From 0359cecab1dae5a44d86b3eb60bcd8064bc64f18 Mon Sep 17 00:00:00 2001
From: jportner <jportner@anthropic.com>
Date: Wed, 6 May 2026 03:59:22 +0000
Subject: [PATCH 1/2] Pin GitHub Actions to commit SHAs

---
 .github/workflows/pypi-quota-check.yml         | 2 +-
 .github/workflows/slack-issue-notification.yml | 2 +-
 .github/workflows/test.yml                     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pypi-quota-check.yml b/.github/workflows/pypi-quota-check.yml
index 24900be78..c766aa96a 100644
--- a/.github/workflows/pypi-quota-check.yml
+++ b/.github/workflows/pypi-quota-check.yml
@@ -38,7 +38,7 @@ jobs:
 
       - name: Post to Slack
         if: steps.quota.outputs.alert == 'true' && github.event_name != 'pull_request'
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # 2.1.1
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 (sha-pinned)
         with:
           method: chat.postMessage
           token: ${{ secrets.SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/slack-issue-notification.yml b/.github/workflows/slack-issue-notification.yml
index 675dd939c..0360b1c3b 100644
--- a/.github/workflows/slack-issue-notification.yml
+++ b/.github/workflows/slack-issue-notification.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Post to Slack
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # 2.1.1
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 (sha-pinned)
         with:
           method: chat.postMessage
           token: ${{ secrets.SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 806845b4c..f7fcf0314 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -31,7 +31,7 @@ jobs:
           python -m pytest tests/ -v --cov=claude_agent_sdk --cov-report=xml
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 (sha-pinned)
         with:
           file: ./coverage.xml
           fail_ci_if_error: false

From d079f3182c62a29bdfa0d9e89fef4f92dbb792bd Mon Sep 17 00:00:00 2001
From: jportner <jportner@anthropic.com>
Date: Wed, 6 May 2026 15:26:51 +0000
Subject: [PATCH 2/2] fix(claude.yml): merge duplicate claude_args keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The with: block had two claude_args keys (lines 48 and 57), which is
invalid YAML — both ruamel and GitHub Actions reject it. The workflow
has been failing to parse since #556 (2026-02-07). Merge both intended
values (--model and --allowed-tools) into a single block scalar.
---
 .github/workflows/claude.yml | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index b304caa87..d373fb840 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -45,17 +45,16 @@ jobs:
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 
-          claude_args: --model claude-opus-4-6
-          
           # Optional: Customize the trigger phrase (default: @claude)
           # trigger_phrase: "/claude"
-          
+
           # Optional: Trigger when specific user is assigned to an issue
           # assignee_trigger: "claude-bot"
-          
-          # Allow Claude to run linters, typecheckers, and tests
-          claude_args: |
-            --allowed-tools "Bash(python -m ruff check:*),Bash(python -m ruff format:*),Bash(python -m mypy:*),Bash(python -m pytest:*)"
 
-          # Optional: Add custom instructions for Claude to customize its behavior for your project
-          # claude_args: --system-prompt "Follow our coding standards"
\ No newline at end of file
+          # CLI args: model selection + allowed tools for lint/typecheck/tests.
+          # Add further flags (e.g. --system-prompt "...") to this block rather
+          # than a second claude_args key — duplicate YAML keys are rejected by
+          # GitHub Actions.
+          claude_args: |
+            --model claude-opus-4-6
+            --allowed-tools "Bash(python -m ruff check:*),Bash(python -m ruff format:*),Bash(python -m mypy:*),Bash(python -m pytest:*)"
\ No newline at end of file