diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 46722c3d..6b15fac7 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -26,67 +26,13 @@ jobs: actions: read # Required for Claude to read CI results on PRs steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@v4 with: fetch-depth: 1 - # TEMPORARY diagnostic. Verifies whether the OAuth token works against - # `claude --print` directly on the runner (i.e., bypassing the action / - # agent SDK entirely), so we can localize the failure to either: - # - SDK auth-forwarding (diag passes, main fails), or - # - runner ↔ Anthropic OAuth backend (diag fails, main fails). - # - # Split into two steps so the OAuth token is never present in the env - # of `curl | bash` or its subprocesses (Codex P2): the installer runs - # without the secret; only the verify step has it, and only for the - # single claude invocation. Both diagnostic steps are - # `continue-on-error: true` so neither a transient install failure nor - # a runner-side OAuth failure can short-circuit `Run Claude Code` — - # both step results need to be observed for the isolation logic to - # work, and temporary diagnostic infrastructure must not block normal - # `@claude` handling (Codex P1, both rounds). - # - # Token-leak hardening: - # - secret is scoped to the verify step only - # - never enables `set -x`; explicit `set +x` defends against - # ACTIONS_STEP_DEBUG also enabling xtrace - # - token reaches `claude` only via env, never as a command-line arg - # - no --debug / --verbose on `claude` - # - HOME is an ephemeral tmp dir; runner is destroyed after the job - # - GitHub Actions secret-masking covers any literal occurrence anyway - # - # Remove these two steps (and rotate CLAUDE_CODE_OAUTH_TOKEN) once the - # diagnostic question is answered. - - name: Install Claude CLI for diag (no secrets in env) - continue-on-error: true - run: | - set -euo pipefail - set +x - curl -fsSL https://claude.ai/install.sh | bash -s -- 2.1.119 >/dev/null 2>&1 - - - name: Verify OAuth on the runner (diag only) - continue-on-error: true - env: - CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} - run: | - set -euo pipefail - set +x - export PATH="$HOME/.local/bin:$PATH" - TMPHOME="$(mktemp -d)" - HOME="$TMPHOME" ANTHROPIC_API_KEY="" claude --print "ok" - - name: Run Claude Code id: claude - # Pinned to v1.0.107 + explicit env. As of 2026-04-28, the OAuth token - # passed only via the `with:` input is not reaching the Claude Code - # child process spawned by the agent SDK's query() — the SDK throws - # `Could not resolve [authentication]` even though the same token - # works locally with `claude --print`. Setting CLAUDE_CODE_OAUTH_TOKEN - # in the step's env: forces it onto process.env so parse-sdk-options - # forwards it to the child. Revisit once upstream ships a fix. - uses: anthropics/claude-code-action@7eab1296cc65117d50ac2a2fa5f00a30ec84d3d5 # v1.0.107 - env: - CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} + uses: anthropics/claude-code-action@v1 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} @@ -100,5 +46,5 @@ jobs: # Optional: Add claude_args to customize behavior and configuration # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md # or https://code.claude.com/docs/en/cli-reference for available options - # claude_args: '--allowed-tools Bash(gh pr:*)' + # claude_args: '--allowed-tools Bash(gh pr *)'