ci: rename Claude OAuth secret to CC_OAUTH_TOKEN#702
Conversation
Same OAuth token, new secret name. The previous name CLAUDE_CODE_OAUTH_TOKEN collides with the env var that Claude Code itself recognizes as a credential, so any process in the pipeline that touches its own login state (the action child claude process, the runner-side claude install, or developer-machine tooling) can clobber, mask, or otherwise interact with that env. Renaming the GitHub Actions secret to CC_OAUTH_TOKEN avoids the magic-name interaction; the action input name (claude_code_oauth_token) is unchanged. Symptom: same workflow, same action SHA (v1.0.108 = 11a9dadd), same agent SDK (0.2.121), unchanged secret value produced 6 consecutive successful @claude runs (15:27-15:55 UTC) and then 4 consecutive failures (16:00-16:13 UTC) on 2026-04-28, all with SDK error "Could not resolve [authentication]" thrown from validateHeaders. Workflow variables are exhausted, so the remaining moving parts are the secret name itself and the OAuth token behind it. The secret has been re-registered under CC_OAUTH_TOKEN with a fresh token; this commit only flips the workflow reference.
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
1 participant
Summary
.github/workflows/claude.ymlto read the OAuth credential fromsecrets.CC_OAUTH_TOKENinstead ofsecrets.CLAUDE_CODE_OAUTH_TOKEN. Same token; new secret name.claude_code_oauth_token) is unchanged.Why
Same workflow file, same
claude-code-actionSHA (11a9dadd= v1.0.108), same agent SDK (0.2.121), and an unchanged secret value produced 6 consecutive successful@clauderuns (15:27–15:55 UTC) and then 4 consecutive failures (16:00–16:13 UTC) on 2026-04-28, all with the SDK errorCould not resolve [authentication]thrown fromvalidateHeaders. Failing run for reference: https://github.com/bootjp/elastickv/actions/runs/25063998905.Successful and failing runs both reach
App token successfully obtainedin the OIDC → GitHub App exchange, and both download the same action SHA + same SDK version. The crash is in the agent SDK'sAnthropicclient constructor: neitherapiKeynorauthTokenresolves. Workflow-side variables are exhausted, so the remaining moving parts are the secret name itself and the OAuth token behind it.The previous name
CLAUDE_CODE_OAUTH_TOKENcollides with the env var that Claude Code itself recognizes as a credential, so any process in the pipeline that touches its own login state (the action's childclaudeprocess, the runner-sideclaudeinstall, or developer-machine tooling that shares the same env can clobber, mask, or otherwise interact with that env. Renaming the GitHub Actions secret avoids the magic-name interaction.Behavior change
Risk
Test plan
Self-review
5-lens collapses to no-op: CI workflow change only, no data-loss / concurrency / performance / consistency surface, no test-coverage applicable.
PR_EOF
)