ci(claude): switch Claude Code actions to ANTHROPIC_API_KEY #3532
The org disabled Claude subscription access for Claude Code, breaking both Claude workflows that authenticated via CLAUDE_CODE_OAUTH_TOKEN. Switch them to the new ANTHROPIC_API_KEY repo secret so the audit and @claude-mention workflows authenticate via API key instead.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/claude.yml (1)
15-19: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Gate secret-backed runs to trusted actors before using ANTHROPIC_API_KEY.
Line 55 now uses a billable API key, but Lines 15-19 still allow any `@claude` mention path to trigger the job. On public repos, this can enable untrusted trigger abuse. Add author-association checks (or an equivalent trust gate) to the job `if`.
Suggested hardening diff:
claude: if: | (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || - (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) + (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) + && + ( + (github.event_name == 'issue_comment' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || + (github.event_name == 'pull_request_review_comment' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || + (github.event_name == 'pull_request_review' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) || + (github.event_name == 'issues' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)) + )Also applies to: 55-55
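Review bot: the appended `&& ( ... )` in this suggested diff is not parenthesised against the four preceding `||` branches, and in GitHub Actions expressions `&&` binds tighter than `||`, so as written only the `issues` branch is gated by `author_association`; the `issue_comment`, `pull_request_review_comment` and `pull_request_review` branches would still fire for any commenter and still spend `ANTHROPIC_API_KEY`. Wrap the existing four mention checks in an outer `( ... )` before the `&&`, or fold the `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), ...author_association)` test into each branch. The chosen trusted set is a sensible default for a billable key on a public repo because it excludes `CONTRIBUTOR` and `FIRST_TIME_CONTRIBUTOR`, which any account with a merged PR or a first PR can obtain.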
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/claude.yml around lines 15 - 19, The current job if-condition allows any `@claude` mention to trigger a run that later uses ANTHROPIC_API_KEY; tighten the gate by adding author-association checks to the boolean expression so only trusted actors can trigger secret-backed runs—e.g., augment each branch that checks contains(..., '@claude') with an additional check on the corresponding author association (github.event.comment.author_association, github.event.review.author_association, github.event.issue.author_association or github.event.pull_request.author_association) to require values like 'OWNER' || 'MEMBER' || 'COLLABORATOR' (or another chosen trusted set); update the combined if to AND the mention check with the author_association check so untrusted mentions cannot trigger the job that uses ANTHROPIC_API_KEY.
📒 Files selected for processing (2)
- .github/workflows/claude-md-audit.yml
- .github/workflows/claude.yml
🔇 Additional comments (1)
.github/workflows/claude-md-audit.yml (1)
39-39: Auth input migration looks correct here. Line 39 is a clean swap to `anthropic_api_key`, and this workflow is already constrained to same-repo PRs (Lines 20-21), which keeps exposure controlled.
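As an added example (not the project's `claude.yml` and not CodeRabbit's suggested diff), the following is a complete mention-triggered workflow with the author-association gate applied to all four trigger branches, with both OR-groups parenthesised so the `&&` gates every branch rather than only the last one. The trigger event types, the `actions/checkout@v4` step, the `anthropics/claude-code-action@v1` ref and the `permissions` block are assumptions for illustration; only the four event names, the `@claude` mention checks, the `OWNER`/`MEMBER`/`COLLABORATOR` set and the `anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}` input come from the PR discussion above.

```yaml
# Added example, not the repository's own claude.yml.
# Event types, action refs and permissions are assumptions.
name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_review:
    types: [submitted]
  issues:
    types: [opened, assigned]

jobs:
  claude:
    # Weak form (what the review flagged): only the '@claude' mention checks,
    # so any account able to comment on a public repo can spend the key.
    #
    # Hardened form: (mention check) && (author-association check).
    # Both groups are wrapped in parentheses on purpose. In GitHub Actions
    # expressions '&&' binds tighter than '||', so an unparenthesised
    #   A || B || C || D && (gate)
    # would apply the gate to D only and leave A, B and C open.
    if: |
      (
        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
        (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
      ) && (
        ((github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment') &&
          contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
        (github.event_name == 'pull_request_review' &&
          contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
        (github.event_name == 'issues' &&
          contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
      )
    runs-on: ubuntu-latest
    # Assumed from the follow-up commit message: write on contents,
    # pull-requests and issues so the action can comment and push.
    permissions:
      contents: write
      pull-requests: write
      issues: write
    steps:
      - uses: actions/checkout@v4   # assumed step
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@v1   # assumed ref
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```

The `issue_comment` and `pull_request_review_comment` branches share one clause because both carry the actor's association on `github.event.comment`; `pull_request_review` carries it on `github.event.review` and `issues` on `github.event.issue`. Keeping the gate at the job level means the key is never mounted into a runner for an untrusted actor, which is the property the review asked for.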
The official anthropics/claude-code-action example for anthropic_api_key requires contents/pull-requests/issues: write so the action can comment back on @claude mentions and push when Edit/Write tools are enabled. Bring claude.yml in line with claude-md-audit.yml (which already had PR/issue write) and the upstream examples/claude.yml. Resolves Devin review feedback BUG-0001 + ANALYSIS-0002 on PR 3532.
Summary
Both Claude Code workflows (claude.yml and claude-md-audit.yml) authenticated via CLAUDE_CODE_OAUTH_TOKEN, which broke when the org disabled Claude subscription access for Claude Code. This switches both workflows to `anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}` (secret already added to the repo).

Test plan
- 📝 CLAUDE.md Audit runs to completion on this PR
- `@claude` mention in a PR comment still triggers the Claude Code workflow successfully