Use workload identity federation for Claude auth in CI workflows (#984)

ashwin-ant · web-flow · commit 3471a9fe422c · 2026-05-22T15:57:41.000-07:00
## What Switches this repository's Claude automation workflows from the static `ANTHROPIC_API_KEY` secret to [Workload Identity Federation](https://platform.claude.com/docs/en/manage-claude/workload-identity-federation): the workflow's GitHub OIDC token is exchanged for a short-lived Claude API access token at runtime, so no long-lived API key needs to be stored in the repository. | Workflow | Change | | --- | --- | | `claude.yml` | `anthropic_api_key` → federation inputs | | `claude-code-review.yml` | `anthropic_api_key` → federation inputs | | `claude-issue-triage.yml` | `anthropic_api_key` → federation inputs, plus `id-token: write` (the other two already request it) | | `build-and-publish.yml` | `anthropic_api_key` → federation inputs in the changelog step, plus `id-token: write` on the `publish` job | | `auto-release.yml`, `publish.yml` | grant `id-token: write` to the jobs that call the `build-and-publish.yml` reusable workflow (a called workflow can only use permissions its caller grants) | This uses the federation support shipped in [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) (`docs/setup.md#workload-identity-federation`, anthropics/claude-code-action#1338). ## How it activates The federation rule, organization, service account, and workspace IDs are read from repository **variables** (`vars.ANTHROPIC_FEDERATION_RULE_ID`, `vars.ANTHROPIC_ORGANIZATION_ID`, `vars.ANTHROPIC_SERVICE_ACCOUNT_ID`, `vars.ANTHROPIC_WORKSPACE_ID`). These are identifiers, not credentials. Until a repo admin sets them, the action fails fast at env validation with a clear "authentication required" message — so this PR is safe to merge ahead of that, and switching over is a settings change rather than another PR. The `ANTHROPIC_API_KEY` secret is intentionally left in place until the federated path has produced green runs; rollback is reverting this PR. ## Behavior notes - `claude-code-review.yml` runs on `pull_request`. Fork PRs don't receive `id-token: write` (GitHub withholds it the same way it withholds secrets), so reviews continue to run only for same-repo PRs — identical to today's behavior with the secret. - `test.yml` is deliberately **not** migrated here: it passes `ANTHROPIC_API_KEY` directly to pytest and to `docker run` for the SDK under test. Migrating that path means mounting an identity token into the container rather than swapping a workflow input, so it needs its own treatment.
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
@@ -47,6 +47,8 @@ jobs:
     needs: check-trigger
     permissions:
       contents: write
+      # Required to mint the OIDC token exchanged for a Claude API access token (Workload Identity Federation)
+      id-token: write
     uses: ./.github/workflows/build-and-publish.yml
     with:
       version: ${{ needs.check-trigger.outputs.version }}
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
@@ -46,6 +46,8 @@ jobs:
     environment: production
     permissions:
       contents: write
+      # Required to mint the OIDC token exchanged for a Claude API access token (Workload Identity Federation)
+      id-token: write
     env:
       VERSION: ${{ inputs.version }}
     steps:
@@ -186,7 +188,13 @@ jobs:
         uses: anthropics/claude-code-action@v1
         with:
           prompt: "/generate-changelog new version: ${{ env.VERSION }}, old version: ${{ inputs.previous_tag }}"
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Authenticate to the Claude API via Workload Identity Federation
+          # (the workflow's OIDC token is exchanged for a short-lived access
+          # token) instead of a static API key.
+          anthropic_federation_rule_id: ${{ vars.ANTHROPIC_FEDERATION_RULE_ID }}
+          anthropic_organization_id: ${{ vars.ANTHROPIC_ORGANIZATION_ID }}
+          anthropic_service_account_id: ${{ vars.ANTHROPIC_SERVICE_ACCOUNT_ID }}
+          anthropic_workspace_id: ${{ vars.ANTHROPIC_WORKSPACE_ID }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
             --model claude-opus-4-6
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -31,7 +31,13 @@ jobs:
       id: claude-review
       uses: anthropics/claude-code-action@v1
       with:
-        anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+        # Authenticate to the Claude API via Workload Identity Federation
+        # (the workflow's OIDC token is exchanged for a short-lived access
+        # token) instead of a static API key.
+        anthropic_federation_rule_id: ${{ vars.ANTHROPIC_FEDERATION_RULE_ID }}
+        anthropic_organization_id: ${{ vars.ANTHROPIC_ORGANIZATION_ID }}
+        anthropic_service_account_id: ${{ vars.ANTHROPIC_SERVICE_ACCOUNT_ID }}
+        anthropic_workspace_id: ${{ vars.ANTHROPIC_WORKSPACE_ID }}
 
         claude_args: --model claude-opus-4-6
 
diff --git a/.github/workflows/claude-issue-triage.yml b/.github/workflows/claude-issue-triage.yml
@@ -11,6 +11,8 @@ jobs:
     permissions:
       contents: read
       issues: write
+      # Required to mint the OIDC token exchanged for a Claude API access token (Workload Identity Federation)
+      id-token: write
 
     steps:
       - name: Checkout repository
@@ -24,6 +26,12 @@ jobs:
           CLAUDE_CODE_SCRIPT_CAPS: '{"edit-issue-labels.sh":2}'
         with:
           prompt: "/label-issue REPO: ${{ github.repository }} ISSUE_NUMBER: ${{ github.event.issue.number }}"
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Authenticate to the Claude API via Workload Identity Federation
+          # (the workflow's OIDC token is exchanged for a short-lived access
+          # token) instead of a static API key.
+          anthropic_federation_rule_id: ${{ vars.ANTHROPIC_FEDERATION_RULE_ID }}
+          anthropic_organization_id: ${{ vars.ANTHROPIC_ORGANIZATION_ID }}
+          anthropic_service_account_id: ${{ vars.ANTHROPIC_SERVICE_ACCOUNT_ID }}
+          anthropic_workspace_id: ${{ vars.ANTHROPIC_WORKSPACE_ID }}
           allowed_non_write_users: "*" # Required for issue triage workflow, if users without repo write access create issues
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -43,7 +43,13 @@ jobs:
         id: claude
         uses: anthropics/claude-code-action@v1
         with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Authenticate to the Claude API via Workload Identity Federation
+          # (the workflow's OIDC token is exchanged for a short-lived access
+          # token) instead of a static API key.
+          anthropic_federation_rule_id: ${{ vars.ANTHROPIC_FEDERATION_RULE_ID }}
+          anthropic_organization_id: ${{ vars.ANTHROPIC_ORGANIZATION_ID }}
+          anthropic_service_account_id: ${{ vars.ANTHROPIC_SERVICE_ACCOUNT_ID }}
+          anthropic_workspace_id: ${{ vars.ANTHROPIC_WORKSPACE_ID }}
 
           # Optional: Customize the trigger phrase (default: @claude)
           # trigger_phrase: "/claude"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -76,6 +76,8 @@ jobs:
     needs: [test, lint, get-previous-tag]
     permissions:
       contents: write
+      # Required to mint the OIDC token exchanged for a Claude API access token (Workload Identity Federation)
+      id-token: write
     uses: ./.github/workflows/build-and-publish.yml
     with:
       version: ${{ github.event.inputs.version }}
