
OIDC token exchange rejects pull_request_target events

Open · danielorbach opened this issue 4 months ago · 0 comments

Describe the bug

The action code supports pull_request_target events (added in PR #759, issue #347), but the Anthropic OIDC token exchange endpoint (https://api.anthropic.com/api/github/github-app-token-exchange) rejects OIDC tokens from pull_request_target triggers with an "Invalid OIDC token" error.

To Reproduce

  1. Create a workflow with pull_request_target trigger
  2. Ensure proper permissions (id-token: write, contents: read, pull-requests: write)
  3. Open a PR to trigger the workflow
  4. See error: Error: Failed to setup GitHub token: Error: Invalid OIDC token

Expected behavior

The OIDC token exchange should succeed for pull_request_target events, just as it does for pull_request events.

Screenshots

  • Working (pull_request): https://github.com/danielorbach/go-component/actions/runs/19872285394/job/56950900231?pr=20
  • Failing (pull_request_target): https://github.com/danielorbach/go-component/actions/runs/19871734880

Workflow yml file

on:
  pull_request_target:
    types: [opened, synchronize]
    paths:
      - '.github/workflows/**'

permissions:
  id-token: write
  contents: read
  pull-requests: write

jobs:
  review:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          prompt: "Review this PR"
          allowed_bots: "dependabot[bot]"
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

API Provider

  • [x] Anthropic First-Party API (default)
  • [ ] AWS Bedrock
  • [ ] GCP Vertex

Additional context

This is in the context of reviewing Dependabot PRs that modify workflow files. Using pull_request_target is necessary because:

  1. When Dependabot updates workflow files, using pull_request would run the modified (untrusted) workflow
  2. pull_request_target runs the trusted workflow from the base branch

Security-wise, forks are not relevant in this use case because the workflow is guarded with github.actor == 'dependabot[bot]', ensuring only Dependabot can trigger it.

GitHub Actions OIDC tokens include an event_name claim. The Anthropic backend appears to validate this against an allowlist that doesn't include pull_request_target.

Workaround

Use the pull_request trigger instead (with the limitation that workflow file changes will run the modified workflow, which may be a security concern).

Related

  • PR #759 - Added pull_request_target support to the action code
  • Issue #347 - Original request for pull_request_target support

danielorbach · Dec 02 '25 20:12
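The report above says the exchange endpoint appears to gate on the event_name claim of the GitHub Actions OIDC token. The following is an added illustration, not code from the issue, the action, or Anthropic's backend, of what such a claim gate looks like: it builds constructed, unsigned sample tokens, reads their claims, and applies a hypothetical allowlist that accepts pull_request but not pull_request_target. The allowlist contents, the repository and ref values are assumptions; only the issuer URL is a well-known GitHub value.

```python
import base64
import json

# Issuer of GitHub Actions OIDC tokens (well-known GitHub value, not from the issue).
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"

# Hypothetical allowlist reproducing the reported behaviour. The real list is not
# public; only "pull_request accepted, pull_request_target rejected" is known.
ALLOWED_EVENTS = frozenset({"push", "pull_request", "issue_comment",
                            "pull_request_review", "workflow_dispatch"})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed alg=none JWT for local inspection only (never a real credential)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a compact JWS without checking its signature.
    A real exchange endpoint must verify the RS256 signature against the
    issuer's JWKS before trusting any claim; this helper only parses."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claims(claims: dict, allowed_events=ALLOWED_EVENTS) -> tuple[bool, str]:
    """Policy gate modelled on the behaviour the issue reports."""
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        return False, "unexpected issuer"
    event = claims.get("event_name")
    if event not in allowed_events:
        return False, f"event_name {event!r} is not allowlisted"
    return True, "ok"


# Constructed sample claims. For pull_request_target, GitHub issues the token in
# the context of the base branch, so ref points at the trusted base ref.
PR_CLAIMS = {"iss": GITHUB_OIDC_ISSUER, "event_name": "pull_request",
             "repository": "example/repo", "ref": "refs/pull/20/merge"}
PRT_CLAIMS = {**PR_CLAIMS, "event_name": "pull_request_target", "ref": "refs/heads/main"}

if __name__ == "__main__":
    for c in (PR_CLAIMS, PRT_CLAIMS):
        ok, why = check_claims(decode_jwt_payload(make_unsigned_token(c)))
        print(c["event_name"], "->", "accepted" if ok else f"rejected ({why})")
```

Adding "pull_request_target" to ALLOWED_EVENTS is the one-line change that would make the second sample pass, which is what the issue asks the backend to do.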