Pin GitHub Action dependencies to commit SHAs for security (#66 )

Pin oven-sh/setup-bun and anthropics/claude-code-base-action to specific commit SHAs instead of version tags to ensure reproducible builds and improve supply chain security. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Claude <noreply@anthropic.com>
Improve error messages for GitHub Action authentication failures (#50 )
2026-01-23 23:14:13 +08:00 · 2025-05-27 10:14:11 -07:00 · 2025-05-25 18:43:54 -07:00
2 changed files with 17 additions and 15 deletions
--- a/action.yml
+++ b/action.yml
@@ -67,7 +67,7 @@ runs:
  using: "composite"
  steps:
    - name: Install Bun
-      uses: oven-sh/setup-bun@v2
+      uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # https://github.com/oven-sh/setup-bun/releases/tag/v2.0.2
      with:
        bun-version: 1.2.11
@@ -94,7 +94,7 @@ runs:
    - name: Run Claude Code
      id: claude-code
      if: steps.prepare.outputs.contains_trigger == 'true'
-      uses: anthropics/claude-code-base-action@beta
+      uses: anthropics/claude-code-base-action@5097b6cdfe5fc5a3ac0166cc344c34ed23c93982 # https://github.com/anthropics/claude-code-base-action/releases/tag/v0.0.5
      with:
        prompt_file: /tmp/claude-prompts/claude-prompt.txt
        allowed_tools: ${{ env.ALLOWED_TOOLS }}
--- a/src/github/token.ts
+++ b/src/github/token.ts
@@ -39,25 +39,19 @@ async function retryWithBackoff<T>(
    }
  }
-  throw new Error(
+  console.error(`Operation failed after ${maxAttempts} attempts`);
-    `Operation failed after ${maxAttempts} attempts. Last error: ${
+  throw lastError;
      lastError?.message ?? "Unknown error"
    }`,
  );
 }
 async function getOidcToken(): Promise<string> {
  try {
    const oidcToken = await core.getIDToken("claude-code-github-action");
    if (!oidcToken) {
      throw new Error("OIDC token not found");
    }
    return oidcToken;
  } catch (error) {
    console.error("Failed to get OIDC token:", error);
    throw new Error(
-      `Failed to get OIDC token: ${error instanceof Error ? error.message : String(error)}`,
+      "Could not fetch an OIDC token. Did you remember to add `id-token: write` to your workflow permissions?",
    );
  }
 }
@@ -74,9 +68,15 @@ async function exchangeForAppToken(oidcToken: string): Promise<string> {
  );
  if (!response.ok) {
-    throw new Error(
+    const responseJson = (await response.json()) as {
-      `App token exchange failed: ${response.status} ${response.statusText}`,
+      error?: {
        message?: string;
      };
    };
    console.error(
      `App token exchange failed: ${response.status} ${response.statusText} - ${responseJson?.error?.message ?? "Unknown error"}`,
    );
    throw new Error(`${responseJson?.error?.message ?? "Unknown error"}`);
  }
  const appTokenData = (await response.json()) as {
@@ -117,7 +117,9 @@ export async function setupGitHubToken(): Promise<string> {
    core.setOutput("GITHUB_TOKEN", appToken);
    return appToken;
  } catch (error) {
-    core.setFailed(`Failed to setup GitHub token: ${error}`);
+    core.setFailed(
      `Failed to setup GitHub token: ${error}.\n\nIf you instead wish to use this action with a custom GitHub token or custom GitHub app, provide a \`github_token\` in the \`uses\` section of the app in your workflow yml file.`,
    );
    process.exit(1);
  }
 }