Add workflow-level permissions for Claude Code actions

[justin808]

Summary

• Added workflow-level id-token: write permission to both Claude workflows
• Fixes OIDC authentication error: "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable"

Problem

The Claude Code GitHub Action was failing with OIDC token errors because GitHub Actions requires permissions at the workflow level for OIDC token generation, not just at the job level.

Solution

Added permissions block at the workflow level (before the jobs section) in:

• .github/workflows/claude.yml
• .github/workflows/claude-code-review.yml

Test Plan

• Verify CI passes on this PR
• Confirm Claude Code action can authenticate successfully

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated GitHub workflow configurations to refine permissions for automated processes.

[coderabbitai]

Walkthrough

Two GitHub workflow files receive top-level permissions blocks granting read access to contents, pull-requests, and issues, plus write access to id-token. The first workflow additionally grants read access to actions. Existing per-job permissions remain unchanged.

Changes

Cohort / File(s)	Summary
Workflow permissions ​.github/workflows/claude-code-review.yml, ​.github/workflows/claude.yml	Added top-level permissions blocks granting contents, pull-requests, and issues read access; id-token write access (claude.yml also grants actions read access). Per-job permissions left intact.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A rabbit hops through workflows bright,
Permissions granted left and right,
Read this, write that, all set to go,
Security blooming, watch it grow!
–CR 🔐✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "Add workflow-level permissions for Claude Code actions" directly and accurately reflects the main change in the changeset. Both modified workflow files (.github/workflows/claude.yml and .github/workflows/claude-code-review.yml) have workflow-level permissions blocks added to address OIDC authentication requirements. The title is specific and clear—it identifies both the action being performed (adding permissions) and the scope (workflow-level for Claude Code actions)—without vague language or unnecessary noise. A teammate scanning the repository history would immediately understand that this PR introduced workflow-level permission configurations for Claude Code workflows.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch justin808/fix-claude-action-oidc

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f43bd34 and f57ceb3.

📒 Files selected for processing (2)

• .github/workflows/claude-code-review.yml (1 hunks)
• .github/workflows/claude.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/claude-code-review.yml
• .github/workflows/claude.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: rails_8
• GitHub Check: rails_7_2
• GitHub Check: rails_6_1

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/claude.yml (1)

47-48: Redundant permissions configuration.

The additional_permissions: actions: read (lines 47–48) duplicates the workflow-level permissions.actions: read (line 18). You can remove this block since the permission is already granted at the workflow level and inherited by the job.

Apply this diff to remove the redundant block:

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          
-          # This is an optional setting that allows Claude to read CI results on PRs
-          additional_permissions: |
-            actions: read

          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a1a7dd6 and f43bd34.

📒 Files selected for processing (6)

• .github/FUNDING.yml (1 hunks)
• .github/workflows/claude-code-review.yml (1 hunks)
• .github/workflows/claude.yml (1 hunks)
• .github/workflows/ruby.yml (1 hunks)
• README.md (1 hunks)
• cypress-on-rails.gemspec (1 hunks)

🔇 Additional comments (8)

.github/FUNDING.yml (1)

1-1: Configuration syntax is correct.

This GitHub funding configuration is properly formatted and will correctly display sponsorship links for the shakacode organization.

README.md (1)

1-3: Deprecation notice is clear and user-facing.

The prominent deprecation messaging at the top directs users to the new cypress_on_rails gem with a direct link. This aligns with the gemspec changes and provides clear migration guidance.

.github/workflows/claude-code-review.yml (2)

13-17: Workflow-level OIDC permissions correctly configured.

The id-token: write permission is present at the workflow level (lines 13–17) as required for the Claude Code action to authenticate via OIDC. This addresses the PR objective.

---

40-62: Claude action invocation is well-scoped.

The workflow properly restricts claude_args to safe GitHub CLI commands (lines 60–62), limiting the action to read PR/issue data and post comments. The prompt structure is clear with actionable review criteria.

One minor note: Line 56 references a CLAUDE.md file for guidance—verify this file exists in the repository, or the reference will not provide value.

.github/workflows/claude.yml (2)

13-18: Workflow-level OIDC and actions permissions correctly configured.

The id-token: write permission is present at the workflow level (line 17) as required for OIDC authentication. The actions: read permission (line 18) allows Claude to inspect CI results on PRs.

---

22-26: Conditional logic properly guards event-driven execution.

The conditional ensures the Claude job only runs when @claude is mentioned in comments, reviews, or issue bodies, preventing unnecessary invocations and reducing noise.

.github/workflows/ruby.yml (1)

39-40: Verify intentionality of bundler version downgrade.

Rails 7.2 and Rails 8 are downgrading to bundler < 2 (lines 39–40 and 58–59), which is unusual since both Rails versions and the associated Ruby versions support bundler 2.x. Verify that this downgrade is necessary for project-specific constraints (e.g., legacy Gemfile lock format or gemspec requirements).

Also applies to: 58-59

cypress-on-rails.gemspec (1)

11-22: Clear deprecation messaging with actionable next steps.

The updated summary, description, and post-install message consistently communicate the deprecation and direct users to the new cypress_on_rails gem with a direct link. This aligns with the README deprecation notice and provides a seamless user experience across installation, documentation, and gem metadata.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify external test script paths exist.

Each job references an external shell script (./specs_e2e/rails_[version]/test.sh, lines 23, 42, 61). Ensure these scripts exist in the repository and are executable. If not present, the workflow will fail at runtime.

Also applies to: 42-42, 61-61

---

🏁 Script executed:

#!/bin/bash
# Verify test script paths exist
for script in ./specs_e2e/rails_6_1/test.sh ./specs_e2e/rails_7_2/test.sh ./specs_e2e/rails_8/test.sh; do
  if [ -f "$script" ]; then
    echo "✓ $script exists"
  else
    echo "✗ $script MISSING"
  fi
done

Length of output: 117

---

I need to explore the directory structure further to understand the full scope of this issue.

---

🏁 Script executed:

#!/bin/bash
# Explore specs_e2e directory structure
echo "=== Directory listing of specs_e2e (if exists) ==="
if [ -d "./specs_e2e" ]; then
  find ./specs_e2e -type f -name "*.sh" 2>/dev/null | head -20
  echo ""
  echo "=== Full specs_e2e structure ==="
  ls -la ./specs_e2e/ 2>/dev/null || echo "Directory exists but no contents"
else
  echo "specs_e2e directory does not exist"
fi
echo ""
echo "=== Check .github/workflows/ruby.yml content ==="
cat .github/workflows/ruby.yml 2>/dev/null | head -80

Length of output: 1635

---

Create missing test scripts or update workflow paths.

The specs_e2e directory and all three referenced test scripts do not exist in the repository:

• ./specs_e2e/rails_6_1/test.sh (line 23)
• ./specs_e2e/rails_7_2/test.sh (line 42)
• ./specs_e2e/rails_8/test.sh (line 61)

The workflow will fail at runtime when these steps execute. Either create the missing scripts and directory structure, provide correct paths if they exist elsewhere, or remove these steps from the workflow.

🤖 Prompt for AI Agents

.github/workflows/ruby.yml lines ~23, 42, 61: the workflow references three
missing scripts (./specs_e2e/rails_6_1/test.sh, ./specs_e2e/rails_7_2/test.sh,
./specs_e2e/rails_8/test.sh) which will cause CI failures; fix by either (A)
creating the specs_e2e directory and the three test.sh scripts with executable
permissions and committing them, (B) updating the workflow to point to the
correct existing script paths if they live elsewhere, or (C) removing or
disabling these steps from the workflow if the tests are not needed, and then
run the workflow locally or via a dry-run to verify paths execute successfully
before pushing.

[justin808]

@claude review this PR

[claude]

Claude finished @justin808's task —— View job

---

Review of PR #206: Add workflow-level permissions for Claude Code actions

Todo List

• Read changed workflow files
• Check for CLAUDE.md file existence
• Analyze permission changes
• Review security implications
• Provide comprehensive feedback

---

Code Review Findings

Summary

This PR adds workflow-level OIDC permissions to fix authentication errors in the Claude Code GitHub Actions. The changes are functionally correct and address the stated problem, but there are some issues to address.

Scope Mismatch Issue ⚠️

The PR title and description do not match the actual changes. According to the changed files list, only 2 files were modified:

• .github/workflows/claude-code-review.yml
• .github/workflows/claude.yml

However, the commit f43bd34 shows 4 files were created/modified:

• .github/FUNDING.yml (NEW)
• .github/workflows/claude-code-review.yml (NEW)
• .github/workflows/claude.yml (NEW)
• .github/workflows/ruby.yml (NEW)

Issue: The PR description states "Changed Files: 2 files" but the commit added 4 files including a CI workflow and funding configuration that are unrelated to OIDC permissions.

---

Detailed Review

1. Permissions Fix (Primary Goal) ✅

.github/workflows/claude-code-review.yml:13-17 and .github/workflows/claude.yml:13-18

The workflow-level id-token: write permission has been correctly added:

permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write

This properly fixes the OIDC authentication error mentioned in the PR description. GitHub Actions requires id-token: write at the workflow level for OIDC token generation, not just at the job level.

Verdict: ✅ Correct implementation

---

2. Redundant Permission Configuration ⚠️

.github/workflows/claude.yml:47-48

There's a redundant additional_permissions block:

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
  actions: read

This duplicates the workflow-level permission already set at line 18:

permissions:
  ...
  actions: read

Recommendation: Remove the additional_permissions block since the permission is inherited from the workflow level. The comment at line 46 is also misleading since it says "optional" when it's already granted.

Location: .github/workflows/claude.yml:46-48

---

3. Missing CLAUDE.md File ⚠️

.github/workflows/claude-code-review.yml:56

The workflow references a CLAUDE.md file:

Use the repository's CLAUDE.md for guidance on style and conventions.

However, my search found no CLAUDE.md file exists in the repository. This means Claude will not have the guidance referenced in the prompt.

Recommendation: Either:

• Create a CLAUDE.md file with repo-specific coding standards and conventions
• Or remove this line from the prompt

Location: .github/workflows/claude-code-review.yml:56

---

4. Unrelated Files in Commit ❌

The commit adds files unrelated to the PR's stated purpose:

.github/FUNDING.yml - GitHub funding configuration
.github/workflows/ruby.yml - Full CI workflow for Rails 6.1, 7.2, and 8

These should be in separate PRs:

• Funding configuration is administrative metadata
• The Ruby CI workflow is a substantial addition with its own testing concerns

Critical Issue in ruby.yml: The test scripts referenced don't exist:

• ./specs_e2e/rails_6_1/test.sh (line 23)
• ./specs_e2e/rails_7_2/test.sh (line 42)
• ./specs_e2e/rails_8/test.sh (line 61)

These will cause CI failures when the workflow runs.

Recommendation: Split this PR into three separate PRs:

1. OIDC permissions fix (current PR scope)
2. Add funding configuration
3. Add Ruby CI workflow (after creating the test scripts)

---

5. Security Review ✅

The permission grants are appropriate and follow the principle of least privilege:

Workflow-level permissions:

• contents: read - Safe, read-only access
• pull-requests: read - Safe, read-only access
• issues: read - Safe, read-only access
• id-token: write - Required for OIDC, scoped appropriately
• actions: read - Safe, allows reading CI results

claude_args restrictions (.github/workflows/claude-code-review.yml:62):
The allowed tools are properly restricted to read-only GitHub CLI commands:

'--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'

Verdict: ✅ Security permissions are appropriately scoped

---

6. Job-level Permission Duplication

Both workflows duplicate permissions at the job level that are already set at the workflow level:

.github/workflows/claude-code-review.yml:28-32
.github/workflows/claude.yml:28-33

This is not harmful but creates maintenance overhead. If you update workflow-level permissions, you must remember to update job-level ones too.

Recommendation: Remove job-level permissions since they're inherited from workflow level, or document why both levels are needed.

---

Final Recommendations

Must Fix:

1. Remove unrelated files from this PR (.github/FUNDING.yml, .github/workflows/ruby.yml) and create separate PRs for them
2. Fix or remove the CLAUDE.md reference in claude-code-review.yml:56
3. Do not merge ruby.yml until the test scripts exist (they will cause CI failures)

Should Fix:

4. Remove redundant additional_permissions block from claude.yml:46-48
5. Consider removing duplicate job-level permissions or document why they're needed

Nice to Have:

6. Update PR title/description to accurately reflect all changes if keeping the extra files

---

Conclusion

The core OIDC permissions fix is correct and solves the stated problem. However, the PR includes unrelated changes that should be separated, and there are some redundancies that should be cleaned up. I recommend addressing the "Must Fix" items before merging.