From 4d734958aedba6127a15a929e6fa5b8f9ad91706 Mon Sep 17 00:00:00 2001
From: Ian Clarke
Date: Sat, 1 Nov 2025 22:30:14 +0100
Subject: [PATCH] ci: expand Claude GitHub Action permissions for git operations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Upgrade Claude's workflow permissions from read-only to write access:
- contents: write - enables git rebase, push, and branch management
- pull-requests: write - allows PR updates, reviews, and merging
- issues: write - enables commenting and label management
- checks: read - allows reading CI check results
Also update checkout to fetch full git history (fetch-depth: 0) required for rebase operations. This allows Claude to perform common development tasks like rebasing PRs, pushing commits, and managing PR/issue metadata directly from the GitHub Action workflow.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .github/workflows/claude.yml | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 2c14d1b73..3ca9970c9 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -19,16 +19,18 @@ jobs:
 (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
 runs-on: ubuntu-latest
 permissions:
- contents: read
- pull-requests: read
- issues: read
- id-token: write
- actions: read # Required for Claude to read CI results on PRs
+ contents: write # Allows pushing commits, rebasing, creating branches
+ pull-requests: write # Allows updating PRs, requesting reviews, merging
+ issues: write # Allows commenting on issues, updating labels
+ id-token: write # Required for GitHub App authentication
+ actions: read # Required for Claude to read CI results on PRs
+ checks: read # Allows reading check run status
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
 with:
- fetch-depth: 1
+ fetch-depth: 0 # Full history needed for git operations like rebase
+ token: ${{ secrets.GITHUB_TOKEN }} # Use workflow token for git operations
 - name: Run Claude Code
 id: claude
@@ -46,5 +48,17 @@ jobs:
 # Optional: Add claude_args to customize behavior and configuration
 # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
 # or https://docs.claude.com/en/docs/claude-code/sdk#command-line for available options
- # claude_args: '--model claude-opus-4-1-20250805 --allowed-tools Bash(gh pr:*)'
+ #
+ # Examples:
+ # Use Opus for complex tasks:
+ # claude_args: '--model claude-opus-4-1-20250805'
+ #
+ # Allow specific git/gh operations:
+ # claude_args: '--allowed-tools Bash(git rebase:*) Bash(git push:*) Bash(gh pr:*)'
+ #
+ # Note: With the permissions above, Claude can now:
+ # - Rebase branches (git rebase)
+ # - Push commits (git push, git push --force-with-lease)
+ # - Update PRs (gh pr edit, gh pr review, gh pr merge)
+ # - Comment on issues and PRs (gh issue comment, gh pr comment)
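Review bot: The `permissions:` block now gives this job `contents: write` and `pull-requests: write`, while the visible tail of its `if:` still fires for any issue whose title or body contains `@claude`, so text written by whoever opens an issue reaches an agent holding a push- and merge-capable token. The condition starts above the hunk, so confirm whether an author check already exists there or is enforced by the action itself; if not, add one such as `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)`, with the matching `github.event.comment.author_association` if the workflow also has comment triggers. Branch protection on the default branch should be treated as the real limit on what this token can push or merge. In the checkout step, `token: ${{ secrets.GITHUB_TOKEN }}` is already the default for `actions/checkout`, and the action leaves that token in the local git config, so every later step in the job inherits push access; a short comment stating that this is intentional would help the next reader.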
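Review bot: The added `# Note: With the permissions above, Claude can now:` comment reads as if the listed commands are enabled, but both `claude_args` examples stay commented out, so which of `git push`, `gh pr merge` and the rest the agent may actually run is presumably decided by the action's default tool policy rather than by anything in this file. I would reword it so the two layers are distinct, e.g. `# Note: the token permissions above permit the following; --allowed-tools decides which of them the agent may run:`. The example pattern `Bash(git push:*)` also covers forced pushes and pushes to any ref, so the example would be safer if it showed the narrowest form the workflow needs. The `with:` block these comments sit in starts outside the hunk.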