Cloud Routines' GitHub integration lacks issues:write permission — gh issue create fails while git push/reads succeed, no way to grant scope

Open 💬 0 comments Opened Jul 6, 2026 by blwfish

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet (closest related issues identified below — none cover this specific gap; see "Why this isn't a duplicate")
  • [x] This is a single bug report
  • [x] I am using the latest version of Claude Code

What's Wrong?

A Cloud Routine (freecad-mcp dependency audit handler, weekly, targeting my own public repo blwfish/freecad-mcp) runs a script that does git push and gh issue create against the repo. Git push/read operations work correctly, but every run's issue-creation step fails with:

GitHub issue creation failed (integration token lacks issues: write permission)

Claude itself detected and reported this failure clearly in the run's own summary — it did not fail silently. But there is no user-facing control to grant the missing permission:

  • github.com/settings/installationsAuthorized OAuth Apps shows "Claude" (by anthropics) authorized, but the page only exposes generic scopes ("Verify your GitHub identity," "Know what resources you can access," "Act on your behalf") — no per-repo or per-resource (Issues/Contents/PRs) permission list, and no toggle.
  • The same page states "Claude has not been installed on any accounts you have access to" — i.e. there is no separate GitHub App installation object for this account to configure, only the OAuth authorization.
  • I confirmed the repo itself is not the problem: has_issues: true, not archived/disabled, and my own authenticated gh session has full admin permission on it.
  • I also ruled out classic personal-access-token scope entirely — I have several PATs with full repo scope, none of which are what the Cloud Routine actually authenticates with (the Routine uses Anthropic's own GitHub integration/token, confirmed by the routine's own error message referring to "integration token," not a user PAT).

So: whatever scope Anthropic's backend requests when provisioning GitHub access for Cloud Routines does not include issues: write, and as the account owner I have no settings surface to add it.

What Should Happen?

Either:

  1. The GitHub integration used by Cloud Routines requests issues: write (or the equivalent fine-grained "Issues: Read and write" permission) as part of its standard permission set, so gh issue create / issue-comment operations succeed the same way git push does, or
  2. If that scope is intentionally withheld for some accounts/repos, surface an actionable path to grant it (e.g. a real GitHub App installation screen, analogous to what's missing per #74542) rather than leaving the account owner with only a generic "Claude has not been installed on any accounts you have access to" OAuth authorization page with no controls.

Why this isn't a duplicate of related issues

I found several open issues in the same problem space (Cloud Routines + GitHub permissions). None describe this specific symptom (repo access otherwise works; only issues: write is missing; no installation object exists at all to configure):

  • #71733 ("Option to log issue in GitHub from Claude Code can fail silently") — that's the CLI's local /feedback flow shelling out to the user's local gh CLI and picking the wrong of several locally-authenticated accounts (e.g. a restricted GitHub Enterprise account). It's a local-auth account-selection bug in the CLI. My case has no local gh CLI involved at all — the Cloud Routine authenticates via Anthropic's own hosted GitHub integration, and the failure is scope-shaped, not account-selection-shaped. Also notably, in my case the failure was not silent — Claude's own run summary reported the exact cause.
  • #73782 and #72933 — both describe a hard 403 "GitHub access is not enabled for this session" from the session's GitHub egress proxy, blocking all api.github.com/repos/<org>/... reads for organization-owned repos, despite the GitHub App being installed. My repo (blwfish/freecad-mcp) is a personal-account repo, not an org repo, and access is not blocked — reads, git push, and (per the routine's own report) everything except issue creation work fine. This is a narrower, resource-specific permission gap (Issues only), not a session-wide access gate.
  • #74542 — describes zero GitHub App installations existing at all (settings/installations → "Installed GitHub Apps" is completely empty, even after disconnect/reconnect), causing the routine to be auto-disabled (auto_disabled_repo_access) before doing any work. In my case the routine runs successfully every week and completes its git operations — there just isn't a write grant for Issues specifically. My "Authorized OAuth Apps" page similarly shows no installation object, but the practical symptom differs: theirs never runs at all; mine runs everything except one specific write operation with the failure explicitly surfaced.
  • #74243 — a generic, undetailed report ("git permission error" caught at run time instead of validation time, no error text, no repro). Doesn't identify which permission or why; may be the same underlying class of issue but has no actionable content to compare against.
  • #62791 (Cloud routines inject attribution into PR/issue comments) — unrelated; about attribution text content, not permissions.

Steps to Reproduce

  1. Create a Cloud Routine (Routines UI, blwfish/freecad-mcp is a public, personal-account repo — no GitHub org involved) whose prompt runs git push (or gh pr create) followed by gh issue create --repo blwfish/freecad-mcp ... for some code path.
  2. Let it run on schedule.
  3. Observe: git operations succeed; gh issue create fails with an integration/token permission error referencing issues: write.
  4. Check github.com/settings/installations: only "Authorized OAuth Apps → Claude" exists, with no per-resource permission list and no "Installed GitHub Apps" entry to configure.

Error Messages/Logs

Note: GitHub issue creation failed (integration token lacks issues: write permission), so no issue was opened automatically — you'll need to create one manually if you want to track this.

Claude Model

None

Is this a regression?

Unknown — I don't have evidence this ever worked for issue creation specifically (git push/PR creation from routines has worked fine).

Platform

Claude Code on the web (Cloud Routines)

Additional Information

Happy to share the specific routine ID / run transcript if useful for repro.

View original on GitHub ↗