@thomasht86
Owner

Summary

  • Add workflows: write permission to Claude Code workflow
  • Enables Claude to modify workflow files (e.g., .github/workflows/CI.yml)
  • Fixes the blocker in #39 (We need to add support for python 3.9) where Claude couldn't push changes that included workflow file modifications

Context

In issue #39, Claude completed all the Python 3.9 support changes but was blocked from pushing because the changes included an update to CI.yml to add Python 3.9 to the test matrix. GitHub requires explicit workflows permission to modify files in .github/workflows/.

Test plan

🤖 Generated with Claude Code

Add `workflows: write` permission to allow Claude to modify
workflow files (e.g., CI.yml) when implementing changes that
require CI matrix updates.

Fixes #39 (unblocks Claude from pushing workflow changes)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@thomasht86 thomasht86 merged commit d484246 into main Jan 7, 2026
11 checks passed
@claude

claude bot commented Jan 7, 2026

Code Review Summary

Overall Assessment: ✅ APPROVED - This is a well-justified, minimal change that solves a real problem.

Code Quality & Best Practices ✅

Strengths:

  • Minimal change: Single line addition following existing permission declaration style
  • Proper formatting: Consistent indentation and inline comment matching other permissions
  • Well-documented: Clear PR description explaining the "why" with concrete reference to issue #39 (We need to add support for python 3.9)
  • Follows principle of least privilege: Only adds the specific permission needed

Style:

  • Follows existing conventions perfectly (inline comments, alignment, YAML formatting)

Functionality & Correctness ✅

Assessment:

  • ✅ Correct permission name (workflows: write)
  • ✅ Appropriate scope for the use case (allowing Claude to modify .github/workflows/ files)
  • ✅ Solves the documented blocker in #39 (We need to add support for python 3.9) where CI.yml modifications were rejected

GitHub Actions Permissions Context:
The workflows: write permission is specifically required by GitHub to modify any files under .github/workflows/. Without it, pushes containing workflow changes are rejected even with contents: write.

Security Considerations ⚠️ (Minor)

Risk Profile:

  • Medium trust boundary: This grants Claude the ability to modify CI/CD pipelines
  • Implications: A compromised API key or malicious prompt could potentially:
    • Modify workflow files to exfiltrate secrets
    • Alter build/test processes
    • Change deployment procedures

Mitigations in place:

  • ✅ Workflow only triggers on explicit @claude mentions (lines 15-19)
  • ✅ Runs in context of a trusted action (anthropics/claude-code-action@v1)
  • ✅ API key stored as GitHub secret (not exposed in code)
  • ✅ Permission is necessary for legitimate use case (adding Python 3.9 to test matrix)

Recommendation:

  • This is acceptable risk for a project using Claude Code as an automated contributor
  • Consider documenting in CLAUDE.md that workflow modifications should be reviewed carefully
  • Current PR review process (as evidenced by this review) provides good oversight

Test Coverage ✅

Manual Testing Plan (from PR description):
The PR includes a clear test plan:

  1. Merge this PR
  2. Re-trigger Claude on #39 (We need to add support for python 3.9) to verify it can now push workflow changes

Suggestion:
After merge, verify that:

  • Claude successfully pushes changes including CI.yml modifications
  • The workflow still respects the trigger conditions (doesn't run unexpectedly)

Performance Considerations ✅

Impact: None - this is a declarative permission change with no runtime impact.

Additional Notes

Related Documentation:

Alternatives Considered:
None needed - this is the correct solution for the problem.

Verdict

LGTM! 🚀 This PR should be merged. It's a necessary permission addition that's well-justified, minimal, and follows security best practices for automated tooling.

The only caveat is the security consideration around workflow modification, but this is inherent to using Claude Code for repository-wide changes and is appropriately mitigated by the trigger conditions and review process.
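The review above recommends that workflow modifications made by an automated contributor be reviewed carefully, since the added permission lets the bot change the CI/CD pipeline itself. As an added example (not code from this pull request, the repository, or the claude-code-action project), the POSIX shell functions below list files under `.github/workflows/` that differ between two git refs and fail when any are present, so a workflow edit cannot slip through as part of an ordinary change. The throwaway repository built under `mktemp`, its `CI.yml` contents and its commit messages are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the pull request: a pre-merge gate that surfaces
# workflow-file changes for explicit human review.
set -eu

# Print the paths under .github/workflows/ that differ between refs $1 and $2.
workflow_changes() {
  git diff --name-only "$1" "$2" -- .github/workflows/
}

# Return 0 when no workflow file changed between $1 and $2, 1 otherwise,
# printing the offending paths to stderr so a CI log shows what to review.
gate_workflow_changes() {
  changed=$(workflow_changes "$1" "$2")
  if [ -n "$changed" ]; then
    printf 'workflow files changed, manual review required:\n%s\n' "$changed" >&2
    return 1
  fi
  return 0
}

# Build a constructed sample repository so the example runs offline:
#   commit 1: base (CI.yml + src/app.py)
#   commit 2: touches only src/app.py
#   commit 3: edits .github/workflows/CI.yml (adds a Python version)
make_sample_repo() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    git init -q
    git config user.email demo@example.invalid
    git config user.name demo
    mkdir -p .github/workflows src
    printf 'python: [3.10]\n' > .github/workflows/CI.yml
    printf 'print(1)\n' > src/app.py
    git add . && git commit -qm base
    printf 'print(2)\n' > src/app.py
    git commit -qam "src only"
    printf 'python: [3.9, 3.10]\n' > .github/workflows/CI.yml
    git commit -qam "add 3.9 to matrix"
  ) >/dev/null
  echo "$dir"
}

# Stand-alone usage: the first gate passes (no workflow change between
# commits 1 and 2); the second fails because commit 3 edited CI.yml.
if [ "${0##*/}" != "sh" ] && [ "${RUN_DEMO:-1}" = "1" ]; then
  repo=$(make_sample_repo)
  cd "$repo"
  gate_workflow_changes HEAD~2 HEAD~1 && echo "src-only range: ok"
  gate_workflow_changes HEAD~2 HEAD || echo "workflow range: blocked"
fi
```

In a real pipeline the two refs would be the pull request's base and head commits, and the gate would run as a required status check so that a failed result blocks merging until a maintainer has looked at the workflow diff.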
