Skip to content

Fix API key billing mode for Max plan #72

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
piatoss3612 merged 8 commits into from
Jan 8, 2026
Merged

Fix API key billing mode for Max plan #72

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
a703d77
Fix Claude GitHub Actions to use OAuth token for Max plan billing
claude Jan 7, 2026
e26009d
Remove show_full_output from workflows
claude Jan 7, 2026
0fdf4ac
Add github_token to workflows for OIDC authentication
claude Jan 7, 2026
3a9270f
Revert GitHub Actions workflows to match master branch
claude Jan 7, 2026
5a2b596
Re-add GitHub Actions workflows with OAuth token configuration
claude Jan 7, 2026
8bc84dd
Merge branch 'master' into claude/fix-api-billing-mode-MFpG8
claude Jan 7, 2026
35dfb83
Restrict Claude code review to organization members only
claude Jan 8, 2026
a8aa062
Restrict @claude mentions to organization members only
claude Jan 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions .github/workflows/claude-code-review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"

jobs:
claude-review:
# Only run for organization members, owners, and collaborators
if: |
github.event.pull_request.author_association == 'OWNER' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.author_association == 'COLLABORATOR'

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
issues: write
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
56 changes: 56 additions & 0 deletions .github/workflows/claude.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') &&
(github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') &&
(github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') &&
(github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'COLLABORATOR')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
(github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'COLLABORATOR'))
)
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
Copy link
Copy Markdown
Member Author

@piatoss3612 piatoss3612 Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@claude
is it okay to give write permission?

Copy link
Copy Markdown

@github-actions github-actions Bot Jan 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude finished @piatoss3612's task in 46s —— View job

Analysis of write permissions in workflow

  • Read the workflow file to understand permission configuration
  • Analyze security implications
  • Provide recommendation

Answer

Yes, these write permissions are necessary and safe for the Claude Code workflow. Here's why:

Permissions breakdown (.github/workflows/claude.yml:21-26):

permissions:
  contents: read           # Read repository code
  pull-requests: write     # Line 23 - Post/update PR comments
  issues: write            # Post/update issue comments
  id-token: write          # OIDC authentication
  actions: read            # Read CI results

Why pull-requests: write and issues: write are needed:

  1. Core functionality: Claude Code needs to post and update comments on PRs and issues to communicate with you. Without write permissions, Claude cannot respond to your @claude mentions.

  2. Scoped appropriately: These permissions only allow:

    • Creating/updating comments
    • NOT merging PRs
    • NOT modifying repository code directly
    • NOT approving PRs

  3. Standard practice: This is the recommended configuration for the Claude Code GitHub Action.

Security considerations:

Safe because:

  • Uses GITHUB_TOKEN with automatic scoping to this repository only
  • Permissions are minimal for the required functionality
  • Action only runs when explicitly triggered by @claude mentions
  • All code changes require explicit push via git commands
  • Uses OIDC (id-token: write) for secure authentication

⚠️ Important: The workflow does allow Claude to push commits to branches when you request code changes. If you want to prevent this, you'd need to restrict Claude's allowed tools, but then it couldn't implement code changes for you.

Both workflow files (.github/workflows/claude.yml and .github/workflows/claude-code-review.yml) use identical permission sets, which is correct for their functionality.

issues: write
id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'