
Claude Code Action incompatible with Dependabot PRs - actor permission check fails #387

@cansin

Description

Describe the bug
Claude Code Action fails on Dependabot PRs because it checks actor permissions instead of token permissions.

To Reproduce

  1. Configure Claude Code Action on a repository with Dependabot
  2. Provide a valid github_token with write permissions (PAT or GitHub App token)
  3. When Dependabot creates a PR, the action fails with:
Using provided GITHUB_TOKEN for authentication
Checking permissions for actor: dependabot[bot]
Permission level retrieved: none
Error: Actor does not have write permissions to the repository

Expected behavior
The action should use the provided token's permissions, not check if dependabot[bot] is a collaborator.

Screenshots
N/A - Error logs provided in reproduction steps.

Workflow yml file

name: Claude Code Review
on:
    pull_request:
        types: [opened, synchronize]
jobs:
    claude-review:
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@v4

            - name: Generate GitHub App token
              id: app-token
              uses: actions/create-github-app-token@v1
              with:
                  app-id: ${{ secrets.CLAUDE_GITHUB_APP_ID }}
                  private-key: ${{ secrets.CLAUDE_GITHUB_PRIVATE_KEY }}

            - uses: anthropics/claude-code-action@beta
              with:
                  claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
                  github_token: ${{ steps.app-token.outputs.token }}

API Provider

  • Anthropic First-Party API (default)
  • AWS Bedrock
  • GCP Vertex

Additional context

Code analysis shows the issue in src/entrypoints/prepare.ts:

// Step 3: Check write permissions (only for entity contexts)
if (isEntityContext(context)) {
    const hasWritePermissions = await checkWritePermissions(octokit.rest, context);
    if (!hasWritePermissions) {
        throw new Error('Actor does not have write permissions to the repository');
    }
}

The checkWritePermissions() function in src/github/validation/permissions.ts uses:

const response = await octokit.repos.getCollaboratorPermissionLevel({
    owner: repository.owner,
    repo: repository.repo,
    username: actor,
});

This checks if the actor (dependabot[bot]) is a collaborator, which it never is. The action validates actor collaborator status instead of the provided token's permissions.

Suggested fix: When github_token is explicitly provided, skip the actor permission check or validate the token's actual permissions instead.
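The two checks the report contrasts, side by side, as an added example that is not code from the claude-code-action repository. The actor check asks GitHub what `dependabot[bot]` may do as a collaborator (the `GET /repos/{owner}/{repo}/collaborators/{username}/permission` call quoted above); the token check instead asks `GET /repos/{owner}/{repo}` and reads its `permissions` object, which describes what the authenticated token may do. The `GitHubClient` and `RunContext` shapes, the `githubTokenProvided` flag, the function names and the offline fake client are assumptions made for this illustration. One caveat a practitioner would want alongside the posted workflow: on `pull_request` events triggered by Dependabot, GitHub hands the job only Dependabot secrets and a read-only `GITHUB_TOKEN`, so the App ID and private key above must also be stored as Dependabot secrets for the token step to succeed at all.

```typescript
// Added example (not the project's own code): why a collaborator check on the
// actor and a permission check on the supplied token disagree on a Dependabot PR.

type PermissionLevel = "admin" | "write" | "read" | "none";

interface RepoPermissions {
  admin: boolean;
  maintain?: boolean;
  push: boolean;
  triage?: boolean;
  pull: boolean;
}

// Minimal slice of the Octokit REST surface used here (shape assumed for the
// example). `repos.get` returns a `permissions` object for the authenticated
// token, which is what the issue proposes validating.
interface GitHubClient {
  repos: {
    getCollaboratorPermissionLevel(p: { owner: string; repo: string; username: string }):
      Promise<{ data: { permission: PermissionLevel } }>;
    get(p: { owner: string; repo: string }):
      Promise<{ data: { permissions?: RepoPermissions } }>;
  };
}

interface RunContext {
  actor: string;
  repository: { owner: string; repo: string };
  githubTokenProvided: boolean; // hypothetical: true when `github_token` was set in `with:`
}

// Pure decision helpers, kept separate so they can be tested without network access.
function actorHasWrite(level: PermissionLevel): boolean {
  return level === "admin" || level === "write";
}

function tokenHasWrite(perms: RepoPermissions | undefined): boolean {
  if (!perms) return false; // token cannot even read repository metadata
  return perms.admin || perms.push || perms.maintain === true;
}

// Current behaviour as the issue describes it: always judge the workflow actor.
async function checkActorWritePermissions(client: GitHubClient, ctx: RunContext): Promise<boolean> {
  const { data } = await client.repos.getCollaboratorPermissionLevel({
    ...ctx.repository,
    username: ctx.actor,
  });
  return actorHasWrite(data.permission);
}

// Suggested behaviour: when the caller supplied its own token, judge that token;
// otherwise fall back to the actor check.
async function checkWritePermissions(client: GitHubClient, ctx: RunContext): Promise<boolean> {
  if (ctx.githubTokenProvided) {
    const { data } = await client.repos.get(ctx.repository);
    return tokenHasWrite(data.permissions);
  }
  return checkActorWritePermissions(client, ctx);
}

// Constructed offline stand-in for the API: dependabot[bot] is never a
// collaborator ("none"), while the App installation token has push rights.
function fakeDependabotClient(): GitHubClient {
  return {
    repos: {
      async getCollaboratorPermissionLevel({ username }) {
        return { data: { permission: username === "dependabot[bot]" ? "none" : "write" } };
      },
      async get() {
        return { data: { permissions: { admin: false, maintain: false, push: true, triage: true, pull: true } } };
      },
    },
  };
}

const dependabotContext: RunContext = {
  actor: "dependabot[bot]",
  repository: { owner: "example-org", repo: "example-repo" }, // constructed names
  githubTokenProvided: true,
};

async function main(): Promise<void> {
  const client = fakeDependabotClient();
  console.log("actor check :", await checkActorWritePermissions(client, dependabotContext));
  console.log("token check :", await checkWritePermissions(client, dependabotContext));
}

main().catch((err) => { console.error(err); process.exit(1); });
```

Running it prints `false` for the actor check and `true` for the token check, which is the disagreement the report describes. Note that the fallback branch still performs the actor check when no explicit token is supplied, so a fork PR author who is not a collaborator keeps being rejected.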

Labels: bug