diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-11 11:29:52 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-11 11:29:52 +0300 |
| commit | e83cb0f10e2b556abe3d098e7096a842bb2327be (patch) | |
| tree | 1f6e94a0ba43f28d26092f25fa966dc5d92b1997 /.github/workflows/ai-validation.yml | |
| parent | 89a90e1880e39b1a2ebf08d265f76dd16aa193f6 (diff) | |
| download | vyos-documentation-e83cb0f10e2b556abe3d098e7096a842bb2327be.tar.gz vyos-documentation-e83cb0f10e2b556abe3d098e7096a842bb2327be.zip | |
ci(ai-validation): pass github_token to claude-code-action (skip OIDC exchange)
Second smoke verify on PR #1977 (run 25658927427) reached Pass 2 but
failed with "Action failed with error: Invalid OIDC token". Diagnosis:
The action (anthropics/claude-code-action@v1) mints an OIDC token with
audience `claude-code-github-action` and POSTs it to
`api.anthropic.com/api/github/github-app-token-exchange` to receive
an Anthropic-managed GitHub App token for posting back to the PR.
The endpoint validated our OIDC token and rejected it ("Invalid
OIDC token") — this happens on repos where Anthropic-side OIDC
federation hasn't been provisioned for the GitHub org.
Bypass the exchange entirely by providing `github_token` to the
action: `setupGitHubToken()` in src/github/token.ts checks
`process.env.OVERRIDE_GITHUB_TOKEN` first and uses it directly if
set, skipping OIDC.
`${{ github.token }}` is auto-scoped to the current PR repo and gets
the validate job's permissions (pull-requests: write,
issues: write, contents: read) — exactly what the action needs.
`steps.app.outputs.token` (our App token) is NOT suitable here: it's
scoped to the VyOS-Networks org (vyos-1x, vyos-docs-opus-reviewer)
for the earlier reviewer-source / vyos-1x checkouts, and has no
write access on vyos/vyos-documentation PRs.
Side effect: comments now post as github-actions[bot] (the workflow's
own bot identity) rather than as claude[bot] (the Anthropic-managed
GitHub App). Acceptable trade-off, and arguably preferable — the
inline-review identity is now visibly the VyOS workflow rather than
an external bot.
Mirrored byte-identically across rolling/circinus/sagitta + canonical
PR (folded into the still-open VyOS-Networks/vyos-docs-opus-reviewer#17).
Diffstat (limited to '.github/workflows/ai-validation.yml')
| -rw-r--r-- | .github/workflows/ai-validation.yml | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 600e4e8b..1f810250 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -431,6 +431,25 @@ jobs: uses: anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416 # v1.0.119 with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + # Pass the workflow's default GITHUB_TOKEN explicitly. Without + # this the action mints an OIDC token (audience + # `claude-code-github-action`) and exchanges it at + # api.anthropic.com/api/github/github-app-token-exchange for + # an Anthropic-managed App token — which fails with "Invalid + # OIDC token" on repos where Anthropic-side federation isn't + # configured. Providing github_token bypasses the exchange + # entirely (the action checks process.env.OVERRIDE_GITHUB_TOKEN + # first; see anthropics/claude-code-action src/github/token.ts + # setupGitHubToken()). github.token here is auto-scoped to the + # current PR repo with the validate job's permissions block + # (pull-requests: write + issues: write + contents: read), + # which is exactly what the action needs to post inline review + # comments and a summary comment. steps.app.outputs.token is + # NOT suitable here: that token is scoped to the VyOS-Networks + # org repos (vyos-1x, vyos-docs-opus-reviewer) for the reviewer- + # source / vyos-1x checkouts above, and has no write access + # on vyos/vyos-documentation PRs. + github_token: ${{ github.token }} # claude-code-action@v1 removed the top-level `model` input; CLI # flags including --model now travel via `claude_args` (see the # claude_args: block at the bottom of this step). |
