Add Workload Identity Federation (OIDC) authentication support by ashwin-ant · Pull Request #1338 · anthropics/claude-code-action

ashwin-ant · 2026-05-21T20:31:00Z

What

Adds support for authenticating to the Claude API via Workload Identity Federation (WIF) instead of a static anthropic_api_key. The action exchanges the workflow's GitHub Actions OIDC token for a short-lived Anthropic access token using a federation rule configured in the Claude Console, so no API key secret needs to be stored in the repository.

New inputs:

Input	Description
`anthropic_federation_rule_id`	Federation rule ID (`fdrl_...`)
`anthropic_organization_id`	Anthropic organization UUID
`anthropic_service_account_id`	Service account ID (`svac_...`), optional
`anthropic_workspace_id`	Workspace ID (`wrkspc_...`), optional when the rule targets a single workspace
`anthropic_oidc_audience`	Audience to request on the GitHub OIDC token, optional

How it works

When anthropic_federation_rule_id and anthropic_organization_id are set (and no API key/OAuth token is provided), the action:

Fetches a GitHub Actions OIDC token via core.getIDToken() (requires id-token: write permission, which the default GitHub App auth path already needs)
Writes it to a file under RUNNER_TEMP and exports ANTHROPIC_IDENTITY_TOKEN_FILE along with the federation env vars
Refreshes the token file in the background so long-running executions can re-exchange with a fresh JWT

The Claude Code CLI performs the token exchange and refresh against the federation rule. base-action's env validation now accepts the federation variables as a third direct-API auth option alongside ANTHROPIC_API_KEY and CLAUDE_CODE_OAUTH_TOKEN.

Usage

permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write
steps:
  - uses: anthropics/claude-code-action@v1
    with:
      anthropic_federation_rule_id: fdrl_xxxxxxxxxxxx
      anthropic_organization_id: 00000000-0000-0000-0000-000000000000
      anthropic_service_account_id: svac_xxxxxxxxxxxx

Console setup (issuer, service account, federation rule) is documented in docs/setup.md.

Notes

Existing auth methods (anthropic_api_key, claude_code_oauth_token, Bedrock, Vertex, Foundry) are unchanged; federation is opt-in.
If a static credential is set alongside the federation inputs, the static credential takes precedence and a warning is logged.
Inline comment classification still requires anthropic_api_key; with federation it is skipped and unconfirmed inline comments are posted directly (documented in docs/setup.md).

Testing

Unit tests for the new workload identity module and the updated env validation
Verified end-to-end in a test repository: a workflow configured with only the federation inputs (no API key secret) authenticates via the OIDC exchange and completes successfully

Adds anthropic_federation_rule_id, anthropic_organization_id, anthropic_service_account_id, anthropic_workspace_id, and anthropic_oidc_audience inputs. When the federation rule and organization are set, the action fetches the workflow's GitHub Actions OIDC token, writes it to a file in RUNNER_TEMP, keeps it refreshed during execution, and points the Claude Code CLI at it via ANTHROPIC_IDENTITY_TOKEN_FILE so the CLI can exchange it for a short-lived access token instead of using a static API key.

claude · 2026-05-21T20:37:32Z

+ */
+export async function setupWorkloadIdentity(): Promise<
+  WorkloadIdentityHandle | undefined
+> {
+  if (!isWorkloadIdentityConfigured()) {
+    return undefined;
+  }
+
+  if (
+    process.env.ANTHROPIC_API_KEY?.trim() ||
+    process.env.CLAUDE_CODE_OAUTH_TOKEN?.trim()
+  ) {
+    core.warning(
+      "Workload identity federation inputs are set alongside anthropic_api_key or claude_code_oauth_token. The API key/OAuth token takes precedence, so federation will not be used.",
+    );
+    return undefined;
+  }
+


🟡 setupWorkloadIdentity() guards against ANTHROPIC_API_KEY/CLAUDE_CODE_OAUTH_TOKEN taking precedence, but not CLAUDE_CODE_USE_BEDROCK/VERTEX/FOUNDRY. If a cloud provider is enabled alongside leftover federation inputs and the workflow doesn't grant id-token: write (e.g. Bedrock with AWS_BEARER_TOKEN_BEDROCK), the run hard-fails with a federation-specific error even though the cloud provider is fully configured. Adding the three cloud-provider flags to the existing early-return guard would make federation consistent with the API-key/OAuth precedence rule above it.

Extended reasoning...

The gap. setupWorkloadIdentity() (src/auth/workload-identity.ts:64-72) implements an explicit precedence rule: if ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is also set, it logs a warning and returns undefined without touching OIDC. That guard establishes the intended behavior — "do not run federation when a higher-precedence auth method is active." But the three cloud-provider flags (CLAUDE_CODE_USE_BEDROCK, CLAUDE_CODE_USE_VERTEX, CLAUDE_CODE_USE_FOUNDRY) are also higher-precedence routing flags, and they are not checked.

The code path. In src/entrypoints/run.ts, setupWorkloadIdentity() is called before validateEnvironmentVariables() (lines 237-241). validate-env.ts only validates federation inputs in the !useBedrock && !useVertex && !useFoundry branch — so when a cloud provider is enabled, the federation vars are silently ignored by validation. But setupWorkloadIdentity() has already run and acted on them.

Concrete failure proof. A user sets:

use_bedrock: true with AWS_BEARER_TOKEN_BEDROCK for auth — bearer-token Bedrock auth does not need id-token: write, so the workflow doesn't grant it.

Federation inputs (anthropic_federation_rule_id + anthropic_organization_id) are also present, e.g. copy-pasted from a template or left over from migration.

The workflow uses a custom github_token, so the GitHub-App auth path (which would have required id-token: write anyway) is also bypassed.

Walkthrough:

run() calls setupWorkloadIdentity().

isWorkloadIdentityConfigured() returns true (federation vars are present).

The ANTHROPIC_API_KEY/CLAUDE_CODE_OAUTH_TOKEN guard at line 64 does not match — neither is set.

writeIdentityToken() calls core.getIDToken(), which throws because id-token: write is not in the workflow permissions.

The catch block re-throws Failed to fetch a GitHub Actions OIDC token for workload identity federation: ... Did you remember to add \id-token: write` to your workflow permissions?`

The whole action fails, even though Bedrock is correctly configured and federation should never have been attempted.

The error message actively misleads the user toward adding id-token: write, when the real fix is to remove the stray federation inputs.

Addressing the refutation. It's true this requires a double misconfiguration and that the CLI itself would route to Bedrock and ignore ANTHROPIC_IDENTITY_TOKEN_FILE even if the token fetch succeeded. But the failure happens before the CLI runs — getIDToken() throws inside the action itself. So "the CLI would ignore it anyway" doesn't help. And while ANTHROPIC_API_KEY alongside CLAUDE_CODE_USE_BEDROCK has always been silently tolerated, that's a no-op; this is a thrown error. The asymmetry matters.

The fix. Extend the existing guard to also early-return when a cloud provider is selected, e.g.:

if ( process.env.CLAUDE_CODE_USE_BEDROCK === "1" || process.env.CLAUDE_CODE_USE_VERTEX === "1" || process.env.CLAUDE_CODE_USE_FOUNDRY === "1" ) { core.warning( "Workload identity federation inputs are set alongside a cloud provider (Bedrock/Vertex/Foundry). The cloud provider takes precedence, so federation will not be used.", ); return undefined; }

Because the trigger requires explicit conflicting inputs, this is a nit / defense-in-depth improvement rather than a blocking bug, but it's a one-clause addition that mirrors the pattern this PR already established.

claude · 2026-05-21T20:37:32Z

+    const identityToken = await fetchIdentityToken(audience);
+    core.setSecret(identityToken);
+    mkdirSync(tokenDir, { recursive: true, mode: 0o700 });
+    writeFileSync(tokenFile, identityToken, { mode: 0o600 });
+  };
+


🟡 writeIdentityToken() refreshes the token file with writeFileSync() directly on the live path, which truncates before writing — so the Claude Code CLI (which re-reads ANTHROPIC_IDENTITY_TOKEN_FILE on each access-token refresh) could observe an empty or partial JWT during the 4-minute background refresh. Writing to a sibling temp file in the same directory and renameSync()-ing over the target makes the replacement atomic.

Extended reasoning...

The bug. writeIdentityToken() (src/auth/workload-identity.ts:82-87) refreshes the OIDC token file by calling writeFileSync(tokenFile, identityToken, { mode: 0o600 }) on the live token path. Node's writeFileSync opens with flag 'w' (O_WRONLY | O_CREAT | O_TRUNC), which truncates the file to zero bytes and then writes. That two-step sequence is not atomic — there is a window where the file on disk is empty or only partially written.

Why it matters here. This module's own doc comment says it precisely: "the CLI re-reads the token file every time it refreshes its Anthropic access token, so the action keeps the file fresh in the background for long-running executions." So we have a writer (the setInterval rewriting the file every 4 minutes) and an out-of-process reader (the Claude Code CLI re-reading ANTHROPIC_IDENTITY_TOKEN_FILE whenever it needs to re-exchange for a fresh Anthropic access token), both pointed at the same path with no coordination.

Concrete sequence that hits the race.

setupWorkloadIdentity() writes the initial token and exports ANTHROPIC_IDENTITY_TOKEN_FILE.

A long-running session is in progress; the CLI's Anthropic access token approaches expiry and it schedules a re-exchange.

At T+4m the setInterval fires; writeFileSync opens the file with O_TRUNC (the file is now 0 bytes).

The CLI's refresh path reads the file before the subsequent write() lands.

The CLI sends an empty/partial JWT to the federation exchange endpoint, which rejects it — a transient auth failure on a request that should have succeeded.

Why nothing in the current code prevents it. There is no flock, no temp-file dance, and no signal to the CLI to defer reads. The whole design (env var pointing at a file path that's silently rewritten in the background) assumes atomic replacement, but writeFileSync doesn't provide it.

Likelihood and impact. To be fair, the practical odds are low: the JWT is ~1–2 KB, so the truncate→write window is microseconds; the file is rewritten only every 4 minutes; and the CLI only re-reads it when its Anthropic access token expires. Most runs will never hit it. When it does hit, the result is a single transient exchange failure, and the next refresh self-heals. So this is a robustness/correctness nit, not a blocker — but it's exactly the kind of intermittent, unreproducible auth flake that costs an afternoon when someone finally hits it.

Fix. Use the standard atomic-replace pattern — write to a sibling temp file in the same directory (so the rename stays on the same filesystem) and renameSync over the target. POSIX guarantees rename(2) atomically replaces the destination, so a reader sees either the old content or the new content, never an empty file:

const tmpFile = tokenFile + ".tmp"; writeFileSync(tmpFile, identityToken, { mode: 0o600 }); renameSync(tmpFile, tokenFile);

This is the same pattern AWS web-identity token files, Vault Agent, and kubelet projected token mounts use for exactly this reason.

## What Switches this repository's Claude automation workflows from the static `ANTHROPIC_API_KEY` secret to [Workload Identity Federation](https://platform.claude.com/docs/en/manage-claude/workload-identity-federation): the workflow's GitHub OIDC token is exchanged for a short-lived Claude API access token at runtime, so no long-lived API key needs to be stored in the repository. | Workflow | Change | | --- | --- | | `claude.yml` | `anthropic_api_key` → federation inputs | | `claude-code-review.yml` | `anthropic_api_key` → federation inputs | | `claude-issue-triage.yml` | `anthropic_api_key` → federation inputs, plus `id-token: write` (the other two already request it) | | `build-and-publish.yml` | `anthropic_api_key` → federation inputs in the changelog step, plus `id-token: write` on the `publish` job | | `auto-release.yml`, `publish.yml` | grant `id-token: write` to the jobs that call the `build-and-publish.yml` reusable workflow (a called workflow can only use permissions its caller grants) | This uses the federation support shipped in [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) (`docs/setup.md#workload-identity-federation`, anthropics/claude-code-action#1338). ## How it activates The federation rule, organization, service account, and workspace IDs are read from repository **variables** (`vars.ANTHROPIC_FEDERATION_RULE_ID`, `vars.ANTHROPIC_ORGANIZATION_ID`, `vars.ANTHROPIC_SERVICE_ACCOUNT_ID`, `vars.ANTHROPIC_WORKSPACE_ID`). These are identifiers, not credentials. Until a repo admin sets them, the action fails fast at env validation with a clear "authentication required" message — so this PR is safe to merge ahead of that, and switching over is a settings change rather than another PR. The `ANTHROPIC_API_KEY` secret is intentionally left in place until the federated path has produced green runs; rollback is reverting this PR. ## Behavior notes - `claude-code-review.yml` runs on `pull_request`. Fork PRs don't receive `id-token: write` (GitHub withholds it the same way it withholds secrets), so reviews continue to run only for same-repo PRs — identical to today's behavior with the secret. - `test.yml` is deliberately **not** migrated here: it passes `ANTHROPIC_API_KEY` directly to pytest and to `docker run` for the SDK under test. Migrating that path means mounting an identity token into the container rather than swapping a workflow input, so it needs its own treatment.

…33 in the github-actions group [skip ci] Bumps the github-actions group with 1 update: [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action). Updates `anthropics/claude-code-action` from 1.0.123 to 1.0.133 Release notes *Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).* > v1.0.133 > -------- > > What's Changed > -------------- > > * Use workload identity federation for Claude auth in CI workflows by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1344](https://redirect.github.com/anthropics/claude-code-action/pull/1344) > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.133> > > v1.0.132 > -------- > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.132> > > v1.0.131 > -------- > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.131> > > v1.0.130 > -------- > > What's Changed > -------------- > > * Add Workload Identity Federation (OIDC) authentication support by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1338](https://redirect.github.com/anthropics/claude-code-action/pull/1338) > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.130> > > v1.0.129 > -------- > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.129> > > v1.0.128 > -------- > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.128> > > v1.0.127 > -------- > > What's Changed > -------------- > > * Refactor allowed\_bots actor resolution by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1330](https://redirect.github.com/anthropics/claude-code-action/pull/1330) > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.127> > > v1.0.126 > -------- > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.126> > > v1.0.125 > -------- > > What's Changed > -------------- > > * Simplify comment tool instructions in prompt by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1328](https://redirect.github.com/anthropics/claude-code-action/pull/1328) > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.125> > > v1.0.124 > -------- > > What's Changed > -------------- > > * fix: add parentheses to fix operator precedence in co-author check by [`@FuturizeRush`](https://github.com/FuturizeRush) in [anthropics/claude-code-action#1199](https://redirect.github.com/anthropics/claude-code-action/pull/1199) > * Strengthen simplified tag-mode prompt (USE\_SIMPLE\_PROMPT) by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1313](https://redirect.github.com/anthropics/claude-code-action/pull/1313) > * Fix prettier formatting in create-prompt by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1325](https://redirect.github.com/anthropics/claude-code-action/pull/1325) > > New Contributors > ---------------- ... (truncated) Commits * [`787c5a0`](anthropics/claude-code-action@787c5a0) chore: bump Claude Code to 2.1.150 and Agent SDK to 0.3.150 * [`4257c8e`](anthropics/claude-code-action@4257c8e) Use workload identity federation for Claude auth in CI workflows ([#1344](https://redirect.github.com/anthropics/claude-code-action/issues/1344)) * [`bbfaf8e`](anthropics/claude-code-action@bbfaf8e) chore: bump Claude Code to 2.1.149 and Agent SDK to 0.3.149 * [`4481e6d`](anthropics/claude-code-action@4481e6d) chore: bump Claude Code to 2.1.148 and Agent SDK to 0.3.148 * [`661a6fe`](anthropics/claude-code-action@661a6fe) Add Workload Identity Federation (OIDC) authentication support ([#1338](https://redirect.github.com/anthropics/claude-code-action/issues/1338)) * [`c9d66af`](anthropics/claude-code-action@c9d66af) chore: bump Claude Code to 2.1.147 and Agent SDK to 0.3.147 * [`20c8abf`](anthropics/claude-code-action@20c8abf) chore: bump Claude Code to 2.1.146 and Agent SDK to 0.3.146 * [`1dc994e`](anthropics/claude-code-action@1dc994e) Resolve actor account type before applying allowed\_bots ([#1330](https://redirect.github.com/anthropics/claude-code-action/issues/1330)) * [`ca89df3`](anthropics/claude-code-action@ca89df3) chore: bump Claude Code to 2.1.145 and Agent SDK to 0.3.145 * [`fd1877d`](anthropics/claude-code-action@fd1877d) Simplify comment tool instructions in prompt ([#1328](https://redirect.github.com/anthropics/claude-code-action/issues/1328)) * Additional commits viewable in [compare view](anthropics/claude-code-action@51ea8ea...787c5a0) [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility\_score?dependency-name=anthropics/claude-code-action&package-manager=github\_actions&previous-version=1.0.123&new-version=1.0.133)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions

claude Bot reviewed May 21, 2026

View reviewed changes

ashwin-ant added 2 commits May 21, 2026 13:38

Add WIF example workflow and base-action federation docs

2a94391

Default workload identity OIDC audience to https://api.anthropic.com

5e38078

ant-kurt approved these changes May 21, 2026

View reviewed changes

ashwin-ant merged commit 661a6fe into main May 21, 2026
38 checks passed

ashwin-ant deleted the ashwin/workload-identity-federation branch May 21, 2026 22:19

clanker-claude Bot mentioned this pull request May 22, 2026

ci(github-action): update action anthropics/claude-code-action ( c9d66af ➔ 661a6fe ) mrdynamo/home-ops#1634

Merged

1 task

ChumTech-Team mentioned this pull request May 25, 2026

教材更新: 2026-05-25 リポジトリ監視 — 7リポジトリのHIGH/MEDIUM変更を反映 ChumTech-Team/claudecode-checker#1

Open

coderabbitai Bot mentioned this pull request Jun 4, 2026

ci: harden Mintlify docs automation (AI triage classifier + scoped generator) MCPJam/inspector#2405

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Workload Identity Federation (OIDC) authentication support#1338

Add Workload Identity Federation (OIDC) authentication support#1338
ashwin-ant merged 3 commits into
mainfrom
ashwin/workload-identity-federation

ashwin-ant commented May 21, 2026

Uh oh!

claude Bot May 21, 2026

Uh oh!

claude Bot May 21, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

ashwin-ant commented May 21, 2026

What

How it works

Usage

Notes

Testing

Uh oh!

claude Bot May 21, 2026

Choose a reason for hiding this comment

Uh oh!

claude Bot May 21, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants