Grant actions: read so Claude can check CI status #15

Merged: jonathangreen merged 1 commit into main from add-actions-read-permission on Jun 11, 2026

@jonathangreen

Member

Description

Add actions: read to the review job's permissions block in the reusable Claude PR review workflow.

Motivation and Context

When the review runs, claude-code-action logs this warning and disables CI status visibility:

Warning: The github_ci MCP server requires 'actions: read' permission. Skipping CI server installation. To enable CI status checks, add 'actions: read' to your workflow permissions.

The github_ci MCP server lets Claude read the PR's workflow run / check status. Without actions: read it's skipped, so the review can't take CI results into account. Granting the read-only permission enables it.

How Has This Been Tested?

Not yet run in CI. This is a minimal, read-only permission addition; the next review run on a same-repo PR should no longer emit the warning and should have CI status available.

Checklist

  • I have updated the documentation accordingly.
  • All new and existing tests passed.

The github_ci MCP server the review uses needs 'actions: read' to read
workflow run status; without it the action logs a warning and skips CI
status checks. Add the permission so Claude can see CI results.
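
An added example, not code from this repository or from claude-code-action: a log check that surfaces the silent skip described above and reports which scope the job's permissions block would need. The regex generalising the quoted warning to other servers and scopes, the sample log's non-warning lines, and the `BEFORE`/`AFTER` permission mappings are assumptions.

```python
import re

# Warning text as quoted in the PR description. The capture groups generalise it
# to other servers and scopes, which is an assumption about the message format.
WARNING_RE = re.compile(
    r"Warning: The (?P<server>\S+) MCP server requires "
    r"'(?P<scope>[a-z-]+): (?P<level>read|write)' permission\. Skipping"
)
LEVELS = {"none": 0, "read": 1, "write": 2}


def skipped_servers(log_text):
    """Return [(server, scope, level)] for every 'Skipping' warning in a job log."""
    return [(m["server"], m["scope"], m["level"]) for m in WARNING_RE.finditer(log_text)]


def missing_grants(log_text, job_permissions):
    """Map scope -> level that the job's permissions block must add or raise.

    job_permissions is the job's `permissions:` mapping. Once that block is
    present, GitHub treats every scope it omits as 'none'.
    """
    needed = {}
    for _server, scope, level in skipped_servers(log_text):
        granted = job_permissions.get(scope, "none")
        if LEVELS[granted] < LEVELS[level]:
            needed[scope] = level
    return needed


# Constructed log excerpt: only the Warning line is taken from the page.
SAMPLE_LOG = """\
Starting review job (constructed line)
Warning: The github_ci MCP server requires 'actions: read' permission. Skipping CI server installation. To enable CI status checks, add 'actions: read' to your workflow permissions.
Review started (constructed line)
"""

# Hypothetical permissions blocks before and after the change.
# The scopes other than `actions` are assumptions, not taken from the page.
BEFORE = {"contents": "read", "pull-requests": "write"}
AFTER = {**BEFORE, "actions": "read"}

if __name__ == "__main__":
    print(skipped_servers(SAMPLE_LOG))
    print(missing_grants(SAMPLE_LOG, BEFORE))
    print(missing_grants(SAMPLE_LOG, AFTER))
```

An empty result from `missing_grants` on a log that still contains the warning means the workflow file already declares the scope, so the log is stale or the token was restricted somewhere other than this permissions block.
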
@claude

claude Bot commented Jun 11, 2026

Claude finished @jonathangreen's task in 2m 48s


Code Review

  • Gather context (reusable workflow, README, self-caller)
  • Verify actions: read enables the github_ci MCP server
  • Check whether --allowedTools also needs the CI tools
  • Assess permissions impact on consumers

Summary

The one-line addition of actions: read is correct, minimal, and follows least-privilege — it's exactly the read-only scope the github_ci MCP server requires to inspect workflow runs and check status. I also confirmed it's sufficient on its own: the action auto-allows its own MCP server tools, so the mcp__github_ci__* tools become usable without being added to the --allowedTools list. I verified this empirically — this review run uses the local claude-review.yml (via claude-review-self.yml) with this change applied, and the github_ci tools are available to me here despite not appearing in --allowedTools. There's also no new failure mode for consumers: if a caller's token scope doesn't include actions: read (e.g. an explicitly restricted caller), the server is simply skipped as it is today — nothing breaks. No actionable findings.

@jonathangreen jonathangreen merged commit 965b44e into main Jun 11, 2026
4 checks passed
@jonathangreen jonathangreen deleted the add-actions-read-permission branch June 11, 2026 13:46