fix: grant write permissions to claude-code-review workflow #467

Merged
kimocoder merged 2 commits into master from copilot/update-workflow-permissions on Mar 19, 2026

Conversation


Copilot AI commented Mar 19, 2026

The Claude Code Review workflow was failing with 401 Unauthorized during OIDC token exchange because pull-requests and issues were set to read — insufficient for posting review comments.

Change

permissions:
  contents: read
  pull-requests: write  # was: read
  issues: write         # was: read
  id-token: write
Original prompt

Problem

The Claude Code Review workflow (.github/workflows/claude-code-review.yml) is failing with:

App token exchange failed: 401 Unauthorized - User does not have write access on this repository

See failing run: https://github.com/kimocoder/wifite2/actions/runs/23277044472

Root Cause

The workflow's permissions block has pull-requests: read and issues: read, but the action needs write access to post review comments on PRs. The OIDC token exchange fails because the workflow identity only has read access.

Current permissions:

permissions:
  contents: read
  pull-requests: read    # ← Problem: needs write
  issues: read           # ← Problem: needs write
  id-token: write

Fix Required

In .github/workflows/claude-code-review.yml, change the permissions block to:

permissions:
  contents: read
  pull-requests: write    # ← Changed from 'read' to 'write'
  issues: write           # ← Changed from 'read' to 'write'
  id-token: write

This is the only change needed. Do not modify any other part of the workflow file.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: How to properly fix the Claude workflow?

Assistant: Let me investigate the failing workflow run and the repository's workflow configuration to understand the issue.

Assistant: Now I have a clear picture of the problem. Let me look more closely at the failing workflow file and understand the specific issue.

Diagnosis: Why Your Claude Code Review Workflow Is Failing

The failing run (#23277044472) is from the claude-code-review.yml workflow, and the error is:

401 Unauthorized - User does not have write access on this repository

This happens during the OIDC token → App token exchange step. The root cause is a permissions mismatch in your workflow file.


The Problem

Here's your current claude-code-review.yml permissions block:

    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write

The workflow uses claude_code_oauth_token with OIDC (id-token: write) to exchange for an app token that can post review comments. However, the pull-requests and issues permissions are set to read, so when the action tries to exchange the OIDC token for an app token with write capabilities, it fails because the workflow's GITHUB_TOKEN (and the OIDC identity it represents) only has read access.


The Fix

You need to grant write permissions for pull-requests and issues so that the action can actually post review comments. Here's the corrected workflow:

name: Claude Code Review

on:
  pull_request:
    types: [opened, synchronize, ready_for_review, reopened]

jobs:
  claude-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write    # ← Changed from 'read' to 'write'
      issues: write           # ← Changed from 'read' to 'write'
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
          plugins: 'code-review@claude-code-plugins'
          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'

Key changes:

    Permission      Before   After   Why
    pull-requests   read     write   The action needs to post review comments on PRs
    issues          read     write   The action needs to write comments on issues

Additional Checks

  1. Ensure the Claude Code GitHub App is installed on your repository with write access. Go to Settings → GitHub Apps (or Integrations) on your repo and verify the Anthropic/Claude app has the correct repository permissions (read & write for Pull Requests, Issues, and Contents).

  2. Verify the CLAUDE_CODE_OAUTH_TOKEN secret exists — go to Settings → Secrets and variables → Actions and confirm it's set.

  3. You also have a second workflow (claude.yml) that uses anthropic_api_key instead of OIDC. That's a different auth method and shouldn't conflict, but be aware you have two Claude workflows that could both trigger on pull_request events. You may want to consolidate them or disable one to avoid duplicate reviews.


Would you like me to create a PR with this fix appli...

This pull request was created from Copilot chat.
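As an added example (not code from this pull request, the wifite2 repository, or the claude-code-action project), the following Python checker reads the `permissions:` blocks of a workflow file and compares them with the scopes the job actually needs. It reports both directions: scopes granted below what the action requires (the cause of the 401 in this PR) and scopes granted above it, which is the least-privilege question a reviewer should ask when a fix widens a token. The sample workflow text is reconstructed from the PR description, and the REQUIRED table is an assumption taken from this PR, not a published contract of the action.

```python
"""Added example, not code from the wifite2 repository or from the
claude-code-action project: a small checker that reads the `permissions:`
blocks of a GitHub Actions workflow and compares them with the scopes a job
actually needs. The sample workflow text is reconstructed from this PR, and the
REQUIRED table (what claude-code-action needs) is an assumption based on the
PR description, not a published contract of the action."""

import re

# GitHub token permission levels, least to most privileged.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Assumed requirement for the review job: the four scopes from this PR.
REQUIRED = {
    "contents": "read",
    "pull-requests": "write",
    "issues": "write",
    "id-token": "write",
}


def parse_permission_blocks(workflow_text):
    """Return [(indent, {scope: level})] for each `permissions:` mapping.

    Minimal line-based parser for the block form used in this PR; the
    `permissions: read-all` / `write-all` shorthand is returned as a single
    "*" scope so the caller can flag it."""
    blocks = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)permissions:\s*(\S*)\s*(#.*)?$", lines[i])
        if not m:
            i += 1
            continue
        indent, shorthand = len(m.group(1)), m.group(2)
        if shorthand:
            blocks.append((indent, {"*": shorthand}))
            i += 1
            continue
        scopes = {}
        i += 1
        while i < len(lines):
            entry = re.match(r"^(\s*)([\w-]+):\s*(\w+)", lines[i])
            if not entry or len(entry.group(1)) <= indent:
                break  # dedent or blank line ends the mapping
            scopes[entry.group(2)] = entry.group(3)
            i += 1
        blocks.append((indent, scopes))
    return blocks


def check_permissions(workflow_text, required=REQUIRED):
    """Return findings: scopes below what the job needs (the 401 in this PR)
    and scopes above it (more privilege than the job uses)."""
    findings = []
    for indent, scopes in parse_permission_blocks(workflow_text):
        where = "workflow-level" if indent == 0 else "job-level"
        if "*" in scopes:
            findings.append(
                f"{where}: shorthand '{scopes['*']}' grants every scope; list scopes explicitly")
            continue
        for scope, need in required.items():
            actual = scopes.get(scope, "none")
            if LEVELS[actual] < LEVELS[need]:
                findings.append(f"{where}: {scope} is {actual}, action needs {need}")
        for scope, actual in scopes.items():
            need = required.get(scope, "none")
            if LEVELS[actual] > LEVELS[need]:
                findings.append(f"{where}: {scope} is {actual}, but the job needs only {need}")
    return findings


# Constructed from the PR: the failing block, then the merged one.
BEFORE = """\
name: Claude Code Review
on:
  pull_request:
    types: [opened, synchronize, ready_for_review, reopened]
jobs:
  claude-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
"""
AFTER = BEFORE.replace("pull-requests: read", "pull-requests: write").replace(
    "issues: read", "issues: write")
# Constructed over-broad variant: the shorthand a hurried fix might reach for.
WRITE_ALL = BEFORE.replace("    permissions:\n", "    permissions: write-all\n")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("write-all", WRITE_ALL)):
        print(label, check_permissions(text) or ["ok"])
```

Run it against the workflow file (or paste its text into BEFORE) and an empty list means the block matches the assumed requirement exactly; the "write-all" case shows why the PR's explicit per-scope grant is preferable to the shorthand, since the checker cannot tell what such a job really uses.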



…ode-review workflow

Co-authored-by: kimocoder <4252297+kimocoder@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix workflow permissions for code review action" to "fix: grant write permissions to claude-code-review workflow" Mar 19, 2026
Copilot AI requested a review from kimocoder March 19, 2026 02:38
@kimocoder kimocoder marked this pull request as ready for review March 19, 2026 02:39
Copilot AI review requested due to automatic review settings March 19, 2026 02:39
@kimocoder kimocoder merged commit 24c6101 into master Mar 19, 2026
11 of 13 checks passed
@kimocoder kimocoder deleted the copilot/update-workflow-permissions branch March 19, 2026 02:39

Copilot AI left a comment


Pull request overview

This PR updates the GitHub Actions permissions for the Claude Code Review workflow so it can successfully exchange its OIDC token and post review comments (fixing the 401 Unauthorized failure during token exchange).

Changes:

  • Change pull-requests permission from read to write.
  • Change issues permission from read to write.
