19,11 +25,6 @@ jobs:
     # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
 
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
 
     steps:
       - name: Checkout repository

From 0650ab3335df719ede5e35c14ca217cf29a3536d Mon Sep 17 00:00:00 2001
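Review bot: Placing `permissions:` at the workflow level (the `+permissions:` block in the first hunk) grants `id-token: write` and the other scopes to every job in this file, not only to `claude-review`, which widens the token beyond the one job that needs it; the rest of the workflow is outside the hunk, so I cannot tell whether other jobs exist today, but any job added later inherits these scopes silently. As far as I know, job-level `id-token: write` is the documented way to request an OIDC token and does expose the token request URL to that job, so the rationale in the commit message may not be the real cause; if this workflow runs on `pull_request` for a PR from a fork, the token is read-only and no OIDC token is issued regardless of where the block sits (the trigger is not visible here). If the workflow-level placement is kept, I would record the trade-off directly above it: `# Workflow-level: these scopes apply to EVERY job in this file; keep it single-job or move id-token: write back to the job that runs claude-code-action`.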
From: Tom Longhurst <30480171+thomhurst@users.noreply.github.com>
Date: Sat, 27 Dec 2025 16:24:10 +0000
Subject: [PATCH 2/2] fix: grant pull-requests write permission for commenting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The workflow uses `gh pr comment` which requires write access to pull requests, not just read access.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/claude-code-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 5467a9d47f..7d48e5bbb4 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -12,7 +12,7 @@ on:
 
 permissions:
   contents: read
-  pull-requests: read
+  pull-requests: write
   issues: read
   id-token: write
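Review bot: `pull-requests: write` is now workflow-wide, so a token that can create and edit PR comments, reviews and labels is issued to every job and every step, including the step that runs an AI review action over PR content authored outside the repository; a write-capable token plus untrusted input is the main risk to manage in review-bot workflows, so I would scope this block to the job that needs it and confirm the action is pinned to a commit SHA (the `steps:` are outside this hunk). If the trigger is `pull_request` and the PR comes from a fork, the token is read-only anyway and `gh pr comment` will still fail for those PRs, so the fix only helps same-repository branches; the trigger is not visible here, so treat that as something to verify. Either way the reason for the elevated scope should be recorded inline so it is not quietly widened further later: `  pull-requests: write  # required by gh pr comment; read is not enough`.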