Skip to content

Accept claude-code-oauth-token as auth alternative to claude-api-key#107

Open
adelaidasofia wants to merge 1 commit into
anthropics:mainfrom
adelaidasofia:add-oauth-token-input
Open

Accept claude-code-oauth-token as auth alternative to claude-api-key#107
adelaidasofia wants to merge 1 commit into
anthropics:mainfrom
adelaidasofia:add-oauth-token-input

Conversation

@adelaidasofia

Copy link
Copy Markdown

Adds a second authentication path so users with a Max or Pro subscription can run this action without provisioning a separate Anthropic API key.

Changes

  • action.yml: claude-api-key is no longer required: true on its own. The new claude-code-oauth-token input is the alternative. Validation accepts either input. Both are passed as env vars (ANTHROPIC_API_KEY and CLAUDE_CODE_OAUTH_TOKEN respectively) so the underlying Claude CLI auto-selects the right auth method.
  • claudecode/github_action_audit.py: validation in check_claude_code_available accepts either env var.

Limitation

The optional Claude-AI false-positive filter still requires ANTHROPIC_API_KEY because it is a direct SDK call (not via the Claude CLI). OAuth-only users gracefully fall back to hard-rules filtering, which matches the existing behavior when use_claude_filtering is disabled.

Usage example

Mint a long-lived OAuth token locally:

claude setup-token

Set the secret on your repo, then in your workflow:

- uses: anthropics/claude-code-security-review@main
  with:
    claude-code-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Why

The companion action anthropics/claude-code-action already accepts claude_code_oauth_token as input. This brings claude-code-security-review to parity so subscription users can adopt both actions without a separate API-key billing path.

Thank you for considering.

Adds a second authentication path so users with a Max or Pro
subscription can run this action without provisioning a separate
Anthropic API key.

Changes:
- action.yml: claude-api-key is no longer 'required: true' on its own;
  the new claude-code-oauth-token input is the alternative. Validation
  now accepts either. Both are passed as env vars (ANTHROPIC_API_KEY
  and CLAUDE_CODE_OAUTH_TOKEN respectively) so the underlying claude
  CLI auto-selects the right auth method.
- claudecode/github_action_audit.py: validation in
  check_claude_code_available accepts either env var.

The optional Claude-AI false-positive filter still requires
ANTHROPIC_API_KEY (it's a direct SDK call, not via claude CLI).
OAuth-only users gracefully fall back to hard-rules filtering, which
matches existing behavior when use_claude_filtering is disabled.

Mint a long-lived OAuth token with: claude setup-token

Then in your workflow:
  - uses: anthropics/claude-code-security-review@main
    with:
      claude-code-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
@adelaidasofia

Copy link
Copy Markdown
Author

Friendly bump. This is rebased and green. It accepts claude-code-oauth-token as an auth alternative to claude-api-key, which unblocks running the action on a Claude subscription instead of a metered API key. Happy to adjust if you would prefer a different approach. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant