Describe the bug
Claude Code action fails with authentication/permissions errors when triggered by scheduled cron jobs, but works perfectly when triggered manually. The workflow fails during OIDC token exchange with "User does not have write access on this repository" error.
To Reproduce
Steps to reproduce the behavior:
- Set up a scheduled GitHub Actions workflow using Claude Code action
- Configure the workflow to run on a cron schedule (e.g., `cron: '0 1 * * *'`)
- Wait for the scheduled workflow to run automatically
- Observe authentication failure during token exchange:
  ```
  OIDC token successfully obtained
  Exchanging OIDC token for app token...
  Attempt 1 of 3...
  App token exchange failed: 401 Unauthorized - User does not have write access on this repository
  Attempt 1 failed: User does not have write access on this repository
  [... retries fail ...]
  Operation failed after 3 attempts
  Error: Failed to setup GitHub token: Error: User does not have write access on this repository
  ```
- Trigger the same workflow manually using `workflow_dispatch`
- Observe that the workflow completes successfully
Expected behavior
- Scheduled workflows should have the same permissions as manually triggered workflows
- OIDC token exchange should succeed for cron-triggered workflows
- Claude Code action should be able to obtain necessary permissions for repository operations
- The workflow should execute successfully regardless of trigger type
Screenshots
Failed run (cron-triggered): https://github.com/TransferGo/ai-chat-service/actions/runs/20941316114/job/60175264787
Error output:
```
OIDC token successfully obtained
Exchanging OIDC token for app token...
Attempt 1 of 3...
Retrying in 5 seconds...
App token exchange failed: 401 Unauthorized - User does not have write access on this repository
Attempt 1 failed: User does not have write access on this repository
Attempt 2 of 3...
App token exchange failed: 401 Unauthorized - User does not have write access on this repository
Attempt 2 failed: User does not have write access on this repository
Retrying in 10 seconds...
Attempt 3 of 3...
App token exchange failed: 401 Unauthorized - User does not have write access on this repository
Attempt 3 failed: User does not have write access on this repository
Operation failed after 3 attempts
Error: Failed to setup GitHub token: Error: User does not have write access on this repository
Run curl -L \
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 112 0 112 0 0 2884 0 --:--:-- --:--:-- --:--:-- 2947
{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest",
  "status": "401"
}
```
Workflow yml file
Scheduled workflow (.github/workflows/auto-security-updates.yml):
```yaml
name: Nightly Security Updates
on:
  schedule:
    - cron: '0 1 * * *' # Every day at 1am
  workflow_dispatch:
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write
jobs:
  security:
    uses: ./.github/workflows/reusable-claude-dotnet-setup.yml
    with:
      prompt: "Follow @docs/ai/commands/update-packages.md to fix security vulnerabilities"
      max_turns: '100'
    secrets: inherit
```
Reusable workflow (.github/workflows/reusable-claude-dotnet-setup.yml - simplified):
```yaml
name: Reusable Claude .NET Setup
on:
  workflow_call:
    inputs:
      max_turns:
        required: false
        type: string
        default: '100'
      model:
        required: false
        type: string
        default: 'claude-opus-4-5-20251101'
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.1
      # ... setup steps (dotnet, node, dependencies, infrastructure, MCP server) ...
      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: |
            You are running as Cloud AI inside a GitHub Actions workflow.
            ${{ inputs.prompt }}
          claude_args: |
            --max-turns ${{ inputs.max_turns }}
            --model ${{ inputs.model }}
            --mcp-config '{"mcpServers":{"dotnet-knowledge-base":{"type":"sse","url":"http://localhost:7929/mcp"},"context7":{"type":"sse","url":"https://mcp.context7.com/mcp","headers":{}}}}'
            --allowedTools "Edit,Write,Read,Glob,Grep,WebSearch,Bash(dotnet:*),mcp__dotnet-knowledge-base__*,mcp__context7__*"
            --strict-mcp-config
          show_full_output: true
```
API Provider
[x] Anthropic First-Party API (default)
[ ] AWS Bedrock
[ ] GCP Vertex
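
Added example, not part of the original report and not code from the action: a diagnostic that decodes the payload of two GitHub Actions OIDC tokens, one from a `schedule` run and one from a `workflow_dispatch` run, and lists the trigger-related claims that differ between them. The tokens, the `example-org/example-repo` name and the user names are constructed placeholders; which claims actually differ in the reporter's runs is not known from the report.

```python
import base64
import json

# Claims in a GitHub Actions OIDC token that describe what triggered the run.
TRIGGER_CLAIMS = ("event_name", "actor", "actor_id", "ref",
                  "workflow_ref", "job_workflow_ref", "sub")


def decode_claims(jwt: str) -> dict:
    """Return a JWT's payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diff_trigger_claims(a: dict, b: dict) -> dict:
    """Map each trigger-related claim that differs to its (a, b) values."""
    return {k: (a.get(k), b.get(k)) for k in TRIGGER_CLAIMS if a.get(k) != b.get(k)}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed data for this example)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"


# Constructed claims: placeholder org/repo and users, workflow paths from the report.
REPO = "example-org/example-repo"
COMMON = {
    "sub": f"repo:{REPO}:ref:refs/heads/main",
    "ref": "refs/heads/main",
    "workflow_ref": f"{REPO}/.github/workflows/auto-security-updates.yml@refs/heads/main",
    "job_workflow_ref": f"{REPO}/.github/workflows/reusable-claude-dotnet-setup.yml@refs/heads/main",
}
SCHEDULED = make_sample_token({**COMMON, "event_name": "schedule", "actor": "example-user-a"})
MANUAL = make_sample_token({**COMMON, "event_name": "workflow_dispatch", "actor": "example-user-b"})

if __name__ == "__main__":
    changed = diff_trigger_claims(decode_claims(SCHEDULED), decode_claims(MANUAL))
    for claim, (scheduled, manual) in changed.items():
        print(f"{claim}: schedule={scheduled!r} workflow_dispatch={manual!r}")
```

In a job with `id-token: write`, a real token can be requested from `$ACTIONS_ID_TOKEN_REQUEST_URL` using `$ACTIONS_ID_TOKEN_REQUEST_TOKEN`; log only the decoded claims, never the token itself.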