
fix(gha): Add id-token write permission and switch to GH_TOKEN for Claude actions#1238

Merged: MervinPraison merged 1 commit into main from fix/gha-claude-oidc-token on Apr 1, 2026

Conversation

@MervinPraison (Owner) commented Apr 1, 2026

Fixes OIDC token fetch failure and 401 Bad Credentials errors in the Claude workflows.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configuration for improved authentication handling.

…aude actions

Fixes OIDC token fetch failure and 401 Bad Credentials errors in claude.yml and claude-issue-triage.yml.
Copilot AI review requested due to automatic review settings April 1, 2026 06:36
@MervinPraison MervinPraison merged commit 19929dd into main Apr 1, 2026
1 check passed
@gemini-code-assist (Contributor) commented:

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@qodo-code-review

Review Summary by Qodo

Fix OIDC token and authentication in Claude workflows

🐞 Bug fix


Walkthroughs

Description
• Add id-token: write permission to Claude workflow
• Replace PAT_TOKEN with GH_TOKEN in both workflows
• Fixes OIDC token fetch and authentication errors
Diagram
flowchart LR
  A["Claude Workflows"] -->|Add id-token permission| B["OIDC Token Access"]
  A -->|Replace PAT_TOKEN| C["GH_TOKEN"]
  B --> D["Fixed Authentication"]
  C --> D


File Changes

1. .github/workflows/claude.yml 🐞 Bug fix +2/-1

Add id-token permission and switch to GH_TOKEN

• Added id-token: write permission to job permissions
• Changed github_token from secrets.PAT_TOKEN to secrets.GH_TOKEN
• Enables OIDC token generation for Claude Code Action

2. .github/workflows/claude-issue-triage.yml 🐞 Bug fix +1/-1

Switch to GH_TOKEN for authentication

• Changed github_token from secrets.PAT_TOKEN to secrets.GH_TOKEN
• Updates authentication mechanism for Claude Issue Triage Action


@coderabbitai (Contributor)

coderabbitai bot commented Apr 1, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between a0e4a76 and 36c2e76.

📒 Files selected for processing (2)
  • .github/workflows/claude-issue-triage.yml
  • .github/workflows/claude.yml

📝 Walkthrough


The PR updates two GitHub Actions workflows to modify token authentication handling. It replaces references to secrets.PAT_TOKEN with secrets.GH_TOKEN in Claude action invocations across both workflows and adds id-token: write permission to the claude-response job.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Token Updates: .github/workflows/claude-issue-triage.yml, .github/workflows/claude.yml | Changed github_token input parameter from secrets.PAT_TOKEN to secrets.GH_TOKEN in Claude action calls across both workflows.
Job Permissions Enhancement: .github/workflows/claude.yml | Added id-token: write permission to the claude-response job.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

Review effort 4/5

Poem

🐰 From PAT to GH, the tokens now flow,
With permissions granted, our workflows will glow,
Two workflows aligned, one secret so true,
Claude's actions can now do what they're meant to do! 🔐✨


@qodo-code-review

qodo-code-review bot commented Apr 1, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. OIDC with unpinned action 🐞 Bug ⛨ Security
Description
claude.yml now grants id-token: write while running anthropics/claude-code-action@beta (a
mutable tag), increasing supply-chain impact because a compromised tag update could mint OIDC tokens
in your job context. Pin the third-party action to an immutable commit SHA (or a trusted release
digest) before enabling OIDC token issuance.
Code

.github/workflows/claude.yml[R29-32]

      pull-requests: write
      issues: write
      actions: read
+      id-token: write
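Review bot: the permissions block visible here (pull-requests: write, issues: write, actions: read, plus the added id-token: write) shows no contents scope. Because an explicit job-level permissions block sets every unlisted scope to none, confirm that `contents: read` is present above these lines; otherwise the job cannot check out the repository. Note also that `id-token: write` cannot be limited to one step, so every step in this job, not only the Claude action, is able to request an OIDC token for the workflow's identity.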
Evidence
The job explicitly enables OIDC token minting (id-token: write) and also invokes a third-party
action by mutable tag (@beta), which is not immutable and can change without review. With OIDC
enabled, any unexpected code execution in that action runs with the ability to request OIDC tokens
in this workflow context.

.github/workflows/claude.yml[27-42]
.github/workflows/claude.yml[39-42]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow grants `id-token: write` but uses `anthropics/claude-code-action@beta`, which is a mutable reference. This increases the supply-chain blast radius because the referenced code can change without being reviewed in this repo.

### Issue Context
`id-token: write` enables OIDC token requests in the job. Third-party actions referenced by mutable tags should be pinned to an immutable commit SHA (or equivalent immutable identifier) before granting sensitive permissions.

### Fix Focus Areas
- .github/workflows/claude.yml[27-45]

### What to change
- Replace `anthropics/claude-code-action@beta` with a commit-SHA-pinned reference (or an immutable release reference provided by the publisher).
- Keep `id-token: write` only if OIDC is still required after the pin.




Remediation recommended

2. GH_TOKEN secret dependency 🐞 Bug ☼ Reliability
Description
Workflows now rely on secrets.GH_TOKEN for GitHub authentication, creating an operational
dependency where an unset/rotated secret will cause 401/auth failures in the Claude steps. For
in-repo Claude actions, github_token can default to ${{ github.token }} (repo-scoped) so you can
avoid the custom secret where elevated privileges are not required.
Code

.github/workflows/claude-issue-triage.yml[R22-23]

          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          github_token: ${{ secrets.PAT_TOKEN }} 
+          github_token: ${{ secrets.GH_TOKEN }} 
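Review bot: renaming the secret changes which credential is injected, not what it can do; if `secrets.GH_TOKEN` is not defined in the repository, the expression silently expands to an empty string and the step will hit the same 401 Bad Credentials this PR is meant to fix. Add a fail-fast guard before the action (for example, exit if the input is empty or if `gh api user` fails with it) and record which scopes the token needs so rotation keeps them. The `+` line also keeps the trailing space after `}}` that the `-` line had.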
Evidence
Both updated workflows pass secrets.GH_TOKEN as the github_token. Separately, the in-repo
claude-code-action already supports a repo-scoped default token (${{ github.token }}), which
avoids requiring a separately managed secret for many operations.

.github/workflows/claude-issue-triage.yml[19-23]
.github/workflows/claude.yml[39-44]
.github/actions/claude-code-action/action.yml[4-12]
.github/actions/claude-issue-triage-action/action.yml[4-15]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflows now depend on `secrets.GH_TOKEN`. If the secret is missing or rotated incorrectly, the Claude steps will authenticate with an empty/invalid token and fail.

### Issue Context
Your in-repo Claude action supports a safe default GitHub token (`${{ github.token }}`), which works with the workflow/job `permissions` model and removes the need for a separately managed PAT-like secret in many cases.

### Fix Focus Areas
- .github/workflows/claude-issue-triage.yml[19-23]
- .github/workflows/claude.yml[39-44]
- .github/actions/claude-code-action/action.yml[4-12]

### What to change
- Where elevated, non-`GITHUB_TOKEN` privileges are not strictly required, pass `${{ github.token }}` (or omit the input if the action defaults it) instead of `secrets.GH_TOKEN`.
- If `GH_TOKEN` is required (e.g., to act as a specific user/app), document that requirement and ensure the secret’s expected scopes are maintained during rotation.



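The two Qodo findings above (a mutable `@beta` ref inside a job that can mint OIDC tokens, and `github_token` fed from a custom secret) are mechanical enough to lint for. The script below is an added example written for this page, not code from the PraisonAI repository or from Qodo. It scans workflow files line by line so it needs no YAML library and assumes the usual 2-space indentation; the WORKFLOW text is a constructed stand-in for `claude.yml` that borrows the action and secret names from the diff, while the `triage` job and the all-zeros `actions/checkout` pin are placeholders rather than real project configuration or a real commit.

```python
"""Lint GitHub Actions workflows for two of the review findings on this PR:
a job granting id-token: write while running a third-party action by a
mutable ref, and a github_token input fed from a custom secret.

Added example for this page, not code from the PraisonAI repository.
Line-oriented scan; assumes the usual 2-space indentation of workflow files.
"""
import re
from dataclasses import dataclass, field

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                  # full commit SHA = immutable ref
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")        # job key directly under jobs:
JOB_PERMS_RE = re.compile(r"^    permissions:")         # job-level permissions block
ID_TOKEN_RE = re.compile(r"^\s*id-token:\s*write\s*$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
GH_TOKEN_RE = re.compile(r"^\s*github_token:\s*\$\{\{\s*([^\s}]+)\s*\}\}")


@dataclass
class Job:
    name: str
    id_token_write: bool = False
    uses: list = field(default_factory=list)           # (ref, pinned?)
    github_tokens: list = field(default_factory=list)  # expressions passed as github_token


def is_pinned(ref: str) -> bool:
    """Local actions are reviewed in-repo; remote ones must name a full commit SHA."""
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    _, _, version = ref.partition("@")
    return bool(SHA_RE.match(version))


def parse_workflow(text: str) -> dict:
    jobs, current, in_jobs, wf_id_token = {}, None, False, False
    for line in text.splitlines():
        if line.rstrip() == "jobs:":
            in_jobs = True
            continue
        if not in_jobs:                       # workflow-level permissions, if any
            wf_id_token = wf_id_token or bool(ID_TOKEN_RE.match(line))
            continue
        m = JOB_RE.match(line)
        if m:                                 # a job with no block of its own inherits
            current = Job(m.group(1), id_token_write=wf_id_token)
            jobs[current.name] = current
            continue
        if current is None:
            continue
        if JOB_PERMS_RE.match(line):          # explicit block: unlisted scopes become none
            current.id_token_write = False
        elif ID_TOKEN_RE.match(line):
            current.id_token_write = True
        elif (m := USES_RE.match(line)):
            current.uses.append((m.group(1), is_pinned(m.group(1))))
        elif (m := GH_TOKEN_RE.match(line)):
            current.github_tokens.append(m.group(1))
    return jobs


def audit(text: str) -> list:
    """Return (severity, job, message) tuples; HIGH = OIDC minting plus an unpinned action."""
    findings = []
    for job in parse_workflow(text).values():
        for ref, pinned in job.uses:
            if pinned:
                continue
            if job.id_token_write:
                findings.append(("HIGH", job.name, f"{ref}: mutable ref in a job that can mint OIDC tokens"))
            else:
                findings.append(("MEDIUM", job.name, f"{ref}: mutable ref, pin to a commit SHA"))
        for tok in job.github_tokens:
            # secrets.GITHUB_TOKEN is the same repo-scoped token as github.token
            if tok.startswith("secrets.") and tok != "secrets.GITHUB_TOKEN":
                findings.append(("INFO", job.name,
                                 f"github_token from {tok}; prefer github.token unless elevated rights are needed"))
    return findings


# Constructed stand-in for .github/workflows/claude.yml: action and secret names follow
# the PR diff; the triage job and the all-zeros checkout pin are placeholders.
WORKFLOW = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
jobs:
  claude-response:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      issues: write
      actions: read
      id-token: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder pin
      - uses: anthropics/claude-code-action@beta
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GH_TOKEN }}
  triage:
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/claude-issue-triage-action
        with:
          github_token: ${{ github.token }}
"""

if __name__ == "__main__":
    for sev, job, msg in audit(WORKFLOW):
        print(f"[{sev}] {job}: {msg}")
```

Run it over real files with `audit(open(path).read())`. A mutable ref is only HIGH when the same job grants `id-token: write`, because GitHub Actions cannot scope that permission to a single step: once the job has it, any step, including a third-party action whose tag moved since it was reviewed, can request a token for the workflow's identity. The check deliberately treats `secrets.GITHUB_TOKEN` as equivalent to `github.token`, since both are the repo-scoped installation token governed by the `permissions` block.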


Copilot AI left a comment


Pull request overview

Updates the Claude GitHub Actions workflows to fix authentication failures by enabling OIDC token minting and using a different GitHub token secret for API access.

Changes:

  • Add id-token: write job permission to allow OIDC token requests in the main Claude workflow.
  • Switch Claude workflows from secrets.PAT_TOKEN to secrets.GH_TOKEN for the github_token input.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/claude.yml Adds OIDC id-token permission and switches github_token to secrets.GH_TOKEN.
.github/workflows/claude-issue-triage.yml Switches github_token to secrets.GH_TOKEN.


with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
github_token: ${{ secrets.PAT_TOKEN }} No newline at end of file
github_token: ${{ secrets.GH_TOKEN }} No newline at end of file
Copilot AI commented Apr 1, 2026


Trailing whitespace after the secret expression can trigger YAML/style lint failures and makes diffs noisier. Please remove the extra space after ${{ secrets.GH_TOKEN }}.

Suggested change
github_token: ${{ secrets.GH_TOKEN }}
github_token: ${{ secrets.GH_TOKEN }}

Comment on lines 29 to +32
pull-requests: write
issues: write
actions: read
id-token: write

qodo-code-review bot, inline on lines 29 to 32: repeats finding 1 (OIDC with unpinned action) from the Qodo review above, with the same description and agent prompt.

@github-actions bot (Contributor)

github-actions bot commented Apr 1, 2026

@copilot Do a thorough review of this PR. Read ALL existing reviewer comments above first.

Review areas:

  1. Bloat check: Are changes minimal and focused?
  2. Security: Any hardcoded secrets, unsafe eval/exec, missing input validation?
  3. Performance: Any module-level heavy imports? Hot-path regressions?
  4. Tests: Are tests included? Do they cover the changes adequately?
  5. Backward compat: Any public API changes without deprecation?
  6. Code quality: DRY violations, naming conventions, error handling?
  7. Suggest specific improvements with code examples where possible
