From 2f0f9d3c7ea00c5b354abfa2d7529b527c0c5983 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 17 Jun 2026 19:09:41 +0000
Subject: [PATCH] claude.yml: grant actions:write so @claude can dispatch code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The post-Claude steps call `gh workflow run claude-code-review.yml` to fire the dedicated reviewer via workflow_dispatch, but the job granted only `actions: read`. The workflow_dispatch REST endpoint (POST /actions/workflows/{id}/dispatches) requires `actions: write` for GITHUB_TOKEN, so every dispatch returned HTTP 403: Resource not accessible by integration and was swallowed by the `|| echo "::warning::"` fallback — the code-review never auto-ran.

Directly observed on PR #900 run 27598978484 (the @claude-review dispatch 403'd silently); no dispatched claude-code-review.yml run has succeeded from claude.yml as a result.

Bump `actions: read` -> `actions: write` (a superset, so Claude's CI-result reads still work) and correct the now-inaccurate dispatch comment to note the write requirement.

Workflow/infra-only change, kept in its own PR per CLAUDE.md.
---
 .github/workflows/claude.yml | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 6235ad123..0e99226f7 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -57,7 +57,17 @@ jobs: pull-requests: write issues: write id-token: write - actions: read # Required for Claude to read CI results on PRs + # `write` (not `read`) is required: besides letting Claude read CI + # results on PRs, the post-Claude steps below call `gh workflow run + # claude-code-review.yml` (the workflow_dispatch REST endpoint + # `POST /actions/workflows/{id}/dispatches`), which GITHUB_TOKEN can + # only reach with `actions: write`. With `actions: read` every + # dispatch 403s ("Resource not accessible by integration") and is + # swallowed by the `|| echo "::warning::"` fallback, so the + # code-review never auto-runs (observed on PR #900, run + # 27598978484: the @claude-review dispatch 403'd silently). `write` + # is a superset of `read`, so CI reads still work. + actions: write # Expose the ucdavis/epi202 and ucdavis/epi204 fine-grained PATs to # every step in this job, including the Claude action's subprocess. # See .github/copilot-instructions.md ("Accessing the private 
@@ -847,11 +857,13 @@ jobs: gh api -X POST \ "repos/${{ github.repository }}/pulls/$PR_NUMBER/requested_reviewers" \ -f "reviewers[]=d-morrison" || true - # Fire claude-code-review.yml via workflow_dispatch. The default - # GITHUB_TOKEN is permitted to trigger workflow_dispatch (unlike - # push, which is blocked to avoid recursion), and the review - # workflow's own `concurrency` group will cancel any in-flight - # review for this PR so the freshest diff wins. + # Fire claude-code-review.yml via workflow_dispatch. GITHUB_TOKEN + # may trigger workflow_dispatch (unlike push, which is blocked to + # avoid recursion) — but ONLY with `actions: write` in this job's + # `permissions:` (see the note there); with `actions: read` the + # dispatch 403s silently. The review workflow's own `concurrency` + # group then cancels any in-flight review for this PR so the + # freshest diff wins. gh workflow run claude-code-review.yml -f pr_number="$PR_NUMBER" || \ echo "::warning::Could not dispatch claude-code-review.yml; review will not auto-run." else
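Review bot: In the first hunk (the `permissions:` block around line 57), `actions: write` is granted to the whole job, not just to the dispatch step, and the same job already holds `pull-requests: write`, `issues: write` and `id-token: write` and, per the comment right below the change, exposes its environment to the Claude action's subprocess. That token can now dispatch any workflow_dispatch-enabled workflow in the repository and cancel or re-run workflow runs, not only `claude-code-review.yml`. Consider moving the `gh workflow run` call into a separate job that is the only one with `actions: write` (passing `PR_NUMBER` through a job output), so the step that runs model-driven commands keeps `actions: read`; if the broader scope is accepted deliberately, say so in one line rather than in the eleven-line comment, which repeats the commit message and will not be maintained next to a YAML key.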
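Review bot: In the second hunk (around line 857), the root cause named in the commit message, that the 403 was swallowed by `|| echo "::warning::..."`, is left in place: the retained line `gh workflow run claude-code-review.yml -f pr_number="$PR_NUMBER" || \` still discards the command's stderr, so the next permissions or token regression will again go unnoticed. Capture the error text into the annotation, e.g. `if ! out=$(gh workflow run claude-code-review.yml -f pr_number="$PR_NUMBER" 2>&1); then echo "::warning::Could not dispatch claude-code-review.yml: $out"; fi`, or fail the step outright, since a review that silently never runs is worse than a visible red step. The rewritten comment is otherwise accurate about GITHUB_TOKEN being allowed to trigger workflow_dispatch but not push.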