Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

PR Review: Add checks/statuses read permissions to Claude workflow

Note: This PR has already been merged. Feedback below is for documentation purposes.

Summary

This is a clean, low-risk workflow-only change. The additions are correct and consistent with how the action is configured.

What looks good

• Minimal scope: Only read permissions are added — no write access escalation.
• Consistent pattern: Follows the same pattern as the existing actions: read permission.
• Explicit token passing: Passing github_token: ${{ github.token }} explicitly makes the authentication flow clearer.
• Cross-repo consistency: Syncing from shakacode/react_on_rails#2487 is a sound practice.

Minor observations

1. Missing inline comments on new permissions: The existing actions: read line has a comment (# Required for Claude to read CI results on PRs) but the new checks: read and statuses: read lines do not. Adding similar comments would improve readability and help future maintainers understand why each permission exists.

2. Apparent duplication between permissions: and additional_permissions:: actions: read, checks: read, and statuses: read appear in both the job-level permissions: block and the additional_permissions action input. This is likely intentional — the job-level block grants the token actual permissions, while additional_permissions may be used by the action internally (e.g., for OIDC token requests or self-documentation). Worth confirming this is the intended design with the action's docs to avoid confusion.

3. Trailing blank lines: Two trailing blank lines at the end of the file — cosmetic only.

Overall: Approved — the change is correct and safe.

Greptile Summary

This PR expands the GitHub token permissions for the Claude Code workflow by adding checks: read and statuses: read — two read-only permissions that allow the action to inspect CI check runs and commit statuses. It also explicitly passes github_token: ${{ github.token }} into anthropics/claude-code-action@v1 so the action can use the workflow token when querying GitHub APIs.

• Adds checks: read and statuses: read to the job-level permissions block alongside the already-present actions: read.
• Adds the same two permissions to the additional_permissions input of the Claude action, keeping both lists in sync.
• Passes github_token: ${{ github.token }} to the action — the token's scope is constrained by the job's permissions block, so this does not grant any write access beyond what was already present.
• All new permissions are read-only; the broader id-token: write permission that enables OIDC was already in place before this PR.

Confidence Score: 5/5

• This PR is safe to merge; it only adds read-only GitHub API permissions and passes the scoped workflow token to the action.
• The change is minimal (6 lines added, 0 deleted in a single YAML file), all new permissions are strictly read-only, and the github_token passed to the action is bounded by the job's permissions block. There are no write-permission escalations and no changes to secrets handling.
• No files require special attention.

Important Files Changed

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Event triggered] -->|comment contains @claude| B[Claude Workflow runs]
    B --> C[Scoped workflow token issued\nwith read-only permissions]
    C --> D[claude-code-action receives\nworkflow token + OAuth token]
    D --> E{Reads CI data via\nGitHub REST API}
    E --> F[Check runs - NEW]
    E --> G[Commit statuses - NEW]
    E --> H[Actions runs - existing]
    F & G & H --> I[Claude generates response\nand posts to PR or issue]

_{Last reviewed commit: 845c524}