
fix(ci): remove pull_request trigger from Claude workflow to fix OIDC token failure #486

Merged
kimocoder merged 2 commits into master from copilot/fix-oidc-token-fetch-failure
Apr 9, 2026

Conversation


Copilot AI commented Apr 9, 2026

anthropics/claude-code-action@v1 was failing on every PR open/sync event because GitHub does not expose ACTIONS_ID_TOKEN_REQUEST_URL to workflows triggered by pull_request (a platform-level security restriction — id-token: write permission alone is insufficient in this context).

Change

  • Removed the pull_request: [opened, synchronize] trigger from .github/workflows/claude.yml
  • Workflow now only runs on issue_comment and pull_request_review_comment events, which run in a trusted context where OIDC tokens are available
 on:
-  pull_request:
-    types: [opened, synchronize]
   issue_comment:
     types: [created]
   pull_request_review_comment:
     types: [created]
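Review bot: with pull_request gone, the remaining issue_comment: created trigger fires on every new comment on any issue or pull request in the repository, and the job still carries contents: write and pull-requests: write; the only gate left is the action's trigger_phrase: "@claude", which any commenter can type. Consider a job-level `if:` that also checks `github.event.comment.author_association` against a trusted set (OWNER, MEMBER, COLLABORATOR) and, for issue_comment, that `github.event.issue.pull_request` is set, so comments on plain issues do not start a run. Also worth a comment in the file: issue_comment runs use the workflow from the default branch and check out master, not the PR head, so any step added to this job that needs the PR's changes must fetch the head ref explicitly.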

No functional loss — the workflow already gates execution on trigger_phrase: "@claude", so it was always comment-driven by design.

Original prompt

The GitHub Actions workflow in repository kimocoder/wifite2 is failing for PR job 70624417199 in run 23982500564 (PR #479). The failing workflow file is .github/workflows/claude.yml.

Observed failure from logs:

  • anthropics/claude-code-action@v1 fails to fetch an OIDC token.
  • Error includes: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
  • The action retries and then exits with: Could not fetch an OIDC token. Did you remember to add id-token: write to your workflow permissions?

Relevant context:

  • The workflow already includes permissions: id-token: write contents: write pull-requests: write issues: write
  • The workflow is currently triggered on:
    • pull_request with types [opened, synchronize]
    • issue_comment with types [created]
    • pull_request_review_comment with types [created]
  • The Claude action step is:
    • uses: anthropics/claude-code-action@v1
    • with anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} and comment-trigger configuration.

Goal:
Create a pull request that fixes the workflow so this failure no longer occurs.

Preferred fix:

  • Update .github/workflows/claude.yml so the Claude Code action does not run in the failing pull_request context where the OIDC env vars are unavailable.
  • Best fix is to remove the pull_request trigger entirely and keep only comment-driven triggers (issue_comment and pull_request_review_comment), since the workflow is already configured with trigger_phrase: "@claude" and is naturally comment-driven.

Alternative acceptable fix:

  • If needed, preserve the pull_request trigger but ensure the Claude action step is skipped when github.event_name == 'pull_request'.

Implementation requirements:

  • Modify only .github/workflows/claude.yml unless another tiny workflow-only change is clearly necessary.
  • Keep the existing prompt and Claude settings intact.
  • Make the smallest safe change.
  • Open a PR with a concise title describing the workflow fix.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The failure is in the workflow itself, not in repo code.

Root cause

The job fails while running anthropics/claude-code-action@v1 because it cannot obtain an OIDC token:

  • Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
  • Could not fetch an OIDC token. Did you remember to add id-token: write to your workflow permissions?

Your workflow already includes id-token: write in .github/workflows/claude.yml at lines 14–18, so the real issue is that this run is from a pull_request context where GitHub is not exposing the OIDC request env vars to the action in this scenario.

The failing step is the action usage at lines 24–27.

Fix

Avoid running this action on pull_request events, or switch to an event that has the required token context, such as issue_comment / review-comment only.

Recommended workflow change

Update .github/workflows/claude.yml so the Claude job only runs for comment-triggered events:

name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

jobs:
  claude:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
      pull-requests: write
      issues: write

    steps:
      - name: Checkout repo
        uses: actions/checkout@v6.0.2

      - name: Run Claude Code Action
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: |
            You are an expert security researcher reviewing changes to wifite2 (a Python WiFi auditing tool).
            Review this pull request or comment for:
            - bugs
            - security issues
            - code quality problems
            - performance improvements
            Focus especially on Python code. Be concise but thorough. If you can fix something, do it.
          claude_args: |
            --max-turns 8
          trigger_phrase: "@claude"
          use_sticky_comment: true
          include_fix_links: true
          track_progress: true

If you must keep pull_request

Gate the step so it skips on PR events:

- name: Run Claude Code Action
  if: github.event_name != 'pull_request'
  uses: anthropics/claude-code-action@v1
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

Why this is the right fix

  • The logs show the action fails before reviewing any ...

This pull request was created from Copilot chat.
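As an added example that is not part of this PR or the wifite2 repository, the following shows how the comment-driven workflow above could additionally gate on who posted the comment and on the comment belonging to a pull request, so that a job holding contents: write and pull-requests: write cannot be started by an arbitrary commenter. The trusted author-association set, the concurrency group name and the exact `if:` expression are assumptions for illustration, not settings taken from the project's workflow.

```yaml
name: Claude Code

# Only comment-driven events: these run in the default-branch context, where
# GitHub exposes the OIDC request variables that id-token: write depends on.
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

# One run per PR at a time; a newer trigger cancels an in-flight one.
# (Assumed group name, not from the original workflow.)
concurrency:
  group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  claude:
    runs-on: ubuntu-latest
    # Run only when all of the following hold:
    #  - the comment contains the trigger phrase (the action checks this too,
    #    but gating the job avoids spending a runner and issuing a token at all),
    #  - the author has a trusted association with the repo (assumed set),
    #  - for issue_comment, the "issue" is actually a pull request.
    if: >-
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
      (github.event_name != 'issue_comment' || github.event.issue.pull_request != null)
    permissions:
      id-token: write
      contents: write
      pull-requests: write
      issues: write

    steps:
      # Note: on issue_comment this checks out the default branch, not the PR head.
      - name: Checkout repo
        uses: actions/checkout@v6.0.2

      - name: Run Claude Code Action
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          trigger_phrase: "@claude"
          # remaining inputs (prompt, claude_args, use_sticky_comment, ...)
          # as in the original workflow
```

The job-level `if:` is evaluated before the runner is allocated, so an untrusted comment produces a skipped job rather than a run that has already been granted write-scoped tokens. Comparing `github.event.issue.pull_request` to `null` works because the issue_comment payload for a PR includes that object, while the payload for a plain issue does not.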

Copilot AI changed the title [WIP] Fix OIDC token fetch failure in workflow fix(ci): remove pull_request trigger from Claude workflow to fix OIDC token failure Apr 9, 2026
Copilot AI requested a review from kimocoder April 9, 2026 15:10
@kimocoder kimocoder marked this pull request as ready for review April 9, 2026 15:13
Copilot AI review requested due to automatic review settings April 9, 2026 15:13
@kimocoder kimocoder merged commit 80afc88 into master Apr 9, 2026
11 of 14 checks passed

Copilot AI left a comment


Pull request overview

Updates the Claude Code GitHub Actions workflow to avoid running in the pull_request event context where GitHub withholds OIDC token env vars, preventing anthropics/claude-code-action@v1 from failing on PR open/sync.

Changes:

  • Removed the pull_request trigger from .github/workflows/claude.yml.
  • Kept only comment-driven triggers (issue_comment and pull_request_review_comment) so the workflow runs in a trusted context compatible with OIDC.


@kimocoder kimocoder deleted the copilot/fix-oidc-token-fetch-failure branch April 24, 2026 20:30