From f57deff0925a699f461c797f0100c1f469cc35c8 Mon Sep 17 00:00:00 2001 From: Christopher Jon Pitzi Date: Sat, 25 Apr 2026 01:34:44 -0400 Subject: [PATCH] Grant required permissions on reusable workflow callers The shared `claude-responder` and `claude-review` reusable workflows declare job-level permissions (contents: write, etc.) but reusable workflows can only inherit caller permissions, never elevate. Without explicit `permissions:` on the calling jobs, GitHub Actions rejects the workflow with "is requesting X but is only allowed Y" startup errors and refuses to start any job. Add the required permissions blocks to the responder and review caller jobs to match what the reusable workflows declare. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/claude-code-review.yml | 5 +++++ .github/workflows/claude.yml | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 9b97bb7..0d1c418 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -18,6 +18,11 @@ on: jobs: claude-review: + permissions: + contents: read + pull-requests: write + issues: write + id-token: write uses: PitziLabs/shared-workflows/.github/workflows/claude-review.yml@main secrets: inherit with: diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index f7cfac7..3e9524c 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -20,6 +20,12 @@ on: jobs: claude: + permissions: + contents: write + pull-requests: write + issues: write + id-token: write + actions: read uses: PitziLabs/shared-workflows/.github/workflows/claude-responder.yml@main secrets: inherit with:
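Review bot: in the claude-code-review.yml hunk, the new `pull-requests: write`, `issues: write` and `id-token: write` grants are attached to `uses: PitziLabs/shared-workflows/.github/workflows/claude-review.yml@main` with `secrets: inherit`, so any commit to the main branch of shared-workflows immediately runs in this repo with those permissions, all inherited secrets, and the ability to mint OIDC tokens in this repo's name. Pin the reusable workflow to a full commit SHA (`claude-review.yml@<sha>`, with a `# vX.Y.Z` comment) and bump it deliberately rather than tracking a floating branch. Separately, keep `id-token: write` only if claude-review actually performs an OIDC token exchange; a workflow that only posts review comments does not need it, and the commit message's "match what the reusable workflows declare" does not by itself show that each declared permission is used.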
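Review bot: in the claude.yml hunk, `contents: write` together with `id-token: write` and `secrets: inherit` on the `claude` job is the broadest grant in the patch, and it is again resolved from the mutable `claude-responder.yml@main`, so whoever can push to that branch can push to this repository's branches. Pin to a commit SHA here too. Also, `actions: read` appears only in this job and not in the review job; if the responder needs it (for example to read workflow runs or logs), add a one-line YAML comment above the `permissions:` block stating which callee permission each entry satisfies, so the asymmetry with claude-code-review.yml is visibly intentional and the next change to the reusable workflow's `permissions` does not silently reintroduce the "is requesting X but is only allowed Y" startup failure described in the commit message.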