code-review plugin silently fails to post PR comments when project settings restrict tool permissions

Resolved 💬 3 comments Opened Mar 9, 2026 by apunuj Closed Mar 13, 2026

Summary

The code-review@claude-code-plugins plugin runs successfully as a GitHub Actions check but does not post any PR review comments when the project's .claude/settings.json restricts tool permissions. There is no error or warning — the workflow completes with a green check, making it impossible to tell that the review output was lost.

Steps to Reproduce

  1. Set up claude-code-review.yml workflow with the code-review plugin as documented:

```yaml

  • uses: anthropics/claude-code-action@v1

with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
```

  1. Have a .claude/settings.json with a restrictive permissions.allow list (e.g., only Edit and Write on specific paths — no Bash, Read, Grep, or Glob):

``json
{
"permissions": {
"allow": [
"Edit(src/**)",
"Write(src/**)"
]
}
}
``

  1. Open a PR. The code review workflow runs, completes successfully, but posts zero comments.

Expected Behavior

Either:

  • The plugin documents its required tool permissions so users know what to add
  • The plugin declares/requests the permissions it needs automatically
  • The workflow surfaces a clear error when the plugin cannot post comments due to permission denials (e.g., a warning comment on the PR, or a failed check with a descriptive message)

Actual Behavior

  • Workflow completes with status success
  • No PR comments are posted
  • The only clue is "permission_denials_count": 17 in the workflow logs (from the JSON result output), which is easy to miss:

``json
{
"type": "result",
"subtype": "success",
"is_error": false,
"duration_ms": 580811,
"num_turns": 19,
"total_cost_usd": 2.08,
"permission_denials_count": 17
}
``

Workaround

Add a settings input to the workflow to grant the tools the plugin needs:

settings: |
  {
    "permissions": {
      "allow": [
        "Bash(gh:*)",
        "Bash(git diff:*)",
        "Bash(git log:*)",
        "Bash(git show:*)",
        "Read",
        "Glob",
        "Grep"
      ]
    }
  }

Impact

  • ~$2 per review run with no visible output
  • Users have no way to know something is wrong without digging into raw workflow logs
  • The @claude mention workflow (which posts comments via the action's own code, not through Claude's tools) works fine with the same project settings, making the discrepancy confusing

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗