
Add checks/statuses read permissions to Claude workflow#12

Merged
justin808 merged 1 commit into main from codex/apply-claude-yml-permissions-20260301
Mar 2, 2026


@justin808 justin808 commented Mar 2, 2026

Applies the workflow update from shakacode/react_on_rails#2487:

  • add checks: read and statuses: read to job permissions
  • pass github_token: ${{ github.token }} to anthropics/claude-code-action
  • add checks: read and statuses: read to additional_permissions

Admin merge requested to keep rollout fast across repos.


Note

Low Risk
Low risk workflow-permissions change; it only expands the GitHub token scope to read checks/statuses so the Claude action can view CI results.

Overview
Updates the Claude Code GitHub Actions workflow to let anthropics/claude-code-action read CI check runs and commit statuses.

This adds checks: read and statuses: read to the job permissions and the action’s additional_permissions, and passes github_token: ${{ github.token }} into the action.

Written by Cursor Bugbot for commit 44ffbf3.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow permissions to enhance pull request CI integration and status visibility.

@justin808 justin808 merged commit becdb80 into main Mar 2, 2026
@justin808 justin808 deleted the codex/apply-claude-yml-permissions-20260301 branch March 2, 2026 00:40

coderabbitai Bot commented Mar 2, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 61dd2ca and 44ffbf3.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

Walkthrough

The .github/workflows/claude.yml file is updated to grant the Claude Code Action enhanced permissions for reading GitHub CI checks and statuses. The GitHub token is now explicitly passed to the Claude step, enabling it to access build results from pull requests.

Changes

Cohort / File(s): GitHub Actions Workflow Configuration (.github/workflows/claude.yml)
Summary: Added checks: read and statuses: read permissions to job permissions and claude step's additional_permissions block. Introduced github_token: ${{ github.token }} parameter to the claude action step to enable token-based access.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Claude hops deeper into the garden's code,
With tokens in paw and permissions bestowed,
Checks and statuses now in view,
The rabbit's assistant sees workflows anew! 🌿✨



claude Bot commented Mar 2, 2026

PR Review: Add checks/statuses read permissions to Claude workflow

Summary: This is a clean, minimal, and low-risk workflow permissions change. The additions are consistent with existing patterns in the file.

What looks good

  • Minimal permission scope: Adding only checks: read and statuses: read follows the principle of least privilege — these are read-only scopes.
  • Consistency: The new permissions are correctly added in both places — the job-level permissions block and the additional_permissions input to claude-code-action. This mirrors how actions: read was handled.
  • Explicit token passing: Adding github_token: ${{ github.token }} is good practice; it makes the token dependency explicit rather than implicit.

Minor observations

  1. Possible redundancy in additional_permissions: The additional_permissions input to anthropics/claude-code-action lists scopes that are already present in the job-level permissions block (actions: read, checks: read, statuses: read). Whether this is truly redundant depends on how the action uses additional_permissions internally (e.g., requesting a scoped fine-grained token via OIDC). If additional_permissions is just documentation/config for the action to know what it can use, the duplication is harmless. Worth verifying in the action docs that this is the intended usage pattern.

  2. Trailing blank lines: The file ends with two blank lines (lines 55–56). Not a blocker, but a minor nit.

Verdict

The change is straightforward and correctly scoped. Low risk, approves the intent and implementation.

additional_permissions: |
actions: read
checks: read
statuses: read
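
Review bot: on the additional_permissions block, nothing next to the three scopes says whether they are meant to mirror the job-level permissions or to be an independent request, so a later edit to one list can leave the other behind unnoticed. Suggest a YAML comment above additional_permissions stating that its entries are kept in step with the job's permissions block, and keeping every entry at read as it is here.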

Possible redundancy: actions: read, checks: read, and statuses: read are already granted at the job level via the permissions block above. This additional_permissions input likely informs the Claude action which scopes it may use when constructing its own GitHub API calls — so the duplication is probably intentional. Confirm with the claude-code-action docs that this is the expected pattern.


greptile-apps Bot commented Mar 2, 2026

Greptile Summary

Expanded GitHub Actions workflow permissions to allow the Claude Code action to read CI check runs and commit statuses. The changes add checks: read and statuses: read permissions at both the job level and in the action's additional_permissions configuration, and pass the github_token to the action.

  • Added read-only permissions for checks and statuses (safe permission expansion)
  • Passed github_token to the action to enable use of these permissions
  • Changes are consistent with the existing pattern for actions: read permission

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • The changes only add read-only permissions to the workflow, following established patterns. No logic changes, no security concerns, and the modifications are straightforward and well-documented.
  • No files require special attention

Important Files Changed

Filename: .github/workflows/claude.yml
Overview: Added read-only permissions for checks and statuses to enable Claude action to view CI results

Last reviewed commit: 44ffbf3
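
An added example (not part of this PR, the repository, or claude-code-action): a standard-library check for the consistency the reviews above point at, namely that every scope named in additional_permissions is also granted in the job's permissions block at the same level and is read-only. The workflow text is constructed; the job name, runner and `<ref>` placeholder are assumptions, and the parser only reads the first block-style occurrence of each key.

```python
import re
# Constructed sample (job name, runner and <ref> are assumptions, not the real file).
SAMPLE_WORKFLOW = """\
jobs:
  claude:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      checks: read
      statuses: read
    steps:
      - uses: anthropics/claude-code-action@<ref>
        with:
          github_token: ${{ github.token }}
          additional_permissions: |
            actions: read
            checks: read
            statuses: read
"""

def block_scopes(text, key):
    """Return {scope: level} from the first indented block under `key:` or `key: |`."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)" + re.escape(key) + r":\s*\|?\s*$", line)
        if not m:
            continue
        scopes = {}
        for child in lines[i + 1:]:
            if child.strip() and len(child) - len(child.lstrip()) <= len(m.group(1)):
                break  # dedent: the block has ended
            pair = re.match(r"^\s*([\w-]+):\s*([\w-]+)\s*$", child)
            if pair:
                scopes[pair.group(1)] = pair.group(2)
        return scopes
    return {}

def audit(text):
    """List mismatches between the job permissions and additional_permissions."""
    job = block_scopes(text, "permissions")
    findings = []
    for scope, level in sorted(block_scopes(text, "additional_permissions").items()):
        if level != "read":
            findings.append(f"{scope}: requests '{level}', expected read")
        if job.get(scope) != level:
            findings.append(f"{scope}: job grants {job.get(scope)!r}, action asks {level!r}")
    return findings

print(audit(SAMPLE_WORKFLOW) or "consistent")
```

An empty list means the two blocks agree; run it over the workflow file's text in CI to catch one list being edited without the other.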
