feat: add OAuth token authentication support (#236)

* feat: add OAuth token authentication support

Add claude_code_oauth_token as an alternative authentication method to anthropic_api_key.
This provides more flexibility for users who prefer OAuth authentication.

- Add claude_code_oauth_token input to action.yml
- Pass OAuth token through to claude-code-base-action
- Update README with OAuth token documentation and examples
- Update security best practices to cover both authentication methods
- Add OAuth example to examples/claude.yml

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: add OAuth token generation instructions for Pro/Max users

Update README to mention that Pro and Max users can generate OAuth tokens
by running `claude setup-token` locally. This provides clearer guidance
for users who want to use OAuth authentication instead of API keys.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: update CI capabilities documentation

- Move GitHub Actions access from limitations to capabilities in README
- Update FAQ to explain how to enable CI/CD access with actions:read permission
- Clarify that Claude can access workflow results on PRs where it's tagged

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

FAQ.md

@@ -51,14 +51,29 @@ allowed_tools: "Bash(git rebase:*)" # Use with caution
 
 Claude doesn't create PRs by default. Instead, it pushes commits to a branch and provides a link to a pre-filled PR submission page. This approach ensures your repository's branch protection rules are still adhered to and gives you final control over PR creation.
 
-### Why can't Claude run my tests or see CI results?
+### Can Claude see my GitHub Actions CI results?
 
-Claude cannot access GitHub Actions logs, test results, or other CI/CD outputs by default. It only has access to the repository files. If you need Claude to see test results, you can either:
+Yes! Claude can access GitHub Actions workflow runs, job logs, and test results on the PR where it's tagged. To enable this:
 
-1. Instruct Claude to run tests before making commits
-2. Copy and paste CI results into a comment for Claude to analyze
+1. Add `actions: read` permission to your workflow:
 
-This limitation exists for security reasons but may be reconsidered in the future based on user feedback.
+   ```yaml
+   permissions:
+     contents: write
+     pull-requests: write
+     issues: write
+     actions: read
+   ```
+
+2. Configure the action with additional permissions:
+   ```yaml
+   - uses: anthropics/claude-code-action@beta
+     with:
+       additional_permissions: |
+         actions: read
+   ```
+
+Claude will then be able to analyze CI failures and help debug workflow issues. For running tests locally before commits, you can still instruct Claude to do so in your request.
 
 ### Why does Claude only update one comment instead of creating new ones?
 

README.md

@@ -30,7 +30,9 @@ This command will guide you through setting up the GitHub app and required secre
 **Requirements**: You must be a repository admin to complete these steps.
 
 1. Install the Claude GitHub app to your repository: https://github.com/apps/claude
-2. Add `ANTHROPIC_API_KEY` to your repository secrets ([Learn how to use secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions))
+2. Add authentication to your repository secrets ([Learn how to use secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions)):
+   - Either `ANTHROPIC_API_KEY` for API key authentication
+   - Or `CLAUDE_CODE_OAUTH_TOKEN` for OAuth token authentication (Pro and Max users can generate this by running `claude setup-token` locally)
 3. Copy the workflow file from [`examples/claude.yml`](./examples/claude.yml) into your repository's `.github/workflows/`
 
 ## 📚 FAQ
@@ -60,6 +62,8 @@ jobs:
       - uses: anthropics/claude-code-action@beta
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Or use OAuth token instead:
+          # claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
           # Optional: add custom trigger phrase (default: @claude)
           # trigger_phrase: "/claude"
@@ -82,8 +86,9 @@ jobs:
 ## Inputs
 
 | Input                     | Description                                                                                                          | Required | Default   |
-| ------------------------ | -------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
 | `anthropic_api_key`       | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                           | No\*     | -         |
+| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key)                                                           | No\*     | -         |
 | `direct_prompt`           | Direct prompt for Claude to execute automatically without needing a trigger (for automated workflows)                | No       | -         |
 | `base_branch`             | The base branch to use for creating new branches (e.g., 'main', 'develop')                                           | No       | -         |
 | `max_turns`               | Maximum number of conversation turns Claude can take (limits back-and-forth exchanges)                               | No       | -         |
@@ -330,6 +335,7 @@ This action is built on top of [`anthropics/claude-code-base-action`](https://gi
   - When triggered on an **issue**: Always creates a new branch for the work
   - When triggered on an **open PR**: Always pushes directly to the existing PR branch
   - When triggered on a **closed PR**: Creates a new branch since the original is no longer active
+- **View GitHub Actions Results**: Can access workflow runs, job logs, and test results on the PR where it's tagged when `actions: read` permission is configured (see [Additional Permissions for CI/CD Integration](#additional-permissions-for-cicd-integration))
 
 ### What Claude Cannot Do
 
@@ -338,7 +344,6 @@ This action is built on top of [`anthropics/claude-code-base-action`](https://gi
 - **Post Multiple Comments**: Claude only acts by updating its initial comment
 - **Execute Commands Outside Its Context**: Claude only has access to the repository and PR/issue context it's triggered in
 - **Run Arbitrary Bash Commands**: By default, Claude cannot execute Bash commands unless explicitly allowed using the `allowed_tools` configuration
-- **View CI/CD Results**: Cannot access CI systems, test results, or build logs unless an additional tool or MCP server is configured
 - **Perform Branch Operations**: Cannot merge branches, rebase, or perform other git operations beyond pushing commits
 
 ## Advanced Configuration
@@ -604,18 +609,21 @@ The [Claude Code GitHub app](https://github.com/apps/claude) requires these perm
 
 All commits made by Claude through this action are automatically signed with commit signatures. This ensures the authenticity and integrity of commits, providing a verifiable trail of changes made by the action.
 
-### ⚠️ ANTHROPIC_API_KEY Protection
+### ⚠️ Authentication Protection
 
-**CRITICAL: Never hardcode your Anthropic API key in workflow files!**
+**CRITICAL: Never hardcode your Anthropic API key or OAuth token in workflow files!**
 
-Your ANTHROPIC_API_KEY must always be stored in GitHub secrets to prevent unauthorized access:
+Your authentication credentials must always be stored in GitHub secrets to prevent unauthorized access:
 
 ```yaml
 # CORRECT ✅
 anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+# OR
+claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
 # NEVER DO THIS ❌
 anthropic_api_key: "sk-ant-api03-..." # Exposed and vulnerable!
+claude_code_oauth_token: "oauth_token_..." # Exposed and vulnerable!
 ```
 
 ### Setting Up GitHub Secrets
@@ -623,17 +631,18 @@ anthropic_api_key: "sk-ant-api03-..." # Exposed and vulnerable!
 1. Go to your repository's Settings
 2. Click on "Secrets and variables" → "Actions"
 3. Click "New repository secret"
-4. Name: `ANTHROPIC_API_KEY`
-5. Value: Your Anthropic API key (starting with `sk-ant-`)
-6. Click "Add secret"
+4. For authentication, choose one:
+   - API Key: Name: `ANTHROPIC_API_KEY`, Value: Your Anthropic API key (starting with `sk-ant-`)
+   - OAuth Token: Name: `CLAUDE_CODE_OAUTH_TOKEN`, Value: Your Claude Code OAuth token (Pro and Max users can generate this by running `claude setup-token` locally)
+5. Click "Add secret"
 
-### Best Practices for ANTHROPIC_API_KEY
+### Best Practices for Authentication
 
-1. ✅ Always use `${{ secrets.ANTHROPIC_API_KEY }}` in workflows
-2. ✅ Never commit API keys to version control
-3. ✅ Regularly rotate your API keys
+1. ✅ Always use `${{ secrets.ANTHROPIC_API_KEY }}` or `${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}` in workflows
+2. ✅ Never commit API keys or tokens to version control
+3. ✅ Regularly rotate your API keys and tokens
 4. ✅ Use environment secrets for organization-wide access
-5. ❌ Never share API keys in pull requests or issues
+5. ❌ Never share API keys or tokens in pull requests or issues
 6. ❌ Avoid logging workflow variables that might contain keys
 
 ## Security Best Practices

action.yml

@@ -65,6 +65,9 @@ inputs:
   anthropic_api_key:
     description: "Anthropic API key (required for direct API, not needed for Bedrock/Vertex)"
     required: false
+  claude_code_oauth_token:
+    description: "Claude Code OAuth token (alternative to anthropic_api_key)"
+    required: false
   github_token:
     description: "GitHub token with repo and pull request permissions (optional if using GitHub App)"
     required: false
@@ -147,6 +150,7 @@ runs:
         use_bedrock: ${{ inputs.use_bedrock }}
         use_vertex: ${{ inputs.use_vertex }}
         anthropic_api_key: ${{ inputs.anthropic_api_key }}
+        claude_code_oauth_token: ${{ inputs.claude_code_oauth_token }}
         claude_env: ${{ inputs.claude_env }}
       env:
         # Model configuration

examples/claude.yml

@@ -33,4 +33,6 @@ jobs:
         uses: anthropics/claude-code-action@beta
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Or use OAuth token instead:
+          # claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           timeout_minutes: "60"