Support keyless / environment-based authentication (Workload Identity Federation)#116
Open
ralphpina wants to merge 1 commit into
Open
Support keyless / environment-based authentication (Workload Identity Federation)#116ralphpina wants to merge 1 commit into
ralphpina wants to merge 1 commit into
Conversation
Make `claude-api-key` optional so the action can authenticate via credentials the Anthropic SDK and Claude CLI resolve from the environment -- Workload Identity Federation, ANTHROPIC_AUTH_TOKEN, Bedrock/Vertex, etc. -- instead of requiring a static API key. - action.yml: claude-api-key required:false; unset an empty ANTHROPIC_API_KEY so it does not outrank keyless auth in the SDK. - claude_api_client.py: fall through to Anthropic() (SDK auto-detect) when no key is provided, instead of raising. - github_action_audit.py: accept a static credential OR WIF env in validate_claude_available(). Providing claude-api-key behaves exactly as before; this only adds a fallback when it is absent. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Makes
claude-api-keyoptional so the action can authenticate keylessly via credentials the Anthropic SDK and Claude CLI already resolve from the environment — most importantly Workload Identity Federation (WIF), but alsoANTHROPIC_AUTH_TOKEN, Amazon Bedrock / Google Vertex, or anantprofile.Motivation
Organizations moving off static Anthropic API keys (to WIF / short-lived OIDC-exchanged tokens) can already run
anthropics/claude-code-actionkeylessly — but notclaude-code-security-review. It requiresclaude-api-keyand hard-fails without it, which forces a static key to stay in repo secrets. On a repo that otherwise runs fully keyless, this one action blocks revoking the last static key.What changed (all backward compatible)
action.yml—claude-api-keyis nowrequired: false. When no key is provided, the scan step unsets the (empty)ANTHROPIC_API_KEY— an empty-but-set value otherwise takes precedence over keyless auth in the SDK and breaks it.claudecode/claude_api_client.py— when no explicit/env key is present, constructAnthropic()with noapi_keyand let the SDK auto-detect environment credentials, instead of raisingValueError.claudecode/github_action_audit.py—validate_claude_available()accepts a static credential or WIF env (ANTHROPIC_FEDERATION_RULE_ID/ANTHROPIC_ORGANIZATION_ID/ANTHROPIC_SERVICE_ACCOUNT_ID) /ANTHROPIC_AUTH_TOKEN, with an updated error message.Providing
claude-api-keybehaves exactly as before — this only adds a fallback path when it's absent.Using keyless auth (WIF example)
The action deliberately does not mint the OIDC token itself (keeps it minimal and provider-agnostic); the calling workflow sets the WIF env before invoking it:
Testing
py_compileon both changed modules ✅;action.ymlparses as valid YAML ✅.Anthropic(api_key=...)construction, same validation result).🤖 Generated with Claude Code