d-morrison · d-morrison · Jun 17, 2026 · Jun 17, 2026
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -57,7 +57,17 @@ jobs:
       pull-requests: write
       issues: write
       id-token: write
-      actions: read # Required for Claude to read CI results on PRs
+      # `write` (not `read`) is required: besides letting Claude read CI
+      # results on PRs, the post-Claude steps below call `gh workflow run
+      # claude-code-review.yml` (the workflow_dispatch REST endpoint
+      # `POST /actions/workflows/{id}/dispatches`), which GITHUB_TOKEN can
+      # only reach with `actions: write`. With `actions: read` every
+      # dispatch 403s ("Resource not accessible by integration") and is
+      # swallowed by the `|| echo "::warning::"` fallback, so the
+      # code-review never auto-runs (observed on PR #900, run
+      # 27598978484: the @claude-review dispatch 403'd silently). `write`
+      # is a superset of `read`, so CI reads still work.
+      actions: write
     # Expose the ucdavis/epi202 and ucdavis/epi204 fine-grained PATs to
     # every step in this job, including the Claude action's subprocess.
     # See .github/copilot-instructions.md ("Accessing the private
@@ -847,11 +857,13 @@ jobs:
             gh api -X POST \
               "repos/${{ github.repository }}/pulls/$PR_NUMBER/requested_reviewers" \
               -f "reviewers[]=d-morrison" || true
-            # Fire claude-code-review.yml via workflow_dispatch. The default
-            # GITHUB_TOKEN is permitted to trigger workflow_dispatch (unlike
-            # push, which is blocked to avoid recursion), and the review
-            # workflow's own `concurrency` group will cancel any in-flight
-            # review for this PR so the freshest diff wins.
+            # Fire claude-code-review.yml via workflow_dispatch. GITHUB_TOKEN
+            # may trigger workflow_dispatch (unlike push, which is blocked to
+            # avoid recursion) — but ONLY with `actions: write` in this job's
+            # `permissions:` (see the note there); with `actions: read` the
+            # dispatch 403s silently. The review workflow's own `concurrency`
+            # group then cancels any in-flight review for this PR so the
+            # freshest diff wins.
             gh workflow run claude-code-review.yml -f pr_number="$PR_NUMBER" || \
               echo "::warning::Could not dispatch claude-code-review.yml; review will not auto-run."
           else