anthropics · ashwin-ant · Jan 27, 2026 · Jan 27, 2026 · claude · Jan 27, 2026
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -172,14 +172,9 @@ jobs:
 
 **Important Notes**:
 
-- The GitHub token must have the corresponding permission in your workflow
+- The GitHub token must have the `actions: read` permission in your workflow
 - If the permission is missing, Claude will warn you and suggest adding it
-- The following additional permissions can be requested beyond the defaults:
-  - `actions: read`
-  - `checks: read`
-  - `discussions: read` or `discussions: write`
-  - `workflows: read` or `workflows: write`
-- Standard permissions (`contents: write`, `pull_requests: write`, `issues: write`) are always included and do not need to be specified
+- Currently, only `actions: read` is supported, but the format allows for future extensions
 
 ## Custom Environment Variables
 

diff --git a/src/github/token.ts b/src/github/token.ts
@@ -16,60 +16,15 @@ async function getOidcToken(): Promise<string> {
   }
 }
 
-const DEFAULT_PERMISSIONS: Record<string, string> = {
-  contents: "write",
-  pull_requests: "write",
-  issues: "write",
-};
-
-export function parseAdditionalPermissions():
-  | Record<string, string>
-  | undefined {
-  const raw = process.env.ADDITIONAL_PERMISSIONS;
-  if (!raw || !raw.trim()) {
-    return undefined;
-  }
-
-  const additional: Record<string, string> = {};
-  for (const line of raw.split("\n")) {
-    const trimmed = line.trim();
-    if (!trimmed) continue;
-    const colonIndex = trimmed.indexOf(":");
-    if (colonIndex === -1) continue;
-    const key = trimmed.slice(0, colonIndex).trim();
-    const value = trimmed.slice(colonIndex + 1).trim();
-    if (key && value) {
-      additional[key] = value;
-    }
-  }
-
-  if (Object.keys(additional).length === 0) {
-    return undefined;
-  }
-
-  return { ...DEFAULT_PERMISSIONS, ...additional };
-}
-
-async function exchangeForAppToken(
-  oidcToken: string,
-  permissions?: Record<string, string>,
-): Promise<string> {
-  const headers: Record<string, string> = {
-    Authorization: `Bearer ${oidcToken}`,
-  };
-  const fetchOptions: RequestInit = {
-    method: "POST",
-    headers,
-  };
-
-  if (permissions) {
-    headers["Content-Type"] = "application/json";
-    fetchOptions.body = JSON.stringify({ permissions });
-  }
-
+async function exchangeForAppToken(oidcToken: string): Promise<string> {
   const response = await fetch(
     "https://api.anthropic.com/api/github/github-app-token-exchange",
-    fetchOptions,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${oidcToken}`,
+      },
+    },
   );
 
   if (!response.ok) {
@@ -134,11 +89,9 @@ export async function setupGitHubToken(): Promise<string> {
     const oidcToken = await retryWithBackoff(() => getOidcToken());
     console.log("OIDC token successfully obtained");
 
-    const permissions = parseAdditionalPermissions();
-
     console.log("Exchanging OIDC token for app token...");
     const appToken = await retryWithBackoff(() =>
-      exchangeForAppToken(oidcToken, permissions),
+      exchangeForAppToken(oidcToken),
     );
     console.log("App token successfully obtained");
 

diff --git a/test/parse-permissions.test.ts b/test/parse-permissions.test.ts