summaryrefslogtreecommitdiff
path: root/.github/workflows
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-11 11:13:24 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-05-11 11:13:24 +0300
commitc4aaf3269c21f478a556d397599651dd099ad6db (patch)
tree8e78f65189f502b8f77a807d4277ddfe0a0d28a0 /.github/workflows
parentc6f085d52fd44122e1f412b6d75ba9ad62a38dc9 (diff)
downloadvyos-documentation-c4aaf3269c21f478a556d397599651dd099ad6db.tar.gz
vyos-documentation-c4aaf3269c21f478a556d397599651dd099ad6db.zip
ci(ai-validation): restore id-token: write (claude-code-action@v1 uses OIDC)
Revert of the id-token drop from #1969. Smoke verify on PR #1977 (empty-commit retrigger run 25658256103) failed at the Pass 2 step: Action failed with error: Could not fetch an OIDC token. Did you remember to add `id-token: write` to your workflow permissions? The earlier Copilot finding that motivated dropping the permission ("no step uses OIDC") was incomplete. No shell step in the workflow invokes OIDC directly, but anthropics/claude-code-action@v1 itself calls actions/core's `getIDToken()` internally — likely for the Claude/Anthropic auth federation path. The required scope is the third-party action's, not the workflow body's. Adding id-token: write back with an inline comment block citing the specific failure mode + the run ID where it was reproduced so this isn't re-dropped on a future review pass. Mirrored byte-identically across rolling/circinus/sagitta + canonical.
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/ai-validation.yml11
1 files changed, 11 insertions, 0 deletions
diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml
index b21d2320..600e4e8b 100644
--- a/.github/workflows/ai-validation.yml
+++ b/.github/workflows/ai-validation.yml
@@ -204,6 +204,17 @@ jobs:
# permissions split issue and PR scopes.
pull-requests: write
issues: write
+ # id-token: write is required by anthropics/claude-code-action@v1.
+ # The action calls actions/core's getIDToken() internally to mint
+ # an OIDC token used for the Claude/Anthropic auth federation
+ # path; without this scope it fails with
+ # `Could not fetch an OIDC token. Did you remember to add
+ # id-token: write to your workflow permissions?`
+ # An earlier Copilot finding suggested dropping this permission as
+ # "unused" — that was wrong: no shell step in this workflow
+ # invokes OIDC directly, but the third-party action does. Verified
+ # by run 25658256103 on PR #1977.
+ id-token: write
steps:
# Pass secrets via env: rather than inlining ${{ secrets.X }} into the
# shell script. GitHub Actions template-expands ${{ ... }} BEFORE bash