ci(common): setup git token to clone marketplace in claude action (#1820)

enitrat · web-flow · commit 6b48847273d3 · 2026-01-22T12:34:24.000+01:00
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -11,6 +11,13 @@ name: claude-review
 # Security: Only users with write/admin permissions can trigger Claude.
 # External contributors (fork PRs) are automatically blocked by the action.
 # See: https://github.com/anthropics/claude-code-action/blob/main/src/github/validation/permissions.ts
+#
+# Secrets required:
+# - CLAUDE_CODE_OAUTH_TOKEN: OAuth token from `claude setup-token`
+#
+# Note: Private marketplaces require git auth in base-action mode.
+# We obtain the Claude GitHub App token and configure git to use it for https clones,
+# so the action can clone marketplaces directly.
 
 on:
   issue_comment:
@@ -42,6 +49,37 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b
 
+      - name: Get Claude App token
+        id: claude-token
+        run: |
+          # Get OIDC token
+          OIDC_RESPONSE=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=claude-code-github-action")
+          OIDC_TOKEN=$(echo "$OIDC_RESPONSE" | jq -r '.value')
+
+          if [ -z "$OIDC_TOKEN" ] || [ "$OIDC_TOKEN" = "null" ]; then
+            echo "❌ Failed to get OIDC token"
+            exit 1
+          fi
+
+          # Exchange for GitHub App token
+          APP_RESPONSE=$(curl -s -X POST https://api.anthropic.com/api/github/github-app-token-exchange \
+            -H "Authorization: Bearer $OIDC_TOKEN")
+          APP_TOKEN=$(echo "$APP_RESPONSE" | jq -r '.token // .app_token')
+
+          if [ -z "$APP_TOKEN" ] || [ "$APP_TOKEN" = "null" ]; then
+            echo "❌ Failed to exchange for App token"
+            exit 1
+          fi
+
+          echo "token=$APP_TOKEN" >> "$GITHUB_OUTPUT"
+
+      - name: Configure git for marketplace
+        run: |
+          git config --global url."https://x-access-token:${GITHUB_APP_TOKEN}@github.com/".insteadOf "https://github.com/"
+        env:
+          GITHUB_APP_TOKEN: ${{ steps.claude-token.outputs.token }}
+
       - name: Run Claude Code
         uses: anthropics/claude-code-action@a017b830c03e23789b11fb69ed571ea61c12e45c # 2026-01-16
         with:
@@ -50,4 +88,5 @@ jobs:
           plugins: |
             project-manager@zama-marketplace
             zama-developer@zama-marketplace
-          # Prompt: empty string → action extracts text after @claude automatically
+          # Prompt: empty string for comments (action extracts text after @claude)
+          prompt: ""
