fix: move permissions to workflow level for OIDC token access

thomhurst · claude · thomhurst · commit d76ab2761744 · 2025-12-27T16:22:47.000Z
Move the `permissions:` block from the job level to the workflow level to ensure the OIDC token is available for the claude-code-action. Job-level permissions may not properly propagate the ACTIONS_ID_TOKEN_REQUEST_URL environment variable needed for id-token: write to function correctly. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -10,6 +10,12 @@ on:
     #   - "src/**/*.js"
     #   - "src/**/*.jsx"
 
+permissions:
+  contents: read
+  pull-requests: read
+  issues: read
+  id-token: write
+
 jobs:
   claude-review:
     # Optional: Filter by PR author
@@ -19,11 +25,6 @@ jobs:
     #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
 
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
 
     steps:
       - name: Checkout repository
