From 9e15270b237184c72ea537e857903e79e344cdbf Mon Sep 17 00:00:00 2001
From: Brian Love <brian@liveloveapp.com>
Date: Thu, 18 Jun 2026 19:44:05 -0700
Subject: [PATCH] fix(ci): add id-token: write so claude-review can mint its
 GitHub token

claude-code-action@v1 fetches an OIDC token to mint its GitHub token for
posting review comments; without id-token: write it failed with
'Could not fetch an OIDC token'. Surfaced by the first live PR (#699):
auto-approve worked, but the genuine review never posted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/claude-review.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index 295ed579..4f7de729 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -19,6 +19,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      id-token: write # claude-code-action mints its GitHub token via OIDC
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2