From 733587e54f3dac57d369319582480235f64a1101 Mon Sep 17 00:00:00 2001
From: zenexer
Date: Sat, 23 May 2026 08:36:25 +0000
Subject: [PATCH] ci: migrate claude.yml to Workload Identity Federation auth

Replaces the static ANTHROPIC_API_KEY repo secret with Workload Identity Federation: claude-code-action exchanges this job's GitHub OIDC token for a short-lived access token. The federation rule is bound to this repository (repository_id-pinned), so the IDs are repo-specific and not reusable elsewhere.

Pins claude-code-action to v1.0.132 (the WIF inputs landed in v1.0.130). id-token: write was already present.
---
 .github/workflows/claude.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index d205fd22f..c25af0d89 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -37,9 +37,15 @@ jobs:
 - name: Run Claude Code
 id: claude
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@bbfaf8e1ffe3e688f7ab65ceee78de241e24a238 # v1.0.132 (>=v1.0.130 for WIF inputs)
 with:
- anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ # Anthropic auth via Workload Identity Federation — the action
+ # exchanges this job's GitHub OIDC token (id-token: write above)
+ # for a short-lived access token instead of a static API key.
+ # See https://github.com/anthropics/claude-code-action/blob/main/docs/setup.md
+ anthropic_federation_rule_id: fdrl_01NnYaEh8vVqgyX6wxwJUE9L
+ anthropic_organization_id: 1ec12c5c-6542-4da8-bf2f-c15919aef01c
+ anthropic_service_account_id: svac_01VkQ61sbLCT8n7VzTCw3opE
 # Allow Claude to run git commands and push changes
 allowed_tools: "Bash(git commit:*),Bash(git push:*),Bash(git merge:*),Bash(git checkout:*),Bash(git add:*),Bash(git status:*),Bash(git diff:*),Bash(git log:*),Bash(git fetch:*),Bash(gh pr:*),Bash(gh issue:*)"