From 5f8e59b3df9ec2d5a1fdfb90af1dd7b8bf56c51c Mon Sep 17 00:00:00 2001
From: Thomas Carmet <8408330+tcarmet@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:06:08 -0700
Subject: [PATCH 1/4] Try as claude code app to approve
---
 .github/workflows/claude-code-dependency-review.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 9bed797..84b51d6 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -27,7 +27,7 @@ jobs:
 contents: read
 pull-requests: write
 id-token: write
- checks: read
+ actions: read
 steps:
 - uses: actions/checkout@v6
@@ -72,11 +72,14 @@ jobs:
 continue-on-error: true
 uses: anthropics/claude-code-action@v1
 with:
- github_token: ${{ github.token }}
 use_vertex: "true"
 allowed_bots: "dependabot[bot]"
 plugin_marketplaces: https://github.com/scality/agent-hub.git
 plugins: scality-skills@scality-agent-hub
+ additional_permissions: |
+ contents: read
+ actions: read
+ pull-requests: write
 prompt: "/review-dependency-bump REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}"
 claude_args: |
 --allowedTools "Read" "Grep" "WebFetch" "Bash(gh repo view *)" "Bash(gh pr view *)" "Bash(gh pr comment *)" "Bash(gh pr review *)" "Bash(gh api *)"
From 12c7ab9b5107c9ed9dae51d356efb0b9a1873855 Mon Sep 17 00:00:00 2001
From: Thomas Carmet <8408330+tcarmet@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:44:52 -0700
Subject: [PATCH 2/4] try with only additional
---
 .github/workflows/claude-code-dependency-review.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 84b51d6..3ee0ec9 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
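Review bot: In [PATCH 1/4], hunk `@@ -72,11 +72,14 @@`, removing `github_token: ${{ github.token }}` takes the step off the job token that the `permissions:` block in the first hunk scopes; judging by the subject line the action then authenticates as its GitHub App, whose rights come from the app installation and not from this file. The unchanged `--allowedTools` line still grants `Bash(gh pr review *)` and `Bash(gh api *)` to a run that reads Dependabot PR text and `WebFetch` output, so content written upstream can influence a token that is able to approve. I would drop `"Bash(gh api *)"` or narrow it to the read-only calls the review skill needs, keep approval of dependency bumps behind a required human review, and add a comment above `use_vertex` such as `# no github_token: runs as the Claude GitHub App; job permissions do not bound it`. The step definition begins above the hunk, and `additional_permissions` is given `contents` and `pull-requests` entries whose support by the action I cannot confirm from the diff.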
@@ -77,7 +77,6 @@ jobs:
 plugin_marketplaces: https://github.com/scality/agent-hub.git
 plugins: scality-skills@scality-agent-hub
 additional_permissions: |
- contents: read
 actions: read
 pull-requests: write
 prompt: "/review-dependency-bump REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}"
From 4c18085641ad39ecf2466373a5e6f61591199361 Mon Sep 17 00:00:00 2001
From: Thomas Carmet <8408330+tcarmet@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:47:32 -0700
Subject: [PATCH 3/4] add anthropic key
---
 .github/workflows/claude-code-dependency-review.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 3ee0ec9..daf7db2 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -73,6 +73,7 @@ jobs:
 uses: anthropics/claude-code-action@v1
 with:
 use_vertex: "true"
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 allowed_bots: "dependabot[bot]"
 plugin_marketplaces: https://github.com/scality/agent-hub.git
 plugins: scality-skills@scality-agent-hub
From ed2f2b9e676863ef6c74f4b60c0b44e47b469bf1 Mon Sep 17 00:00:00 2001
From: Thomas Carmet <8408330+tcarmet@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:52:05 -0700
Subject: [PATCH 4/4] try without extra permissions
---
 .github/workflows/claude-code-dependency-review.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index daf7db2..b7e6968 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
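Review bot: In [PATCH 3/4], hunk `@@ -73,6 +73,7 @@`, `anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}` is added while `use_vertex: "true"` stays set, so the step carries two provider credentials and the hunk does not show which one the action will use. The job is opened to `dependabot[bot]`; the trigger is outside this hunk, but on a plain `pull_request` run started by Dependabot the Actions secrets are not passed (only Dependabot secrets are), so this would expand to an empty string, while under `pull_request_target` it would place a long-lived key in a job that reads untrusted PR content. If Vertex through `id-token: write` is the intended path, drop the key; if the key is intended, remove `use_vertex: "true"` and say in a comment where the secret is stored, e.g. `# API-key auth; secret defined under Dependabot secrets`.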
@@ -77,9 +77,9 @@ jobs:
 allowed_bots: "dependabot[bot]"
 plugin_marketplaces: https://github.com/scality/agent-hub.git
 plugins: scality-skills@scality-agent-hub
- additional_permissions: |
- actions: read
- pull-requests: write
+ # additional_permissions: |
+ # actions: read
+ # pull-requests: write
 prompt: "/review-dependency-bump REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}"
 claude_args: |
 --allowedTools "Read" "Grep" "WebFetch" "Bash(gh repo view *)" "Bash(gh pr view *)" "Bash(gh pr comment *)" "Bash(gh pr review *)" "Bash(gh api *)"
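Review bot: The three `# additional_permissions` lines added in [PATCH 4/4], hunk `@@ -77,9 +77,9 @@`, are commented-out configuration with no reason given, which leaves the next reader unable to tell whether the token is meant to work without them. Delete the lines, or keep a single explanatory comment in their place, for example `# additional_permissions not set: <reason>`. The series also ends with both `use_vertex: "true"` and `anthropic_api_key` present and no `github_token`; squashing the four trial commits into one whose description states the final authentication path would make the resulting privileges reviewable.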