summaryrefslogtreecommitdiff
path: root/.github/workflows/ai-validation.yml
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-11 11:33:51 +0300
committerGitHub <noreply@github.com>2026-05-11 11:33:51 +0300
commit65a00dfcf8742a50f18f29fb674d3ebbd7e0cc7c (patch)
tree84c0fe7be91766fd4c1be4d28246c457e1c64c49 /.github/workflows/ai-validation.yml
parent0adac372f0147177ad88af503f881cd53b59812f (diff)
parente83cb0f10e2b556abe3d098e7096a842bb2327be (diff)
downloadvyos-documentation-65a00dfcf8742a50f18f29fb674d3ebbd7e0cc7c.tar.gz
vyos-documentation-65a00dfcf8742a50f18f29fb674d3ebbd7e0cc7c.zip
Merge pull request #1985 from vyos/yuriy/ai-validation-claude-action-github-token-rolling
ci(ai-validation): pass github_token to claude-code-action (skip OIDC exchange)
Diffstat (limited to '.github/workflows/ai-validation.yml')
-rw-r--r--.github/workflows/ai-validation.yml19
1 files changed, 19 insertions, 0 deletions
diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml
index 600e4e8b..1f810250 100644
--- a/.github/workflows/ai-validation.yml
+++ b/.github/workflows/ai-validation.yml
@@ -431,6 +431,25 @@ jobs:
uses: anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416 # v1.0.119
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ # Pass the workflow's default GITHUB_TOKEN explicitly. Without
+ # this the action mints an OIDC token (audience
+ # `claude-code-github-action`) and exchanges it at
+ # api.anthropic.com/api/github/github-app-token-exchange for
+ # an Anthropic-managed App token — which fails with "Invalid
+ # OIDC token" on repos where Anthropic-side federation isn't
+ # configured. Providing github_token bypasses the exchange
+ # entirely (the action checks process.env.OVERRIDE_GITHUB_TOKEN
+ # first; see anthropics/claude-code-action src/github/token.ts
+ # setupGitHubToken()). github.token here is auto-scoped to the
+ # current PR repo with the validate job's permissions block
+ # (pull-requests: write + issues: write + contents: read),
+ # which is exactly what the action needs to post inline review
+ # comments and a summary comment. steps.app.outputs.token is
+ # NOT suitable here: that token is scoped to the VyOS-Networks
+ # org repos (vyos-1x, vyos-docs-opus-reviewer) for the reviewer-
+ # source / vyos-1x checkouts above, and has no write access
+ # on vyos/vyos-documentation PRs.
+ github_token: ${{ github.token }}
# claude-code-action@v1 removed the top-level `model` input; CLI
# flags including --model now travel via `claude_args` (see the
# claude_args: block at the bottom of this step).