Skip to content
Merged
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
95 changes: 95 additions & 0 deletions .github/workflows/claude.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
paths:
- "src/**"
- "tests/**"
pull_request_review:
types: [submitted]

jobs:
claude-review:
runs-on: ubuntu-latest
timeout-minutes: 15
concurrency:
group: claude-review-${{ github.event.pull_request.number }}
cancel-in-progress: true
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read
Comment on lines +24 to +29

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

find .github -name "claude.yml" -type f

Repository: plastic-labs/honcho

Length of output: 91


🏁 Script executed:

cat -n .github/workflows/claude.yml | head -100

Repository: plastic-labs/honcho

Length of output: 4335


🌐 Web query:

anthropics/claude-code-action GitHub OIDC id-token requirements

💡 Result:

For anthropics/claude-code-action, the GitHub Actions OIDC id-token permission is only required when the action is using OIDC-based authentication (not when you explicitly pass a GitHub token).

When you DO need permissions: id-token: write

1) Using the default Claude GitHub App authentication (OIDC)

If you rely on the Claude GitHub App’s default auth flow, your workflow/job must grant OIDC token minting:

permissions:
  id-token: write

Otherwise runs fail with an OIDC error like “Unable to get ACTIONS_ID_TOKEN_REQUEST_URL … Did you remember to add id-token: write…”. [1]

This exact missing-permission failure has been reported as a critical issue for generated workflows. [2]

2) Using cloud-provider OIDC (AWS Bedrock / Google Vertex AI)

If you authenticate to AWS/GCP from GitHub Actions via Workload Identity/OIDC (as Anthropic’s docs describe for Bedrock/Vertex setups), you will also need id-token: write for those OIDC federation steps. [3]

When you DON’T need id-token: write

If you provide a github_token input (PAT or GitHub App installation token) and don’t use the OIDC-based default flow, you can avoid the OIDC id-token requirement. [1]


Sources:
[1] claude-code-action FAQ (OIDC errors / id-token: write vs github_token input) https://git.homeinfra.org/actions/claude-code-action/src/tag/v0.0.35/FAQ.md
[2] GitHub issue: missing id-token: write causes OIDC failure anthropics/claude-code-action#625
[3] Anthropic docs (Bedrock/Vertex prerequisites include GitHub OIDC / Workload Identity) https://docs.anthropic.com/en/docs/claude-code/github-actions


Remove id-token: write from both job permissions blocks.

The anthropics/claude-code-action is configured with an explicit claude_code_oauth_token, not relying on GitHub's default OIDC authentication. Since an OAuth token is provided directly, the id-token: write permission is unnecessary and can be removed to tighten least-privilege access.

♻️ Changes required at lines 24-29 and 68-73
     permissions:
       contents: read
       pull-requests: read
       issues: read
-      id-token: write
       actions: read
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read
permissions:
contents: read
pull-requests: read
issues: read
actions: read
🤖 Prompt for AI Agents
In @.github/workflows/claude.yml around lines 24 - 29, Remove the unnecessary
id-token: write permission from the workflow's job permissions blocks: locate
the permissions map(s) containing keys like contents, pull-requests, issues,
id-token, actions and delete the id-token: write entry in each block (the
workflow uses explicit claude_code_oauth_token so OIDC id-token is not needed)
while keeping the other permissions intact to enforce least-privilege.


steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
Comment thread
VVoruganti marked this conversation as resolved.
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options

Comment thread
coderabbitai[bot] marked this conversation as resolved.
claude:
if: |
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
contains(github.event.comment.body, '@claude') &&
(github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR')) ||
(github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
(github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR')) ||
(github.event_name == 'pull_request_review' &&
contains(github.event.review.body, '@claude') &&
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR'))
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
Comment thread
Rajat-Ahuja1997 marked this conversation as resolved.
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'
Loading