ci: migrate claude-code-action workflows to Workload Identity Federation (anthropics#662)

zenexer-ant · web-flow · commit 3c30b020594d · 2026-05-24T14:44:59.000-07:00
Replaces the static ANTHROPIC_API_KEY repo secret with Workload Identity Federation across the 6 workflows that invoke claude-code-action: the action exchanges this job's GitHub OIDC token for a short-lived access token. The federation rule is bound to this repository (repository_id-pinned). - Adds permissions: id-token: write to all 6 (none had it). - Pins claude-code-action to v1.0.132 — the WIF inputs landed in v1.0.130; @v1 is a moving tag. - No anthropic_workspace_id — the rule targets the org's default workspace, so the input is optional. The two notebook-execution steps (notebook-quality.yml, notebook- tests.yml) that pass ANTHROPIC_API_KEY as an env var to nbconvert/ pytest are NOT migrated here — those need a separate inline OIDC exchange (TODO comments added). Both gracefully degrade when the secret is absent: notebook-tests has an explicit skip-guard, and notebook-quality catches per-notebook failures.
diff --git a/.github/workflows/claude-link-review.yml b/.github/workflows/claude-link-review.yml
@@ -23,6 +23,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      id-token: write # Anthropic Workload Identity Federation
     steps:
       - name: Set PR number
         id: pr-number
@@ -66,9 +67,14 @@ jobs:
 
       - name: Run Claude Link Review
         if: steps.changed-files.outputs.has_files == 'true'
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@bbfaf8e1ffe3e688f7ab65ceee78de241e24a238 # v1.0.132 (>=v1.0.130 for WIF inputs)
         with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Anthropic auth via Workload Identity Federation — the action
+          # exchanges this job's GitHub OIDC token (id-token: write above)
+          # for a short-lived access token instead of a static API key.
+          anthropic_federation_rule_id: fdrl_01SqmTwzmEE547mtaYN1mqHL
+          anthropic_organization_id: 1ec12c5c-6542-4da8-bf2f-c15919aef01c
+          anthropic_service_account_id: svac_01BHcCBa1UWFvNrHMqJjuaUZ
           github_token: ${{ secrets.GITHUB_TOKEN }}
           prompt: |
             /link-review
diff --git a/.github/workflows/claude-model-check.yml b/.github/workflows/claude-model-check.yml
@@ -17,6 +17,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  id-token: write # Anthropic Workload Identity Federation
 
 jobs:
   model-check:
@@ -67,9 +68,14 @@ jobs:
 
       - name: Claude Model Validation
         if: steps.changed-files.outputs.has_files == 'true'
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@bbfaf8e1ffe3e688f7ab65ceee78de241e24a238 # v1.0.132 (>=v1.0.130 for WIF inputs)
         with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Anthropic auth via Workload Identity Federation — the action
+          # exchanges this job's GitHub OIDC token (id-token: write above)
+          # for a short-lived access token instead of a static API key.
+          anthropic_federation_rule_id: fdrl_01SqmTwzmEE547mtaYN1mqHL
+          anthropic_organization_id: 1ec12c5c-6542-4da8-bf2f-c15919aef01c
+          anthropic_service_account_id: svac_01BHcCBa1UWFvNrHMqJjuaUZ
           github_token: ${{ secrets.GITHUB_TOKEN }}
           prompt: |
             /model-check
diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml
@@ -24,6 +24,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      id-token: write # Anthropic Workload Identity Federation
     steps:
       - name: Set PR number
         id: pr-number
@@ -41,9 +42,14 @@ jobs:
           ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/pull/{0}/head', inputs.pr_number) || '' }}
 
       - name: Run Claude PR Review
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@bbfaf8e1ffe3e688f7ab65ceee78de241e24a238 # v1.0.132 (>=v1.0.130 for WIF inputs)
         with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Anthropic auth via Workload Identity Federation — the action
+          # exchanges this job's GitHub OIDC token (id-token: write above)
+          # for a short-lived access token instead of a static API key.
+          anthropic_federation_rule_id: fdrl_01SqmTwzmEE547mtaYN1mqHL
+          anthropic_organization_id: 1ec12c5c-6542-4da8-bf2f-c15919aef01c
+          anthropic_service_account_id: svac_01BHcCBa1UWFvNrHMqJjuaUZ
           github_token: ${{ secrets.GITHUB_TOKEN }}
           prompt: |
             /review-pr-ci ${{ steps.pr-number.outputs.number }}
diff --git a/.github/workflows/lint-format.yml b/.github/workflows/lint-format.yml
@@ -17,6 +17,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  id-token: write # Anthropic Workload Identity Federation
 
 jobs:
   lint-and-format:
@@ -117,9 +118,14 @@ jobs:
           github.event.pull_request.head.repo.full_name == github.repository &&
           (steps.format-check.outputs.has_format_issues == 'true' ||
            steps.lint-check.outputs.has_lint_issues == 'true')
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@bbfaf8e1ffe3e688f7ab65ceee78de241e24a238 # v1.0.132 (>=v1.0.130 for WIF inputs)
         with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Anthropic auth via Workload Identity Federation — the action
+          # exchanges this job's GitHub OIDC token (id-token: write above)
+          # for a short-lived access token instead of a static API key.
+          anthropic_federation_rule_id: fdrl_01SqmTwzmEE547mtaYN1mqHL
+          anthropic_organization_id: 1ec12c5c-6542-4da8-bf2f-c15919aef01c
+          anthropic_service_account_id: svac_01BHcCBa1UWFvNrHMqJjuaUZ
           github_token: ${{ secrets.GITHUB_TOKEN }}
           prompt: |
             The linting and formatting checks found issues.
diff --git a/.github/workflows/notebook-quality.yml b/.github/workflows/notebook-quality.yml
@@ -14,6 +14,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  id-token: write # Anthropic Workload Identity Federation
 
 jobs:
   validate-notebooks:
@@ -55,9 +56,14 @@ jobs:
 
       - name: Summarize validation issues with Claude
         if: github.event_name == 'pull_request' && steps.validate.outputs.has_issues == 'true'
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@bbfaf8e1ffe3e688f7ab65ceee78de241e24a238 # v1.0.132 (>=v1.0.130 for WIF inputs)
         with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Anthropic auth via Workload Identity Federation — the action
+          # exchanges this job's GitHub OIDC token (id-token: write above)
+          # for a short-lived access token instead of a static API key.
+          anthropic_federation_rule_id: fdrl_01SqmTwzmEE547mtaYN1mqHL
+          anthropic_organization_id: 1ec12c5c-6542-4da8-bf2f-c15919aef01c
+          anthropic_service_account_id: svac_01BHcCBa1UWFvNrHMqJjuaUZ
           github_token: ${{ secrets.GITHUB_TOKEN }}
           prompt: |
             The notebook validation found these issues:
@@ -82,6 +88,11 @@ jobs:
           PR_NUMBER: ${{ github.event.pull_request.number }}
 
       # Only run API tests on main branch or for maintainers (costs money)
+      # TODO: this step still reads the static ANTHROPIC_API_KEY secret. The
+      # claude-code-action steps above use Workload Identity Federation; this
+      # direct-API step needs a separate inline OIDC mint+exchange (or the
+      # anthropic SDK's WIF env-var trio). Non-fatal in the meantime — each
+      # notebook execution failure is caught by the `|| echo` below.
       - name: Execute notebooks (API Testing)
         if: |
           github.event_name == 'push' || 
diff --git a/.github/workflows/notebook-tests.yml b/.github/workflows/notebook-tests.yml
@@ -16,6 +16,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  id-token: write # Anthropic Workload Identity Federation
 
 jobs:
   test-notebooks:
@@ -126,9 +127,14 @@ jobs:
           github.event_name == 'pull_request' &&
           steps.changed-notebooks.outputs.has_notebooks == 'true' &&
           steps.structure-tests.outputs.has_failures == 'true'
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@bbfaf8e1ffe3e688f7ab65ceee78de241e24a238 # v1.0.132 (>=v1.0.130 for WIF inputs)
         with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Anthropic auth via Workload Identity Federation — the action
+          # exchanges this job's GitHub OIDC token (id-token: write above)
+          # for a short-lived access token instead of a static API key.
+          anthropic_federation_rule_id: fdrl_01SqmTwzmEE547mtaYN1mqHL
+          anthropic_organization_id: 1ec12c5c-6542-4da8-bf2f-c15919aef01c
+          anthropic_service_account_id: svac_01BHcCBa1UWFvNrHMqJjuaUZ
           github_token: ${{ secrets.GITHUB_TOKEN }}
           prompt: |
             The notebook tests found issues in the changed notebooks.
@@ -157,6 +163,11 @@ jobs:
         env:
           PR_NUMBER: ${{ github.event.pull_request.number }}
 
+      # TODO: this step still reads the static ANTHROPIC_API_KEY secret. The
+      # claude-code-action step above uses Workload Identity Federation; this
+      # direct-API step needs a separate inline OIDC mint+exchange (or the
+      # anthropic SDK's WIF env-var trio). Gracefully skips when the secret
+      # is absent (the `[ -z "$ANTHROPIC_API_KEY" ]` guard below).
       - name: Run notebook execution tests (maintainers only)
         id: execution-tests
         if: |
