fix(ci): Add OIDC permission and unrestrict Bash for CI failure analysis

kgpai · kgpai · commit fd5054597577 · 2026-04-07T14:55:53.000-07:00
- Add `id-token: write` permission required by claude-code-action for
  OIDC authentication (matches working claude.yml configuration).
- Change `Bash(gh:*)` to `Bash` so Claude can use grep/head/tail to
  filter large CI logs during failure analysis. Safe because the
  workflow runs in an ephemeral container with only scoped github.token.
diff --git a/.github/workflows/ci-failure-comment.yml b/.github/workflows/ci-failure-comment.yml
@@ -43,6 +43,7 @@ permissions:
   pull-requests: write
   issues: write
   actions: read
+  id-token: write
 
 jobs:
   analyze-and-comment:
@@ -161,7 +162,7 @@ jobs:
         uses: izaitsevfb/claude-code-action@ececd56fb999d06b4dd2477437bc408938295d76 # forked-pr-fix
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          claude_args: --model claude-sonnet-4-6 --allowedTools "Bash(gh:*)" Read Grep Glob
+          claude_args: --model claude-sonnet-4-6 --allowedTools Bash Read Grep Glob
           prompt: ${{ steps.prompt.outputs.value }}
         env:
           GH_TOKEN: ${{ github.token }}
