Add workflow-level permissions for Claude Code actions #206
base: master
Conversation
Walkthrough: Two GitHub workflow files receive top-level permissions blocks granting read access to contents, pull-requests, and issues, plus write access to id-token. The first workflow additionally grants read access to actions. Existing per-job permissions remain unchanged.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)
47-48: Redundant permissions configuration. The `additional_permissions: actions: read` (lines 47–48) duplicates the workflow-level `permissions.actions: read` (line 18). You can remove this block since the permission is already granted at the workflow level and inherited by the job. Apply this diff to remove the redundant block:
- name: Run Claude Code id: claude uses: anthropics/claude-code-action@v1 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} - - # This is an optional setting that allows Claude to read CI results on PRs - additional_permissions: | - actions: read # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
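Review bot: before deleting the `additional_permissions: | actions: read` input in this suggested diff, confirm it is actually redundant. A workflow-level `permissions:` grant reaches a job only when that job declares no `permissions:` block of its own (a job-level block replaces the workflow-level one rather than merging with it), and `additional_permissions` is an input consumed by claude-code-action itself, as the hunk's own comment ("allows Claude to read CI results on PRs") indicates, so it may govern a different token than the runner's GITHUB_TOKEN. Keep the input unless the action's documentation confirms it reads `actions` access from the workflow token.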
📒 Files selected for processing (6)
- .github/FUNDING.yml (1 hunks)
- .github/workflows/claude-code-review.yml (1 hunks)
- .github/workflows/claude.yml (1 hunks)
- .github/workflows/ruby.yml (1 hunks)
- README.md (1 hunks)
- cypress-on-rails.gemspec (1 hunks)
🔇 Additional comments (8)
.github/FUNDING.yml (1)
1-1: Configuration syntax is correct. This GitHub funding configuration is properly formatted and will correctly display sponsorship links for the shakacode organization.
README.md (1)
1-3: Deprecation notice is clear and user-facing. The prominent deprecation messaging at the top directs users to the new `cypress_on_rails` gem with a direct link. This aligns with the gemspec changes and provides clear migration guidance.
.github/workflows/claude-code-review.yml (2)
13-17: Workflow-level OIDC permissions correctly configured. The `id-token: write` permission is present at the workflow level (lines 13–17) as required for the Claude Code action to authenticate via OIDC. This addresses the PR objective.
40-62: Claude action invocation is well-scoped. The workflow properly restricts `claude_args` to safe GitHub CLI commands (lines 60–62), limiting the action to read PR/issue data and post comments. The prompt structure is clear with actionable review criteria. One minor note: line 56 references a `CLAUDE.md` file for guidance; verify this file exists in the repository, or the reference will not provide value.
.github/workflows/claude.yml (2)
13-18: Workflow-level OIDC and actions permissions correctly configured. The `id-token: write` permission is present at the workflow level (line 17) as required for OIDC authentication. The `actions: read` permission (line 18) allows Claude to inspect CI results on PRs.
22-26: Conditional logic properly guards event-driven execution. The conditional ensures the Claude job only runs when `@claude` is mentioned in comments, reviews, or issue bodies, preventing unnecessary invocations and reducing noise.
.github/workflows/ruby.yml (1)
39-40: Verify intentionality of bundler version downgrade. Rails 7.2 and Rails 8 are downgrading to bundler `< 2` (lines 39–40 and 58–59), which is unusual since both Rails versions and the associated Ruby versions support bundler 2.x. Verify that this downgrade is necessary for project-specific constraints (e.g., legacy Gemfile lock format or gemspec requirements). Also applies to: 58-59
cypress-on-rails.gemspec (1)
11-22: Clear deprecation messaging with actionable next steps. The updated summary, description, and post-install message consistently communicate the deprecation and direct users to the new `cypress_on_rails` gem with a direct link. This aligns with the README deprecation notice and provides a seamless user experience across installation, documentation, and gem metadata.
| - name: Run tests | ||
| run: bundle exec rake | ||
| - name: Run interaction tests | ||
| run: ./specs_e2e/rails_6_1/test.sh | 
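Review bot: the `Run interaction tests` step runs `./specs_e2e/rails_6_1/test.sh` unconditionally, and the analysis chain below found no `specs_e2e` directory in the checkout, so this step fails the job at runtime. Either commit the scripts (with the executable bit set) or remove the steps; if the path is expected to vary, a `test -x ./specs_e2e/rails_6_1/test.sh` check that fails with an explicit message would make the cause obvious in the job log.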
🧩 Analysis chain
Verify external test script paths exist.
Each job references an external shell script (./specs_e2e/rails_[version]/test.sh, lines 23, 42, 61). Ensure these scripts exist in the repository and are executable. If not present, the workflow will fail at runtime.
Also applies to: 42-42, 61-61
🏁 Script executed:
#!/bin/bash
# Verify test script paths exist
for script in ./specs_e2e/rails_6_1/test.sh ./specs_e2e/rails_7_2/test.sh ./specs_e2e/rails_8/test.sh; do
  if [ -f "$script" ]; then
    echo "✓ $script exists"
  else
    echo "✗ $script MISSING"
  fi
done
Length of output: 117
I need to explore the directory structure further to understand the full scope of this issue.
🏁 Script executed:
#!/bin/bash
# Explore specs_e2e directory structure
echo "=== Directory listing of specs_e2e (if exists) ==="
if [ -d "./specs_e2e" ]; then
  find ./specs_e2e -type f -name "*.sh" 2>/dev/null | head -20
  echo ""
  echo "=== Full specs_e2e structure ==="
  ls -la ./specs_e2e/ 2>/dev/null || echo "Directory exists but no contents"
else
  echo "specs_e2e directory does not exist"
fi
echo ""
echo "=== Check .github/workflows/ruby.yml content ==="
cat .github/workflows/ruby.yml 2>/dev/null | head -80
Length of output: 1635
Create missing test scripts or update workflow paths.
The specs_e2e directory and all three referenced test scripts do not exist in the repository:
- ./specs_e2e/rails_6_1/test.sh (line 23)
- ./specs_e2e/rails_7_2/test.sh (line 42)
- ./specs_e2e/rails_8/test.sh (line 61)
The workflow will fail at runtime when these steps execute. Either create the missing scripts and directory structure, provide correct paths if they exist elsewhere, or remove these steps from the workflow.
🤖 Prompt for AI Agents
.github/workflows/ruby.yml lines ~23, 42, 61: the workflow references three
missing scripts (./specs_e2e/rails_6_1/test.sh, ./specs_e2e/rails_7_2/test.sh,
./specs_e2e/rails_8/test.sh) which will cause CI failures; fix by either (A)
creating the specs_e2e directory and the three test.sh scripts with executable
permissions and committing them, (B) updating the workflow to point to the
correct existing script paths if they live elsewhere, or (C) removing or
disabling these steps from the workflow if the tests are not needed, and then
run the workflow locally or via a dry-run to verify paths execute successfully
before pushing.
@claude review this PR
Claude finished @justin808's task.
Review of PR #206: Add workflow-level permissions for Claude Code actions
Todo List
Code Review Findings
Summary
This PR adds workflow-level OIDC permissions to fix authentication errors in the Claude Code GitHub Actions. The changes are functionally correct and address the stated problem, but there are some issues to address.
Scope Mismatch Issue
The Claude Code GitHub Action requires id-token: write permission to authenticate via OIDC. While the permissions were set at the job level, GitHub Actions requires them at the workflow level for proper OIDC token generation. This commit adds workflow-level permissions to both claude.yml and claude-code-review.yml to fix the OIDC authentication error: "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
e53f1d3 to f57ceb3 (Compare)
@claude review this PR.
Claude finished @justin808's task.
Review of PR #206: Add workflow-level permissions for Claude Code actions
Todo List
Summary
This PR correctly adds workflow-level OIDC permissions to fix authentication errors in the Claude Code GitHub Actions. The changes are functionally correct and address the stated problem effectively.
Detailed Review
1. Core Fix: Workflow-Level Permissions ✅
Files:
The addition of workflow-level permissions:
permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write
  actions: read  # Only in claude.yml
Why this works: GitHub Actions requires
Verdict: ✅ Correct implementation
2. Redundant Permission Configuration
Created detailed guidance document for Claude Code agents working on cypress-playwright-on-rails gem, covering:
- Critical testing and code quality requirements
- Common commands for development workflow
- Project architecture and request flow patterns
- Testing patterns for unit and integration tests
- Code style conventions and best practices
- Backward compatibility guidelines
- Changelog contribution guidelines
- Security considerations for E2E testing
- Multi-framework support (Cypress and Playwright)
- VCR middleware variants and factory patterns
- Rails version compatibility notes
- Contributing workflow
Inspired by ShakaCode's react_on_rails and shakapacker CLAUDE.md files, with specific focus on this gem's unique testing framework integration patterns.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
@claude review this PR
Claude finished @justin808's task.
Review of PR #206: Add workflow-level permissions for Claude Code actions
Todo List
Summary
This PR correctly adds workflow-level OIDC permissions to fix authentication errors in the Claude Code GitHub Actions, and adds a comprehensive CLAUDE.md guidance file for Claude agents. The changes are functionally correct and well-executed.
Detailed Review
1. Core Fix: Workflow-Level Permissions ✅
Files:
The addition of workflow-level permissions:
permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write
  actions: read  # Only in claude.yml
Why this works: GitHub Actions requires
Verdict: ✅ Correct implementation
2. Excellent Addition: CLAUDE.md ✅
The new
Highlights:
This file provides exactly the guidance needed for Claude agents to work effectively with this codebase.
Verdict: ✅ Excellent addition
3. Redundant Permission Configuration
Summary
- `id-token: write` permission to both Claude workflows
Problem
The Claude Code GitHub Action was failing with OIDC token errors because GitHub Actions requires permissions at the workflow level for OIDC token generation, not just at the job level.
Solution
Added `permissions` block at the workflow level (before the `jobs` section) in:
- .github/workflows/claude.yml
- .github/workflows/claude-code-review.yml
Test Plan
🤖 Generated with Claude Code
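To check the point this PR and the CodeRabbit "redundant permissions" nitpick turn on, here is an added example, not code from this PR or from the cypress-on-rails project, that scans a workflow file's `permissions:` blocks and reports the scopes each job actually ends up with. The scanner is a small indentation-based reader for the `key: value` layout shown in the PR, not a YAML parser, and the sample workflow is constructed for the example (its job-level `permissions:` block is an assumption added to show the interaction). It applies GitHub's documented rule that a job-level `permissions:` block replaces the workflow-level block for that job, so it flags scopes a job loses that way, scopes repeated at both levels, jobs with no effective `id-token: write` (which OIDC token requests need), and write access beyond `id-token`.

```python
"""Audit the permissions: blocks of a GitHub Actions workflow (added example,
not code from the PR or project). A small indentation-aware scanner for the
'key: value' layout used in the PR, not a general YAML parser."""
import re

# Constructed sample modelled on the claude.yml discussed in the PR. The job-level
# permissions block is an assumption added to show how it interacts with the
# workflow-level block.
SAMPLE_WORKFLOW = """\
permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write
  actions: read  # lets the action read CI results

jobs:
  claude:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Run Claude Code
        uses: anthropics/claude-code-action@v1
        with:
          additional_permissions: |
            actions: read
"""

SCOPE_RE = re.compile(r"^\s*([\w-]+):\s*([\w-]+)")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _meaningful(line):
    s = line.strip()
    return bool(s) and not s.startswith("#")


def parse_permission_blocks(lines):
    """Return [{'owner': 'workflow' or job name, 'scopes': {scope: level}}]."""
    blocks = []
    for i, line in enumerate(lines):
        if not _meaningful(line) or not line.strip().startswith("permissions:"):
            continue
        indent = _indent(line)
        rest = line.strip()[len("permissions:"):].split("#")[0].strip()
        scopes = {"*": rest} if rest else {}  # read-all / write-all shorthand
        for nxt in lines[i + 1:]:
            if not _meaningful(nxt):
                continue
            if _indent(nxt) <= indent:  # dedent ends the block
                break
            m = SCOPE_RE.match(nxt)
            if m:
                scopes[m.group(1)] = m.group(2)
        owner = "workflow"
        if indent > 0:  # nearest enclosing mapping key names the job
            for prev in reversed(lines[:i]):
                if _meaningful(prev) and _indent(prev) < indent and prev.rstrip().endswith(":"):
                    owner = prev.strip()[:-1]
                    break
        blocks.append({"owner": owner, "scopes": scopes})
    return blocks


def list_jobs(lines):
    """Names declared directly under the top-level jobs: key."""
    jobs, in_jobs = [], False
    for line in lines:
        if not _meaningful(line):
            continue
        indent = _indent(line)
        if indent == 0:
            in_jobs = line.strip() == "jobs:"
        elif in_jobs and indent == 2 and line.strip().endswith(":"):
            jobs.append(line.strip()[:-1])
    return jobs


def audit(workflow_text):
    """Per-job findings. GitHub applies a job-level permissions block instead of
    the workflow-level one (no merging), so the effective set is chosen here."""
    lines = workflow_text.splitlines()
    blocks = parse_permission_blocks(lines)
    workflow = next((b["scopes"] for b in blocks if b["owner"] == "workflow"), {})
    per_job = {b["owner"]: b["scopes"] for b in blocks if b["owner"] != "workflow"}
    findings = []
    for job in list_jobs(lines):
        own = job in per_job
        eff = per_job[job] if own else workflow
        if eff.get("id-token") != "write" and eff.get("*") != "write-all":
            findings.append(f"{job}: no effective 'id-token: write', OIDC token requests will fail")
        if own:
            lost = sorted(s for s in workflow if s not in eff)
            if lost:
                findings.append(f"{job}: job-level block hides workflow scopes: {', '.join(lost)}")
            dup = sorted(s for s in eff if workflow.get(s) == eff[s])
            if dup:
                findings.append(f"{job}: job-level block repeats workflow scopes: {', '.join(dup)}")
        broad = sorted(s for s, lvl in eff.items() if lvl in ("write", "write-all") and s != "id-token")
        if broad:
            findings.append(f"{job}: write access beyond id-token: {', '.join(broad)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        print(finding)
```

Run against the sample, the audit reports that the `claude` job's own block hides the workflow-level `actions`, `issues` and `pull-requests` scopes and repeats `contents` and `id-token`; a job that declares no block of its own inherits the workflow-level block unchanged, which is the situation the PR relies on. The `additional_permissions` input under `with:` is deliberately not counted as a GitHub permission, since it is read by the action rather than by the runner.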