feat: add OAuth token authentication support (#236)

* feat: add OAuth token authentication support Add claude_code_oauth_token as an alternative authentication method to anthropic_api_key. This provides more flexibility for users who prefer OAuth authentication. - Add claude_code_oauth_token input to action.yml - Pass OAuth token through to claude-code-base-action - Update README with OAuth token documentation and examples - Update security best practices to cover both authentication methods - Add OAuth example to examples/claude.yml 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: add OAuth token generation instructions for Pro/Max users Update README to mention that Pro and Max users can generate OAuth tokens by running `claude setup-token` locally. This provides clearer guidance for users who want to use OAuth authentication instead of API keys. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: update CI capabilities documentation - Move GitHub Actions access from limitations to capabilities in README - Update FAQ to explain how to enable CI/CD access with actions:read permission - Clarify that Claude can access workflow results on PRs where it's tagged 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
2026-01-22 22:44:13 +08:00 · 2025-07-07 16:07:22 -07:00
parent d6bc8ddf8a
commit a804c9e83f
4 changed files with 72 additions and 42 deletions
--- a/FAQ.md
+++ b/FAQ.md
@@ -51,14 +51,29 @@ allowed_tools: "Bash(git rebase:*)" # Use with caution
 Claude doesn't create PRs by default. Instead, it pushes commits to a branch and provides a link to a pre-filled PR submission page. This approach ensures your repository's branch protection rules are still adhered to and gives you final control over PR creation.
-### Why can't Claude run my tests or see CI results?
+### Can Claude see my GitHub Actions CI results?
-Claude cannot access GitHub Actions logs, test results, or other CI/CD outputs by default. It only has access to the repository files. If you need Claude to see test results, you can either:
+Yes! Claude can access GitHub Actions workflow runs, job logs, and test results on the PR where it's tagged. To enable this:
-1. Instruct Claude to run tests before making commits
+1. Add `actions: read` permission to your workflow:
 2. Copy and paste CI results into a comment for Claude to analyze
-This limitation exists for security reasons but may be reconsidered in the future based on user feedback.
+   ```yaml
   permissions:
     contents: write
     pull-requests: write
     issues: write
     actions: read
   ```
 2. Configure the action with additional permissions:
   ```yaml
   - uses: anthropics/claude-code-action@beta
     with:
       additional_permissions: |
         actions: read
   ```
 Claude will then be able to analyze CI failures and help debug workflow issues. For running tests locally before commits, you can still instruct Claude to do so in your request.
 ### Why does Claude only update one comment instead of creating new ones?
--- a/README.md
+++ b/README.md
@@ -30,7 +30,9 @@ This command will guide you through setting up the GitHub app and required secre
 **Requirements**: You must be a repository admin to complete these steps.
 1. Install the Claude GitHub app to your repository: https://github.com/apps/claude
-2. Add `ANTHROPIC_API_KEY` to your repository secrets ([Learn how to use secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions))
+2. Add authentication to your repository secrets ([Learn how to use secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions)):
   - Either `ANTHROPIC_API_KEY` for API key authentication
   - Or `CLAUDE_CODE_OAUTH_TOKEN` for OAuth token authentication (Pro and Max users can generate this by running `claude setup-token` locally)
 3. Copy the workflow file from [`examples/claude.yml`](./examples/claude.yml) into your repository's `.github/workflows/`
 ## 📚 FAQ
@@ -60,6 +62,8 @@ jobs:
      - uses: anthropics/claude-code-action@beta
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # Or use OAuth token instead:
          # claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # Optional: add custom trigger phrase (default: @claude)
          # trigger_phrase: "/claude"
@@ -81,30 +85,31 @@ jobs:
 ## Inputs
-| Input                    | Description                                                                                                          | Required | Default   |
+| Input                     | Description                                                                                                          | Required | Default   |
-| ------------------------ | -------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
-| `anthropic_api_key`      | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                           | No\*     | -         |
+| `anthropic_api_key`       | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                           | No\*     | -         |
-| `direct_prompt`          | Direct prompt for Claude to execute automatically without needing a trigger (for automated workflows)                | No       | -         |
+| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key)                                                           | No\*     | -         |
-| `base_branch`            | The base branch to use for creating new branches (e.g., 'main', 'develop')                                           | No       | -         |
+| `direct_prompt`           | Direct prompt for Claude to execute automatically without needing a trigger (for automated workflows)                | No       | -         |
-| `max_turns`              | Maximum number of conversation turns Claude can take (limits back-and-forth exchanges)                               | No       | -         |
+| `base_branch`             | The base branch to use for creating new branches (e.g., 'main', 'develop')                                           | No       | -         |
-| `timeout_minutes`        | Timeout in minutes for execution                                                                                     | No       | `30`      |
+| `max_turns`               | Maximum number of conversation turns Claude can take (limits back-and-forth exchanges)                               | No       | -         |
-| `use_sticky_comment`     | Use just one comment to deliver PR comments (only applies for pull_request event workflows)                          | No       | `false`   |
+| `timeout_minutes`         | Timeout in minutes for execution                                                                                     | No       | `30`      |
-| `github_token`           | GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!** | No       | -         |
+| `use_sticky_comment`      | Use just one comment to deliver PR comments (only applies for pull_request event workflows)                          | No       | `false`   |
-| `model`                  | Model to use (provider-specific format required for Bedrock/Vertex)                                                  | No       | -         |
+| `github_token`            | GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!** | No       | -         |
-| `fallback_model`         | Enable automatic fallback to specified model when primary model is unavailable                                       | No       | -         |
+| `model`                   | Model to use (provider-specific format required for Bedrock/Vertex)                                                  | No       | -         |
-| `anthropic_model`        | **DEPRECATED**: Use `model` instead. Kept for backward compatibility.                                                | No       | -         |
+| `fallback_model`          | Enable automatic fallback to specified model when primary model is unavailable                                       | No       | -         |
-| `use_bedrock`            | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                          | No       | `false`   |
+| `anthropic_model`         | **DEPRECATED**: Use `model` instead. Kept for backward compatibility.                                                | No       | -         |
-| `use_vertex`             | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                        | No       | `false`   |
+| `use_bedrock`             | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                          | No       | `false`   |
-| `allowed_tools`          | Additional tools for Claude to use (the base GitHub tools will always be included)                                   | No       | ""        |
+| `use_vertex`              | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                        | No       | `false`   |
-| `disallowed_tools`       | Tools that Claude should never use                                                                                   | No       | ""        |
+| `allowed_tools`           | Additional tools for Claude to use (the base GitHub tools will always be included)                                   | No       | ""        |
-| `custom_instructions`    | Additional custom instructions to include in the prompt for Claude                                                   | No       | ""        |
+| `disallowed_tools`        | Tools that Claude should never use                                                                                   | No       | ""        |
-| `mcp_config`             | Additional MCP configuration (JSON string) that merges with the built-in GitHub MCP servers                          | No       | ""        |
+| `custom_instructions`     | Additional custom instructions to include in the prompt for Claude                                                   | No       | ""        |
-| `assignee_trigger`       | The assignee username that triggers the action (e.g. @claude). Only used for issue assignment                        | No       | -         |
+| `mcp_config`              | Additional MCP configuration (JSON string) that merges with the built-in GitHub MCP servers                          | No       | ""        |
-| `label_trigger`          | The label name that triggers the action when applied to an issue (e.g. "claude")                                     | No       | -         |
+| `assignee_trigger`        | The assignee username that triggers the action (e.g. @claude). Only used for issue assignment                        | No       | -         |
-| `trigger_phrase`         | The trigger phrase to look for in comments, issue/PR bodies, and issue titles                                        | No       | `@claude` |
+| `label_trigger`           | The label name that triggers the action when applied to an issue (e.g. "claude")                                     | No       | -         |
-| `branch_prefix`          | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)                         | No       | `claude/` |
+| `trigger_phrase`          | The trigger phrase to look for in comments, issue/PR bodies, and issue titles                                        | No       | `@claude` |
-| `claude_env`             | Custom environment variables to pass to Claude Code execution (YAML format)                                          | No       | ""        |
+| `branch_prefix`           | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)                         | No       | `claude/` |
-| `additional_permissions` | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                    | No       | ""        |
+| `claude_env`              | Custom environment variables to pass to Claude Code execution (YAML format)                                          | No       | ""        |
 | `additional_permissions`  | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                    | No       | ""        |
 \*Required when using direct Anthropic API (default and when not using Bedrock or Vertex)
@@ -330,6 +335,7 @@ This action is built on top of [`anthropics/claude-code-base-action`](https://gi
  - When triggered on an **issue**: Always creates a new branch for the work
  - When triggered on an **open PR**: Always pushes directly to the existing PR branch
  - When triggered on a **closed PR**: Creates a new branch since the original is no longer active
 - **View GitHub Actions Results**: Can access workflow runs, job logs, and test results on the PR where it's tagged when `actions: read` permission is configured (see [Additional Permissions for CI/CD Integration](#additional-permissions-for-cicd-integration))
 ### What Claude Cannot Do
@@ -338,7 +344,6 @@ This action is built on top of [`anthropics/claude-code-base-action`](https://gi
 - **Post Multiple Comments**: Claude only acts by updating its initial comment
 - **Execute Commands Outside Its Context**: Claude only has access to the repository and PR/issue context it's triggered in
 - **Run Arbitrary Bash Commands**: By default, Claude cannot execute Bash commands unless explicitly allowed using the `allowed_tools` configuration
 - **View CI/CD Results**: Cannot access CI systems, test results, or build logs unless an additional tool or MCP server is configured
 - **Perform Branch Operations**: Cannot merge branches, rebase, or perform other git operations beyond pushing commits
 ## Advanced Configuration
@@ -604,18 +609,21 @@ The [Claude Code GitHub app](https://github.com/apps/claude) requires these perm
 All commits made by Claude through this action are automatically signed with commit signatures. This ensures the authenticity and integrity of commits, providing a verifiable trail of changes made by the action.
-### ⚠️ ANTHROPIC_API_KEY Protection
+### ⚠️ Authentication Protection
-**CRITICAL: Never hardcode your Anthropic API key in workflow files!**
+**CRITICAL: Never hardcode your Anthropic API key or OAuth token in workflow files!**
-Your ANTHROPIC_API_KEY must always be stored in GitHub secrets to prevent unauthorized access:
+Your authentication credentials must always be stored in GitHub secrets to prevent unauthorized access:
 ```yaml
 # CORRECT ✅
 anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 # OR
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 # NEVER DO THIS ❌
 anthropic_api_key: "sk-ant-api03-..." # Exposed and vulnerable!
 claude_code_oauth_token: "oauth_token_..." # Exposed and vulnerable!
 ```
 ### Setting Up GitHub Secrets
@@ -623,17 +631,18 @@ anthropic_api_key: "sk-ant-api03-..." # Exposed and vulnerable!
 1. Go to your repository's Settings
 2. Click on "Secrets and variables" → "Actions"
 3. Click "New repository secret"
-4. Name: `ANTHROPIC_API_KEY`
+4. For authentication, choose one:
-5. Value: Your Anthropic API key (starting with `sk-ant-`)
+   - API Key: Name: `ANTHROPIC_API_KEY`, Value: Your Anthropic API key (starting with `sk-ant-`)
-6. Click "Add secret"
+   - OAuth Token: Name: `CLAUDE_CODE_OAUTH_TOKEN`, Value: Your Claude Code OAuth token (Pro and Max users can generate this by running `claude setup-token` locally)
 5. Click "Add secret"
-### Best Practices for ANTHROPIC_API_KEY
+### Best Practices for Authentication
-1. ✅ Always use `${{ secrets.ANTHROPIC_API_KEY }}` in workflows
+1. ✅ Always use `${{ secrets.ANTHROPIC_API_KEY }}` or `${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}` in workflows
-2. ✅ Never commit API keys to version control
+2. ✅ Never commit API keys or tokens to version control
-3. ✅ Regularly rotate your API keys
+3. ✅ Regularly rotate your API keys and tokens
 4. ✅ Use environment secrets for organization-wide access
-5. ❌ Never share API keys in pull requests or issues
+5. ❌ Never share API keys or tokens in pull requests or issues
 6. ❌ Avoid logging workflow variables that might contain keys
 ## Security Best Practices
--- a/action.yml
+++ b/action.yml
@@ -65,6 +65,9 @@ inputs:
  anthropic_api_key:
    description: "Anthropic API key (required for direct API, not needed for Bedrock/Vertex)"
    required: false
  claude_code_oauth_token:
    description: "Claude Code OAuth token (alternative to anthropic_api_key)"
    required: false
  github_token:
    description: "GitHub token with repo and pull request permissions (optional if using GitHub App)"
    required: false
@@ -147,6 +150,7 @@ runs:
        use_bedrock: ${{ inputs.use_bedrock }}
        use_vertex: ${{ inputs.use_vertex }}
        anthropic_api_key: ${{ inputs.anthropic_api_key }}
        claude_code_oauth_token: ${{ inputs.claude_code_oauth_token }}
        claude_env: ${{ inputs.claude_env }}
      env:
        # Model configuration
--- a/examples/claude.yml
+++ b/examples/claude.yml
@@ -33,4 +33,6 @@ jobs:
        uses: anthropics/claude-code-action@beta
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # Or use OAuth token instead:
          # claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          timeout_minutes: "60"