chore(deps): update anthropics/claude-code-action action to v1.0.77 #445

Open
renovate[bot] wants to merge 1 commit into main from renovate/anthropics-claude-code-action-1.x
@renovate renovate bot commented Mar 18, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| anthropics/claude-code-action | action | patch | v1.0.72 -> v1.0.77 |

Release Notes

anthropics/claude-code-action (anthropics/claude-code-action)

v1.0.77

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

What's Changed

Full Changelog: anthropics/claude-code-action@v1.0.76...v1.0.77

v1.0.76

Full Changelog: anthropics/claude-code-action@v1...v1.0.76

v1.0.75

Full Changelog: anthropics/claude-code-action@v1...v1.0.75

v1.0.74

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.74

v1.0.73

Full Changelog: anthropics/claude-code-action@v1...v1.0.73


Configuration

📅 Schedule: Branch creation - "after 01:00 and before 07:00 every weekday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
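
The subprocess scrubbing described in the v1.0.77 release notes above, as an added Python example (not code from claude-code-action or Claude Code): the parent keeps its credentials and only the environment handed to the child is filtered. The deny-list entries, `child_env`, `run_in_child` and the treatment of an unset flag as off are assumptions; the notes name only categories plus `ANTHROPIC_API_KEY`, `GITHUB_TOKEN` and `GH_TOKEN`.

```python
import os
import subprocess

# Assumed, illustrative deny-list: real variable names, but not the list Claude
# Code actually uses (the release notes give categories, not names).
SCRUB_EXACT = {
    "ANTHROPIC_API_KEY",               # Anthropic auth (named in the notes)
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN",  # GitHub Actions OIDC
    "ACTIONS_ID_TOKEN_REQUEST_URL",
    "ACTIONS_RUNTIME_TOKEN",           # GitHub Actions runtime token
    "OTEL_EXPORTER_OTLP_HEADERS",      # OTEL auth headers
}
SCRUB_PREFIXES = ("AWS_",)             # stand-in for cloud provider credentials
KEEP = {"GITHUB_TOKEN", "GH_TOKEN"}    # kept, per the release notes
FLAG = "CLAUDE_CODE_SUBPROCESS_ENV_SCRUB"


def child_env(parent_env):
    """Environment for a subprocess; unset flag treated as off (assumption)."""
    if parent_env.get(FLAG) != "1":
        return dict(parent_env)
    return {
        k: v for k, v in parent_env.items()
        if k in KEEP or not (k in SCRUB_EXACT or k.startswith(SCRUB_PREFIXES))
    }


def run_in_child(command, parent_env):
    """Run a shell command as a Bash-tool call would, with the filtered env."""
    done = subprocess.run(["sh", "-c", command], env=child_env(parent_env),
                          capture_output=True, text=True, check=True)
    return done.stdout


# Constructed parent environment; every secret value is a placeholder.
PARENT = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    FLAG: "1",
    "ANTHROPIC_API_KEY": "placeholder-anthropic-key",
    "AWS_SECRET_ACCESS_KEY": "placeholder-aws-secret",
    "GITHUB_TOKEN": "placeholder-github-token",
}
# Shell expansion inside the child: the read the notes are concerned with.
PROBE = 'printf "%s|%s|%s" "$ANTHROPIC_API_KEY" "$AWS_SECRET_ACCESS_KEY" "$GITHUB_TOKEN"'

if __name__ == "__main__":
    print("scrub on :", run_in_child(PROBE, PARENT))
    print("scrub off:", run_in_child(PROBE, {**PARENT, FLAG: "0"}))
    print("parent   :", PARENT["ANTHROPIC_API_KEY"])
```

The kept `GITHUB_TOKEN` is still readable by any child process, so the job's `permissions:` block remains the control that limits what it can do.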

@github-actions github-actions bot added the size/XS Extra small PR: < 100 lines changed label Mar 18, 2026
@renovate renovate bot force-pushed the renovate/anthropics-claude-code-action-1.x branch from ca63d33 to ddb20fe Compare March 18, 2026 18:13
@renovate renovate bot changed the title chore(deps): update anthropics/claude-code-action action to v1.0.73 chore(deps): update anthropics/claude-code-action action to v1.0.74 Mar 18, 2026
@github-actions github-actions bot added size/XS Extra small PR: < 100 lines changed and removed size/XS Extra small PR: < 100 lines changed labels Mar 18, 2026
@renovate renovate bot changed the title chore(deps): update anthropics/claude-code-action action to v1.0.74 chore(deps): update anthropics/claude-code-action action to v1.0.75 Mar 19, 2026
@renovate renovate bot force-pushed the renovate/anthropics-claude-code-action-1.x branch from ddb20fe to 70dd4dc Compare March 19, 2026 01:27
@github-actions github-actions bot added size/XS Extra small PR: < 100 lines changed and removed size/XS Extra small PR: < 100 lines changed labels Mar 19, 2026
@renovate renovate bot force-pushed the renovate/anthropics-claude-code-action-1.x branch from 70dd4dc to d16240f Compare March 21, 2026 01:47
@renovate renovate bot changed the title chore(deps): update anthropics/claude-code-action action to v1.0.75 chore(deps): update anthropics/claude-code-action action to v1.0.76 Mar 21, 2026
@github-actions github-actions bot added size/XS Extra small PR: < 100 lines changed and removed size/XS Extra small PR: < 100 lines changed labels Mar 21, 2026
@renovate renovate bot changed the title chore(deps): update anthropics/claude-code-action action to v1.0.76 chore(deps): update anthropics/claude-code-action action to v1.0.77 Mar 23, 2026
@renovate renovate bot force-pushed the renovate/anthropics-claude-code-action-1.x branch from d16240f to 929d2fa Compare March 23, 2026 12:48
@github-actions github-actions bot added size/XS Extra small PR: < 100 lines changed and removed size/XS Extra small PR: < 100 lines changed labels Mar 23, 2026
Labels

dependencies size/XS Extra small PR: < 100 lines changed
