Claude Code Action incompatible with Dependabot PRs - actor permission check fails

Describe the bug
Claude Code Action fails on Dependabot PRs because it checks actor permissions instead of token permissions.

To Reproduce

  1. Configure Claude Code Action on a repository with Dependabot
  2. Provide a valid github_token with write permissions (PAT or GitHub App token)
  3. When Dependabot creates a PR, the action fails with:
Using provided GITHUB_TOKEN for authentication
Checking permissions for actor: dependabot[bot]
Permission level retrieved: none
Error: Actor does not have write permissions to the repository

Expected behavior
The action should use the provided token's permissions, not check if dependabot[bot] is a collaborator.

Screenshots
N/A - Error logs provided in reproduction steps.

Workflow yml file

name: Claude Code Review
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  claude-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.CLAUDE_GITHUB_APP_ID }}
          private-key: ${{ secrets.CLAUDE_GITHUB_PRIVATE_KEY }}

      - uses: anthropics/claude-code-action@beta
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          github_token: ${{ steps.app-token.outputs.token }}

API Provider

Additional context

Code analysis shows the issue in src/entrypoints/prepare.ts:

// Step 3: Check write permissions (only for entity contexts)
if (isEntityContext(context)) {
  const hasWritePermissions = await checkWritePermissions(octokit.rest, context);
  if (!hasWritePermissions) {
    throw new Error('Actor does not have write permissions to the repository');
  }
}

The checkWritePermissions() function in src/github/validation/permissions.ts uses:

const response = await octokit.repos.getCollaboratorPermissionLevel({
  owner: repository.owner,
  repo: repository.repo,
  username: actor,
});

This checks if the actor (dependabot[bot]) is a collaborator, which it never is. The action validates actor collaborator status instead of the provided token's permissions.

Suggested fix: When github_token is explicitly provided, skip the actor permission check or validate the token's actual permissions instead.
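One way the suggested fix could look, as an added example rather than code from the claude-code-action project: when a `github_token` was explicitly supplied, the check asks the API what that token itself may do on the repository (the `permissions` object returned by GET /repos/{owner}/{repo}, via Octokit's `repos.get`; its presence for App installation tokens is assumed here) and only falls back to the actor-based `getCollaboratorPermissionLevel` lookup when no token was provided. The Octokit client is replaced by a constructed stub so the example runs offline; `fakeOctokit`, `demo`, the `githubTokenProvided` option and the `example-org/example-repo` names are all constructed for this illustration.

```javascript
// Added example (not the action's own code): validate the supplied token's
// access instead of the triggering actor's collaborator status.

// Pure decision over the `permissions` object that GET /repos/{owner}/{repo}
// returns for the authenticated identity. Fields may be absent, so default
// to "no access" rather than "access".
function hasWriteAccess(tokenPermissions) {
  if (!tokenPermissions) return false;
  return Boolean(tokenPermissions.admin || tokenPermissions.maintain || tokenPermissions.push);
}

// getCollaboratorPermissionLevel reports `permission` as one of
// admin / write / read / none; only the first two imply write access.
const WRITE_LEVELS = new Set(['admin', 'write']);

function levelGrantsWrite(level) {
  return WRITE_LEVELS.has(level);
}

// Orchestrator: with an explicitly provided github_token, authority comes from
// the token, so check the token. Otherwise keep the actor-based check, which
// is what denies dependabot[bot] today.
async function checkWritePermissions(octokit, context, { githubTokenProvided }) {
  const { owner, repo } = context.repository;
  if (githubTokenProvided) {
    const { data } = await octokit.repos.get({ owner, repo });
    return hasWriteAccess(data.permissions);
  }
  const { data } = await octokit.repos.getCollaboratorPermissionLevel({
    owner,
    repo,
    username: context.actor,
  });
  return levelGrantsWrite(data.permission);
}

// Constructed stand-in for an Octokit client so the example runs offline.
// It models the scenario in the issue: the actor is dependabot[bot]
// (collaborator level "none") while the supplied App token has push access.
function fakeOctokit({ tokenCanPush, actorLevel }) {
  return {
    repos: {
      get: async () => ({
        data: { permissions: { admin: false, maintain: false, push: tokenCanPush, pull: true } },
      }),
      getCollaboratorPermissionLevel: async () => ({ data: { permission: actorLevel } }),
    },
  };
}

// Constructed context; owner/repo names are placeholders.
const dependabotContext = {
  actor: 'dependabot[bot]',
  repository: { owner: 'example-org', repo: 'example-repo' },
};

// Runs both paths against the same repository state.
async function demo() {
  const octokit = fakeOctokit({ tokenCanPush: true, actorLevel: 'none' });
  const withToken = await checkWritePermissions(octokit, dependabotContext, { githubTokenProvided: true });
  const withoutToken = await checkWritePermissions(octokit, dependabotContext, { githubTokenProvided: false });
  return { withToken, withoutToken }; // { withToken: true, withoutToken: false }
}

demo().then((result) => console.log(JSON.stringify(result)));
```

Checking the token rather than the actor does not loosen the gate: a read-only token (`push: false`) still fails `hasWriteAccess`, so a workflow that hands the action a narrowly scoped token is denied exactly as before, while a Dependabot-opened PR passes only because the repository owner chose to issue a token with write access.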