Description
Describe the bug
When `id-token: write` permission is enabled in workflows, the Claude session inherits the `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variables. This allows the Claude session to call GitHub's OIDC token endpoint and mint new tokens. The `id-token: write` permission is intended for the action to authenticate itself, not for the Claude session to generate arbitrary tokens.
To Reproduce
Steps to reproduce the behavior:
- Create a workflow with `permissions: id-token: write`
- Trigger the Claude Code Action
- The Claude session will inherit `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` from `process.env`
- Claude can potentially use these to mint new OIDC tokens
Expected behavior
The Claude session should not have access to OIDC token request credentials. These variables should be stripped from the environment before passing it to the Claude SDK.
Screenshots
N/A
Workflow yml file
Any workflow using the default OIDC authentication (not providing github_token input) is affected:
```yaml
permissions:
  id-token: write
  contents: write
  pull-requests: write
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@main
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```
API Provider
- [x] Anthropic First-Party API (default)
- [x] AWS Bedrock
- [x] GCP Vertex
(All providers are affected as this is an environment variable issue)
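As an added example (not claude-code-action's own code), a TypeScript helper implementing the mitigation the Expected behavior section asks for: build the environment handed to the Claude SDK with the two OIDC token-request variables removed, and guard that nothing leaked before the SDK is spawned. The function names and the sample job environment are constructed for illustration.

```typescript
// Added example, not part of claude-code-action. Strips the GitHub OIDC
// token-request credentials from the environment passed to the Claude SDK,
// so the session cannot call the OIDC endpoint to mint new tokens.

// Variables that let any process in the job request GitHub OIDC tokens.
const OIDC_REQUEST_VARS: readonly string[] = [
  "ACTIONS_ID_TOKEN_REQUEST_URL",
  "ACTIONS_ID_TOKEN_REQUEST_TOKEN",
];

interface SanitizedEnv {
  env: Record<string, string>; // environment safe to hand to the SDK
  stripped: string[];          // names removed, for logging in the action
}

// Returns a copy of `source` without the OIDC request credentials.
// process.env values may be undefined; those entries are dropped too.
function stripOidcRequestVars(
  source: Record<string, string | undefined>,
): SanitizedEnv {
  const env: Record<string, string> = {};
  const stripped: string[] = [];
  for (const [key, value] of Object.entries(source)) {
    if (value === undefined) continue;
    if (OIDC_REQUEST_VARS.includes(key)) {
      stripped.push(key);
      continue;
    }
    env[key] = value;
  }
  return { env, stripped };
}

// Final guard before spawning the SDK: fail loudly if anything leaked.
function assertNoOidcRequestVars(env: Record<string, string | undefined>): void {
  const leaked = OIDC_REQUEST_VARS.filter((name) => env[name] !== undefined);
  if (leaked.length > 0) {
    throw new Error(`OIDC request credentials present in SDK env: ${leaked.join(", ")}`);
  }
}

// Constructed sample of what the runner exposes when id-token: write is set.
const SAMPLE_JOB_ENV: Record<string, string | undefined> = {
  GITHUB_REPOSITORY: "example-org/example-repo",
  ACTIONS_ID_TOKEN_REQUEST_URL: "https://placeholder.invalid/oidc",
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: "placeholder-request-token",
  ANTHROPIC_API_KEY: "placeholder-api-key",
  NODE_OPTIONS: undefined,
};

function main(): void {
  const { env, stripped } = stripOidcRequestVars(SAMPLE_JOB_ENV);
  assertNoOidcRequestVars(env);
  console.log(`stripped before SDK launch: ${stripped.join(", ")}`);
}
main();
```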