
ci: fix claude action severity labeling#10548

Closed
Roasbeef wants to merge 1 commit into lightningnetwork:master from Roasbeef:fix-claude-again

Conversation

@Roasbeef
Member

@Roasbeef Roasbeef commented Feb 3, 2026

The Claude Code GitHub Action was failing to add severity labels to PRs. The root cause was a permission denial at two levels: Claude was using gh api to hit the issues labels endpoint, but the action's default allowed tools only permit gh pr view, gh pr edit, and gh pr comment. So the tool call was rejected before it ever reached GitHub.

Even if the tool call had gone through, it would have failed anyway. The workflow's GitHub token permissions were set to read-only for both issues and pull-requests, meaning any write operation against the labels API would return a 403.

This change bumps the issues and pull-requests permissions to write so the token can actually modify labels. It also adds a prompt instruction telling Claude to use gh pr edit --add-label for labeling instead of gh api, which keeps the allowed tools as restricted as possible without needing to open up arbitrary API access.

The failed run that surfaced this: https://github.com/lightningnetwork/lnd/actions/runs/21614145381/job/62289184152. You can see in the output that the gh api call shows up in the permission_denials array, confirming the tool was blocked by Claude Code's own sandboxing before the GitHub API was ever contacted.

The claude-code-action's default allowed tools only include gh pr
view/edit/comment, but Claude was choosing gh api to add labels, which
gets denied. Additionally, the GitHub token permissions were read-only
for issues and pull-requests, so even if the tool call succeeded the
API request would fail with a 403.

Grant write permissions for issues and pull-requests, and add a prompt
instruction that tells Claude to use gh pr edit --add-label instead of
gh api for label operations.
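The two permission layers the description identifies (the action's tool allowlist and the workflow token's scopes) can be read off a workflow file. The fragment below is an added illustration, not lnd's actual `.github/workflows/claude.yml` or the project's own change: the workflow name, the `anthropics/claude-code-action@v1` pin, its `prompt` and `anthropic_api_key` inputs, and the `severity-<level>` label name are assumptions. The commented block shows the read-only token that produces a 403 on any label write; the live block shows the narrowest grant that lets `gh pr edit --add-label` succeed.

```yaml
# Added example (not the project's workflow). Names and action inputs are assumed.
#
# BEFORE: read-only token. Every label write, whether issued through
# `gh pr edit --add-label` or `gh api .../labels`, is answered with HTTP 403.
# permissions:
#   contents: read
#   issues: read
#   pull-requests: read

name: claude-severity-labels   # hypothetical workflow name

on:
  pull_request:
    types: [opened, synchronize]

# AFTER: least-privilege grant for label writes. Labels are served by the
# issues API, so `issues: write` is required alongside `pull-requests: write`;
# the repository contents stay read-only because nothing here needs to push.
# Caveat: on `pull_request` runs triggered from a fork, GitHub caps GITHUB_TOKEN
# at read access regardless of this block.
permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1          # version pin is assumed
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}   # input name assumed
          # The action's default tool allowlist covers only gh pr view/edit/comment
          # (per the PR description). Steering the prompt toward `gh pr edit`
          # keeps that allowlist intact instead of opening up arbitrary `gh api`
          # access; a call to `gh api` would still be refused by the tool sandbox.
          prompt: |
            Assess this pull request's severity. Record the result with
            `gh pr edit <pr-number> --add-label severity-<level>`.
            Do not use `gh api` for label operations.
```

The checkable property is that the token scopes match what the allowed tool actually needs: `gh pr edit --add-label` writes through the issues labels endpoint, so a workflow that grants `pull-requests: write` but leaves `issues: read` still fails with 403, which is the same symptom the failed run above showed.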
@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@Roasbeef
Member Author

Roasbeef commented Feb 3, 2026

Closing - the pr-severity.yml workflow already handles this correctly. The permission denial was benign (Claude retried with the allowed tool).

@Roasbeef Roasbeef closed this Feb 3, 2026
@lightninglabs-deploy
Collaborator

🟢 PR Severity: LOW

CI/CD config change | 1 file | 13 lines changed

🟢 Low (1 file)
  • .github/workflows/claude.yml - CI/CD workflow configuration update

Analysis

This PR modifies only the Claude GitHub Actions workflow configuration (.github/workflows/claude.yml). Changes to CI/CD configuration files fall under the LOW severity category as they:

  • Do not affect runtime code or protocol behavior
  • Are limited to GitHub Actions automation
  • Can be reviewed and validated through CI test runs
  • Have minimal risk to production systems

The change appears to fix the severity labeling logic in the Claude action itself, which is a meta-improvement to the CI process.


To override, add a severity-override-{critical,high,medium,low} label.
