
fix: pass GH_PAT_WORKFLOWS to actions/checkout so git push uses workflow-scoped token #82

Merged
don-petry merged 1 commit into main from fix/claude-action-checkout-token
Apr 7, 2026

Conversation

@don-petry

@don-petry don-petry commented Apr 7, 2026

Problem

Claude Code action was unable to push commits touching .github/workflows/* even after GH_PAT_WORKFLOWS was configured as an org-level secret. Every Claude run on a workflow-touching issue ended with:

refusing to allow a GitHub App to create or update workflow <path> without workflows permission

This blocked ~20 of 27 open compliance issues across the org (every Compliance: missing-*.yml and unpinned-actions-*.yml ticket).

Root cause

actions/checkout was running without an explicit token: input, so it stored the default GITHUB_TOKEN in the local .git/config as the credential for subsequent git push commands. The PAT was passed to claude-code-action as github_token, but the action's git push reuses the local git credentials checkout set up — so pushes still went out under the default token, which has the workflow-file write embargo.

Confirmed empirically:

  • All "successful" Claude commits (~9 across 5 repos in the last 17h) were authored by github-actions[bot], not the PAT user — proving the PAT was never reaching git push.
  • Identical workflow-permission errors persisted after the PAT was rotated to a classic workflow-scoped token.

Fix

Pass GH_PAT_WORKFLOWS to actions/checkout in both jobs (claude and claude-issue), with a fallback to github.token so the workflow keeps working if the secret is ever unset.

Test plan

  • After merge, re-toggle the claude label on petry-projects/google-app-scripts#122 (Compliance: missing-agent-shield.yml)
  • Verify Claude run completes with a real branch push and PR creation
  • Verify commit author on the new branch is the PAT user (not github-actions[bot])
  • Once confirmed, re-toggle the remaining ~19 workflow-touching compliance issues across the org

Summary by CodeRabbit

  • Chores
    • Enhanced workflow reliability with improved token handling fallback configuration.
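The root-cause analysis above rests on the credential that actions/checkout persists into the local .git/config, which a later git push silently reuses. The following shell check is an added example (not part of this PR, nor of actions/checkout) that reads that persisted header and reports whether a push from the checkout would go out under the job's default GITHUB_TOKEN or under another token; the config layout it parses is the one actions/checkout writes with persist-credentials at its default, and all token values are constructed.

```shell
# Added example, not code from the PR. Assumes a POSIX sh with base64(1) and a
# path to a checkout's .git/config. actions/checkout (persist-credentials: true,
# the default) stores the credential used by later `git push` as:
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic <base64("x-access-token:<token>")>

# Print the token persisted in a git config file; return 1 if none is present.
persisted_token() {
  hdr=$(grep -m1 'extraheader = AUTHORIZATION: basic ' "$1") || return 1
  b64=${hdr##*basic }
  printf '%s' "$b64" | base64 -d | sed 's/^x-access-token://'
}

# Say which credential a push from this checkout would use, without printing it:
# "none" (nothing persisted), "default" (equals the job's GITHUB_TOKEN passed as
# the second argument), or "custom" (some other token, e.g. a PAT).
classify_token() {
  tok=$(persisted_token "$1") || { echo none; return 0; }
  [ "$tok" = "$2" ] && echo default || echo custom
}

# Build a constructed .git/config shaped like actions/checkout's output, so the
# check can be exercised offline; prints the file path. The token is a label,
# not a real credential.
make_sample_config() {
  cfg=$(mktemp)
  b64=$(printf 'x-access-token:%s' "$1" | base64 | tr -d '\n')
  printf '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic %s\n' "$b64" > "$cfg"
  echo "$cfg"
}
```

In a real job, `classify_token .git/config "$GITHUB_TOKEN"` printing `default` after the checkout step is the condition that reproduces the "without workflows permission" failure described above.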

Copilot AI review requested due to automatic review settings April 7, 2026 17:17
@coderabbitai

coderabbitai bot commented Apr 7, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 17c1adb and 288824c.

📒 Files selected for processing (1)
  • .github/workflows/claude-code-reusable.yml

📝 Walkthrough

Modified the actions/checkout step configuration in a reusable GitHub Actions workflow to explicitly specify a token parameter. The token uses GH_PAT_WORKFLOWS secret when available, falling back to the default github.token if unavailable. No workflow logic or other functionality was altered.

Changes

Cohort / File(s): Workflow Configuration (.github/workflows/claude-code-reusable.yml)
Summary: Added an explicit token input to the actions/checkout steps in both the claude and claude-issue jobs, with a fallback mechanism to the default GitHub token when the GH_PAT_WORKFLOWS secret is not available.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks: 3 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: passing GH_PAT_WORKFLOWS to actions/checkout to enable workflow-scoped token usage for git push operations.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@sonarqubecloud

sonarqubecloud bot commented Apr 7, 2026


Copilot AI left a comment


Pull request overview

This PR updates the org’s reusable Claude Code GitHub Actions workflow to ensure git push operations use a workflow-scoped PAT when modifying .github/workflows/*, avoiding the default GITHUB_TOKEN workflow-file write restriction.

Changes:

  • Pass GH_PAT_WORKFLOWS (with fallback to github.token) to actions/checkout in both claude and claude-issue jobs.
  • Align checkout credentials with the intended token used for subsequent pushes performed by Claude tooling.


Comment on lines 70 to +74
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
token: ${{ secrets.GH_PAT_WORKFLOWS || github.token }}
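Review bot: the `|| github.token` fallback on the `token:` line keeps the job running when `GH_PAT_WORKFLOWS` is unset or not inherited by the caller, but it also means checkout silently reverts to the default token and the original symptom ("refusing to allow a GitHub App to create or update workflow ... without workflows permission") comes back with nothing in this step to point at the cause; consider a preceding step that warns or fails when the secret is empty so the regression is visible in the run log. A one-line comment here would also help future readers: because `persist-credentials` is left at its default, the PAT this line supplies is written into `.git/config` and stays readable by every later step in the job, which is exactly the behaviour the fix depends on.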

Copilot AI Apr 7, 2026


GH_PAT_WORKFLOWS is declared as optional (workflow_call.secrets.*.required: false) and this checkout token: input correctly falls back to github.token, but the subsequent anthropics/claude-code-action step in this job still sets github_token: ${{ secrets.GH_PAT_WORKFLOWS }} without a fallback. If the secret is unset/not inherited, the action will receive an empty token and may fail even though checkout succeeded; consider applying the same || github.token fallback (or omitting github_token when the secret is empty) to keep the workflow functional as described in the PR.

@don-petry don-petry merged commit ecca69f into main Apr 7, 2026
24 checks passed
@don-petry don-petry deleted the fix/claude-action-checkout-token branch April 7, 2026 17:22