The claude-code-action OIDC token exchange verifies that the triggering GitHub actor has write access to the repository. When an external user opens an issue, they are the actor and don't have write access, causing the action to fail with a 401 error.

Pass an explicit github_token and set allowed_non_write_users to '*' so the action skips the write-access check. This is safe because the workflow's GITHUB_TOKEN only has read permissions, and the existing prompt injection detection script guards against malicious issue content before any triage logic (including Linear writes) executes.

Following an example from anthropic here