diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-11 11:13:28 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-11 11:13:28 +0300 |
| commit | eff4a2e4698a80f4f1f0f3e8b83996dab1dab63d (patch) | |
| tree | 7b4d1bf4fd7b17abb40bd37e024a642e62acecf4 /docs | |
| parent | 07275e060e2ec2acf2bee3d1e3c2fb4bdd976826 (diff) | |
| download | vyos-documentation-eff4a2e4698a80f4f1f0f3e8b83996dab1dab63d.tar.gz vyos-documentation-eff4a2e4698a80f4f1f0f3e8b83996dab1dab63d.zip | |
ci(ai-validation): restore id-token: write (claude-code-action@v1 uses OIDC)
Revert of the id-token drop from #1969. Smoke verify on PR #1977
(empty-commit retrigger run 25658256103) failed at the Pass 2 step:
Action failed with error: Could not fetch an OIDC token. Did you
remember to add `id-token: write` to your workflow permissions?
The earlier Copilot finding that motivated dropping the permission
("no step uses OIDC") was incomplete. No shell step in the workflow
invokes OIDC directly, but anthropics/claude-code-action@v1 itself
calls actions/core's `getIDToken()` internally — likely for the
Claude/Anthropic auth federation path. The required scope is the
third-party action's, not the workflow body's.
Adding id-token: write back with an inline comment block citing the
specific failure mode + the run ID where it was reproduced so this
isn't re-dropped on a future review pass.
Mirrored byte-identically across rolling/circinus/sagitta + canonical.
Diffstat (limited to 'docs')
0 files changed, 0 insertions, 0 deletions
