Fix API key billing mode for Max plan#72
Changes:
- Replace anthropic_api_key with claude_code_oauth_token to use Max plan instead of API billing
- Upgrade permissions from read to write for pull-requests and issues (needed for posting reviews/comments)
- Add show_full_output: true to both workflows for better error visibility

This fixes the issue where Claude workflows were trying to use API billing mode instead of the Max subscription plan, and couldn't post reviews due to insufficient permissions.
Code review: No issues found. Checked for bugs and CLAUDE.md compliance.
- Restore claude-code-review.yml and claude.yml workflows
- Use claude_code_oauth_token for Max plan billing instead of API key
- Add github_token for OIDC authentication
- Set pull-requests and issues to write permissions for posting reviews/comments
Resolved conflicts by keeping the modified GitHub Actions workflows with OAuth token configuration. Master branch had reverted these workflows, but we're re-introducing them with fixes:
- Use claude_code_oauth_token instead of anthropic_api_key for Max plan billing
- Add github_token for OIDC authentication
- Upgrade permissions to write for pull-requests and issues
Code review: No issues found. Checked for bugs and CLAUDE.md compliance.
```yaml
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
```
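Review bot: `pull-requests: write` is broader than "post comments": it is the same scope the reviews API uses to submit reviews, including approvals (subject to the repository's "Allow GitHub Actions to create and approve pull requests" setting), and to edit PR titles, bodies and labels. The real control on who can exercise that scope is the author_association gating added in the later commits of this PR, not the permission itself, so a one-line comment beside `pull-requests: write` pointing at the `if:` condition that gates the job would keep the two from drifting apart.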
Claude finished @piatoss3612's task in 46s
Analysis of write permissions in workflow
- Read the workflow file to understand permission configuration
- Analyze security implications
- Provide recommendation
Answer
Yes, these write permissions are necessary and safe for the Claude Code workflow. Here's why:
Permissions breakdown (.github/workflows/claude.yml:21-26):
```yaml
permissions:
  contents: read        # Read repository code
  pull-requests: write  # Line 23 - Post/update PR comments
  issues: write         # Post/update issue comments
  id-token: write       # OIDC authentication
  actions: read         # Read CI results
```

Why pull-requests: write and issues: write are needed:
1. Core functionality: Claude Code needs to post and update comments on PRs and issues to communicate with you. Without write permissions, Claude cannot respond to your @claude mentions.
2. Scoped appropriately: These permissions only allow:
   - Creating/updating comments
   - NOT merging PRs
   - NOT modifying repository code directly
   - NOT approving PRs
3. Standard practice: This is the recommended configuration for the Claude Code GitHub Action.

Security considerations:

✅ Safe because:
- Uses GITHUB_TOKEN with automatic scoping to this repository only
- Permissions are minimal for the required functionality
- Action only runs when explicitly triggered by @claude mentions
- All code changes require explicit push via git commands
- Uses OIDC (id-token: write) for secure authentication
Both workflow files (.github/workflows/claude.yml and .github/workflows/claude-code-review.yml) use identical permission sets, which is correct for their functionality.
Only run code review for PR authors who are:
- OWNER: Repository owners
- MEMBER: Organization members
- COLLABORATOR: Repository collaborators

This prevents external contributors and first-time contributors from triggering automated code reviews.
Add author_association checks for all event types:
- issue_comment: Only OWNER/MEMBER/COLLABORATOR can mention @claude in issue comments
- pull_request_review_comment: Only OWNER/MEMBER/COLLABORATOR can mention @claude in PR review comments
- pull_request_review: Only OWNER/MEMBER/COLLABORATOR can mention @claude in PR reviews
- issues: Only OWNER/MEMBER/COLLABORATOR can mention @claude in issue body/title

This prevents external contributors from invoking Claude via @claude mentions.