From 0ef730f6a54c3b873b2461e2e14a4f11deb34975 Mon Sep 17 00:00:00 2001
From: Charly Gomez
Date: Mon, 9 Mar 2026 10:04:04 +0100
Subject: [PATCH] fix(ci): Allow triage action to run on issues from external users
The claude-code-action OIDC token exchange verifies that the triggering GitHub actor has write access to the repository. When an external user opens an issue, they are the actor and don't have write access, causing the action to fail with a 401 error. Pass an explicit github_token and set allowed_non_write_users to '*' so the action skips the write-access check. This is safe because the workflow's GITHUB_TOKEN only has read permissions, and the existing prompt injection detection script guards against malicious issue content before any triage logic (including Linear writes) executes.
Co-Authored-By: Claude
---
 .github/workflows/triage-issue.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/triage-issue.yml b/.github/workflows/triage-issue.yml
index b1af7c47bdd2..9e5467329b62 100644
--- a/.github/workflows/triage-issue.yml
+++ b/.github/workflows/triage-issue.yml
@@ -57,6 +57,8 @@ jobs:
 uses: anthropics/claude-code-action@v1
 with:
 anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ allowed_non_write_users: '*'
 settings: |
 {
 "env": {
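Review bot: The safety argument for `allowed_non_write_users: '*'` exists only in the commit message, so nothing in the workflow records the two conditions it depends on, and neither the `permissions:` block nor the prompt-injection check is visible in this hunk (the step starts above it and `settings` continues below). A read-only `GITHUB_TOKEN` also does not cover the other credentials this step holds: `ANTHROPIC_API_KEY` is passed on the line above, and the commit message mentions Linear writes, so untrusted issue text still reaches a process that holds those, and a detection script is a heuristic rather than a trust boundary. I would state the precondition next to the input, for example `# '*' is acceptable only while this job's permissions stay read-only and the injection check runs first`, so a later edit to `permissions:` or the step order does not silently invalidate it. It is also worth confirming that the Linear credential is scoped to the minimum triage needs, and that the job has a concurrency or rate limit so issue volume from arbitrary accounts cannot run up API spend.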