[Bug] Claude Code GitHub Action setup missing required `id-token: [REDACTED] permission
Bug Description
Bug Report: Claude Code GitHub Action Setup Instructions Are Incomplete — Missing Required Permission
From: Jordan Dea-Mattson
GitHub: @jordan-of (OrdinaryFolk), @jordandm (personal)
Email: jordan-of@users.noreply.github.com
Related: #33059 (Improve product knowledge accuracy), our earlier feedback today on agents unable to advise on Claude Code features (Examples 1 & 2: /remote-control ignorance and UI fabrication)
Problem
When asked to set up the Claude Code GitHub Action (anthropics/claude-code-action@v1), the agent produced a workflow configuration that was missing a required permission: id-token: [REDACTED] The
action failed on first trigger with:
Failed to get OIDC token
Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
Attempt 1 failed: Could not fetch an OIDC token. Did you remember to add `id-token: [REDACTED] to your workflow permissions?
The error message from the action itself tells you exactly what's missing — which means the agent should have known this in the first place.
The Cost
Yet again, I end up Himalayan Wandering (the learning equivalent of Yak Shaving) for something that should have been a copy-paste from correct documentation: user asks their agent to set it up →
agent provides a confident, detailed, wrong configuration → user commits it, pushes it to origin/master, triggers it on a real PR → it fails → user has to debug GitHub Actions logs, identify the
missing permission, fix it, cherry-pick the fix, push again.
Total time from "set up the GitHub Action" to "it actually works": over an hour. Should have been 5 minutes.
What Went Wrong
- The agent's research subagent provided a workflow YAML with contents: write, pull-requests: write, and issues: write — but omitted id-token: [REDACTED]
- The agent presented this configuration with full confidence — no caveats, no "you should verify this against the docs"
- The configuration was committed, pushed to origin/master, and tested on a real PR before the error was discovered
- The error was only caught because the action's own error message told us exactly what was missing
This is the third example in an ongoing pattern we've reported today:
- Example 1: Agent didn't know /remote-control exists (a built-in slash command)
- Example 2: Research agent fabricated remote control UI details (green dot that doesn't exist)
- Example 3 (this): Agent provided an incomplete GitHub Action configuration missing a required permission
All three share the same root cause: the agent doesn't have accurate knowledge of Claude Code's own features, configurations, and requirements.
Expected Behavior
When asked to configure a Claude Code integration, the agent should either:
- Produce a complete, correct configuration by reading the action's actual documentation
- Or clearly state "I'm not certain about the exact permissions required — check the README at github.com/anthropics/claude-code-action"
Confidently providing a broken configuration is worse than saying "I don't know."
Environment Info
- Platform: darwin
- Terminal: iTerm.app
- Version: 2.1.81
- Feedback ID: 2f7c5e01-400e-4640-b59a-9ec31067abac
Errors
[{"error":"Error: NON-FATAL: Lock acquisition failed for /Users/jordan_of/.local/share/claude/versions/2.1.81 (expected in multi-process scenarios)\n at TET (/$bunfs/root/src/entrypoints/cli.js:2724:2174)\n at fgq (/$bunfs/root/src/entrypoints/cli.js:2724:1318)\n at processTicksAndRejections (native:7:39)","timestamp":"2026-03-21T14:41:04.884Z"},{"error":"Error: No content found in user prompt message\n at jp7 (/$bunfs/root/src/entrypoints/cli.js:2751:56)\n at SA (/$bunfs/root/src/entrypoints/cli.js:675:21000)\n at BH (/$bunfs/root/src/entrypoints/cli.js:675:39546)\n at G8 (/$bunfs/root/src/entrypoints/cli.js:675:50237)\n at Ce_ (/$bunfs/root/src/entrypoints/cli.js:675:86958)\n at P3_ (/$bunfs/root/src/entrypoints/cli.js:675:85915)\n at Py_ (/$bunfs/root/src/entrypoints/cli.js:675:85736)\n at jy_ (/$bunfs/root/src/entrypoints/cli.js:675:82094)\n at TT (/$bunfs/root/src/entrypoints/cli.js:675:6493)\n at h_ (/$bunfs/root/src/entrypoints/cli.js:675:4975)","timestamp":"2026-03-22T11:03:36.321Z"},{"error":"Error: No content found in user prompt message\n at jp7 (/$bunfs/root/src/entrypoints/cli.js:2751:56)\n at SA (/$bunfs/root/src/entrypoints/cli.js:675:21000)\n at BH (/$bunfs/root/src/entrypoints/cli.js:675:39546)\n at G8 (/$bunfs/root/src/entrypoints/cli.js:675:50237)\n at Ce_ (/$bunfs/root/src/entrypoints/cli.js:675:86958)\n at P3_ (/$bunfs/root/src/entrypoints/cli.js:675:85915)\n at Py_ (/$bunfs/root/src/entrypoints/cli.js:675:85736)\n at jy_ (/$bunfs/root/src/entrypoints/cli.js…
Note: Content was truncated.
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗