NO-JIRA: test Claude Code WIF auth in GitHub Actions

[bryan-cox]

Summary

• Adds a test workflow to validate Claude Code authentication via GCP Workload Identity Federation (WIF)
• Uses the shared IT WIF provider (itpc-identity-pool) instead of service account keys
• Reference PR for teams wanting to run Claude Code in GitHub Actions without managing secrets

How it works

1. GitHub Actions mints an OIDC token
2. google-github-actions/auth@v2 exchanges it with GCP's WIF pool for temporary credentials
3. Claude Code picks up the credentials via Application Default Credentials (ADC)

Prerequisites

• openshift org must be in the WIF provider's repository_owner allowlist
• roles/aiplatform.user granted to the principalSet on the target GCP project

Test plan

• Trigger workflow manually via Actions tab
• Verify WIF authentication succeeds
• Verify Claude Code responds via Vertex AI

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Added an automated CI workflow that validates tooling and integration on pull requests or via manual trigger.
  • CI now installs the assistant CLI, performs a version check, and runs a one-turn runtime validation using cloud-enabled execution to ensure assistant interactions and cloud execution paths function correctly.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@bryan-cox: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

• Adds a test workflow to validate Claude Code authentication via GCP Workload Identity Federation (WIF)
• Uses the shared IT WIF provider (itpc-identity-pool) instead of service account keys
• Reference PR for teams wanting to run Claude Code in GitHub Actions without managing secrets

How it works

1. GitHub Actions mints an OIDC token
2. google-github-actions/auth@v2 exchanges it with GCP's WIF pool for temporary credentials
3. Claude Code picks up the credentials via Application Default Credentials (ADC)

Prerequisites

• openshift org must be in the WIF provider's repository_owner allowlist
• roles/aiplatform.user granted to the principalSet on the target GCP project

Test plan

• Trigger workflow manually via Actions tab
• Verify WIF authentication succeeds
• Verify Claude Code responds via Vertex AI

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow (claude-wif-test.yaml) that triggers on changes to that workflow file and via manual dispatch. The workflow grants OIDC permissions, then runs a job which checks out the repo, authenticates to GCP using Workload Identity Federation via google-github-actions/auth@v2, installs Claude Code, sets Vertex-related environment variables, and runs claude --version plus a single-turn prompt.

sequenceDiagram
  participant GitHub as GitHub Actions
  participant Runner as Actions Runner
  participant Auth as google-github-actions/auth@v2
  participant GCP as GCP Workload Identity Provider
  participant Installer as Claude install script
  participant Claude as Claude CLI
  participant Vertex as Vertex AI
  GitHub->>Runner: trigger (pull_request or workflow_dispatch)
  Runner->>Auth: request id-token (OIDC)
  Auth->>GCP: exchange token for service account credentials
  Runner->>Installer: install Claude Code
  Runner->>Claude: run `claude --version` and prompt (Vertex envs)
  Claude->>Vertex: call Vertex AI (when enabled)

Loading

Sequence Diagram(s)

sequenceDiagram
  participant GitHub as GitHub Actions
  participant Runner as Actions Runner
  participant Checkout as actions/checkout
  participant Auth as google-github-actions/auth@v2
  participant GCP as GCP Workload Identity Provider
  participant Installer as Claude install script
  participant Claude as Claude CLI
  participant Vertex as Vertex AI
  GitHub->>Runner: trigger (pull_request_target or workflow_dispatch)
  Runner->>Checkout: checkout PR head SHA
  Runner->>Auth: request id-token (OIDC)
  Auth->>GCP: exchange id-token for service account credentials
  Runner->>Installer: install Claude Code
  Runner->>Claude: run `claude --version` and prompt (with Vertex envs)
  Claude->>Vertex: call Vertex AI (when enabled)

Loading

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a test for Claude Code WIF authentication in GitHub Actions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds only a GitHub Actions workflow file (.github/workflows/claude-wif-test.yaml), not Go test code. The check applies to Ginkgo test names in Go code, which are absent from this PR.
Test Structure And Quality	✅ Passed	PR adds only a GitHub Actions workflow file (.github/workflows/claude-wif-test.yaml), not Ginkgo test code; custom check for Ginkgo test quality is not applicable.
Microshift Test Compatibility	✅ Passed	PR adds only a GitHub Actions workflow file, not Ginkgo e2e tests. The MicroShift Test Compatibility check applies only to new Ginkgo tests, making it not applicable here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only a GitHub Actions workflow file (.github/workflows/claude-wif-test.yaml), not Ginkgo e2e tests. SNO test compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds a GitHub Actions CI/CD workflow file. The check applies to Kubernetes deployment manifests, operator, or controller code—not CI/CD workflows with no scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR adds only a GitHub Actions workflow YAML file, not a Go test binary, so the OTE Binary Stdout Contract check does not apply.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only .github/workflows/claude-wif-test.yaml, a GitHub Actions workflow configuration file, not Ginkgo e2e tests. The check is not applicable to non-test CI/CD configurations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/claude-wif-test.yaml (1)

16-16: ⚡ Quick win

Pin action to SHA and disable credential persistence.

Static analysis flags two issues:

1. Action is pinned to a version tag (v4) rather than a commit SHA, which is a supply chain risk
2. Missing persist-credentials: false to prevent credential leakage

🔒 Suggested fix

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-wif-test.yaml at line 16, Replace the unpinned
checkout action and enable non-persistent credentials: change the "uses:
actions/checkout@v4" reference to a fixed commit SHA (e.g., "uses:
actions/checkout@<commit-sha>") and add a with: block containing
"persist-credentials: false" (so the checkout step uses the SHA and includes
persist-credentials: false) to prevent credential leakage.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/claude-wif-test.yaml:
- Around line 19-22: Replace the unpinned GitHub Action reference
"google-github-actions/auth@v2" with the specific commit SHA
"google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed" so the
workload identity federation auth step is pinned to the exact commit; update the
uses entry accordingly where "google-github-actions/auth@v2" appears.

---

Nitpick comments:
In @.github/workflows/claude-wif-test.yaml:
- Line 16: Replace the unpinned checkout action and enable non-persistent
credentials: change the "uses: actions/checkout@v4" reference to a fixed commit
SHA (e.g., "uses: actions/checkout@<commit-sha>") and add a with: block
containing "persist-credentials: false" (so the checkout step uses the SHA and
includes persist-credentials: false) to prevent credential leakage.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e91777cc-8038-4135-9ea0-4f7186a9f32d

📥 Commits

Reviewing files that changed from the base of the PR and between 962cdbb and e974788.

📒 Files selected for processing (2)

• .github/workflows/claude-wif-test.yaml
• hack/github-actions-runner/README.md

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.53%. Comparing base (b39a15b) to head (3da80c4).
⚠️ Report is 49 commits behind head on main.

⚠️ Current head 3da80c4 differs from pull request most recent head c431e17

Please upload reports for the commit c431e17 to get more accurate results.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8588      +/-   ##
==========================================
+ Coverage   40.41%   40.53%   +0.12%     
==========================================
  Files         755      755              
  Lines       93235    93235              
==========================================
+ Hits        37679    37794     +115     
+ Misses      52854    52740     -114     
+ Partials     2702     2701       -1     

see 3 files with indirect coverage changes

Flag	Coverage Δ
cmd-support	34.45% <ø> (+<0.01%)	⬆️
cpo-hostedcontrolplane	41.76% <ø> (ø)
cpo-other	41.23% <ø> (+0.91%)	⬆️
hypershift-operator	50.72% <ø> (ø)
other	31.58% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/claude-wif-test.yaml:
- Line 16: Update the checkout step that uses
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 to disable credential
persistence by adding persist-credentials: false to that step; locate the
checkout usage (the line with "uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5") and add the
persist-credentials: false key under it so the GITHUB_TOKEN is not written to
local git config after checkout.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 914228fc-0f08-4a25-adb7-1c6402ce1fc6

📥 Commits

Reviewing files that changed from the base of the PR and between e974788 and 690af6c.

📒 Files selected for processing (1)

• .github/workflows/claude-wif-test.yaml

[hypershift-jira-solve-ci]

I have all the evidence needed. Here is the analysis:

Test Failure Analysis Complete

Job Information

• Prow Job: GitHub Actions workflow "Test Claude Code WIF Auth" / job test-wif
• Build ID: 26464390671 / job 77920633974
• PR: NO-JIRA: test Claude Code WIF auth in GitHub Actions #8588 (NO-JIRA: test Claude Code WIF auth in GitHub Actions)
• Branch: test-arc-runners (from fork bryan-cox/hypershift)
• Failed Step: "Authenticate to GCP via WIF" (step 3)
• Duration: 13 seconds (17:31:07 – 17:31:20 UTC)

Test Failure Analysis

Error

google-github-actions/auth failed with: gitHub Actions did not inject
$ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into this job.
This most likely means the GitHub Actions workflow permissions are incorrect,
or this job is being run from a fork.

Summary

The GCP Workload Identity Federation (WIF) authentication step failed because GitHub Actions refuses to issue OIDC identity tokens for workflows triggered by pull_request events from forked repositories. The PR originates from bryan-cox/hypershift (a fork) targeting openshift/hypershift, so GitHub's security policy blocks the id-token: write permission even though the workflow file correctly declares it. This is a GitHub-enforced security boundary — not a misconfiguration — designed to prevent forks from obtaining credentials that could access the upstream repository's cloud resources.

Root Cause

GitHub Actions security policy for fork PRs blocks OIDC token issuance.

The workflow at .github/workflows/claude-wif-test.yaml correctly declares permissions: id-token: write at the top level and uses google-github-actions/auth@v2 with Workload Identity Federation. However, the pull_request event trigger has a hard security constraint:

1. The PR is from a fork: bryan-cox/hypershift → openshift/hypershift (confirmed: head_repo_fork: true).
2. GitHub does not inject OIDC tokens for fork PRs: When a pull_request event fires from a fork, GitHub intentionally does NOT populate $ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL, regardless of the permissions block in the workflow file. This is a security measure to prevent forks from impersonating the upstream repository's identity and gaining access to its cloud resources (GCP, AWS, etc.).
3. The google-github-actions/auth action detects this: It checks for those environment variables, finds them missing, and fails with the observed error.

This is not a workflow misconfiguration. The permissions block and WIF provider settings are correct. The issue is that the chosen trigger event (pull_request) is fundamentally incompatible with OIDC-based authentication when the PR comes from a fork.

Recommendations

1. Use pull_request_target instead of pull_request — This trigger runs in the context of the base repository (openshift/hypershift), which does have access to OIDC tokens. ⚠️ Security warning: pull_request_target runs the workflow from the base branch, not the PR branch, but has access to repository secrets and OIDC. If you use actions/checkout to check out the PR's code (ref: ${{ github.event.pull_request.head.sha }}), ensure you do NOT execute arbitrary code from the PR before authentication, as this creates a code injection risk.

2. Use workflow_dispatch for manual testing — The workflow already has workflow_dispatch as a trigger. Running the workflow manually from the main branch (or any branch in the upstream repo) will work correctly since it's not a fork context. This is the safest immediate option for validating the WIF setup.

3. Merge the workflow first, then test — Since this is a new workflow file, merge it to main first (the WIF step will be skipped/untested), then trigger it via workflow_dispatch or a same-repo PR to validate the authentication works.

4. Restrict the WIF provider's subject condition — Ensure the GCP WIF provider's attribute condition includes a check like assertion.repository == "openshift/hypershift" so that even if tokens were somehow issued from a fork, they would be rejected by GCP.

Evidence

Evidence	Detail
Error message	gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into this job
PR source	Fork: bryan-cox/hypershift → openshift/hypershift (head_repo_fork: true)
Trigger event	pull_request (from fork — OIDC tokens blocked by GitHub security policy)
Workflow permissions	id-token: write declared correctly at top level
WIF provider	projects/21066242673/locations/global/workloadIdentityPools/itpc-identity-pool/providers/github-com
GCP project	itpc-gcp-hybrid-pe-eng-claude
Failed step	Step 3: "Authenticate to GCP via WIF" (google-github-actions/auth@v2)
Skipped steps	Steps 4–5 ("Install Claude Code", "Test Claude Code") skipped due to step 3 failure
Workflow file	.github/workflows/claude-wif-test.yaml (new file added in this PR)
GitHub docs	OIDC tokens are not available for fork PRs

---

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/claude-wif-test.yaml (1)

16-16: ⚡ Quick win

Drop checkout unless a later step actually needs repo files.

Nothing in this job reads the repository, so checking out the PR just widens the workspace trust boundary before the credentialed steps run.

✂️ Minimal change

-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-wif-test.yaml at line 16, The workflow currently
runs a uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 step even
though no later step in this job needs repository files; remove that uses:
actions/checkout... step from the job (or gate it behind a conditional if you
later add repo-dependent steps) so the job does not unnecessarily checkout the
repo and widen the workspace trust boundary.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/claude-wif-test.yaml:
- Around line 25-28: The "Install Claude Code" step currently pipes an unpinned
installer (curl | sh) which runs after WIF auth; change it to either (A)
download a specific pinned release of the Claude installer/binary and validate
its SHA256 from Anthropic's signed manifest.json (and verify the manifest
signature with GPG) before extracting/installing, or (B) move the "Install
Claude Code" step to run before the WIF auth step so the installer runs without
provisioned credentials; update the step named "Install Claude Code" and any
related environment/path handling (echo "$HOME/.local/bin" >> $GITHUB_PATH)
accordingly and ensure the workflow fails if signature/checksum verification
does not pass.
- Around line 2-6: Workflow currently triggers credentialed flows on
pull_request (on: pull_request) which can expose WIF/OIDC tokens; change the
trigger to manual-only (remove or disable on: pull_request and keep
workflow_dispatch) or add a guard at job level (e.g., require github.event_name
== 'workflow_dispatch' and exclude forked PRs by checking
github.event.pull_request.head.repo.full_name == github.repository) so no OIDC
token is minted for untrusted runs; additionally, when creating the GCP Workload
Identity Federation trust, constrain the allowed assertion.sub to the
workflow_dispatch-style subject (and optionally repository_owner) so
pull_request-shaped subjects are rejected; and if the workflow downloads and
runs remote installers (curl ... | sh), pin the artifact to a specific digest
and verify signatures before executing to reduce supply-chain risk.

---

Nitpick comments:
In @.github/workflows/claude-wif-test.yaml:
- Line 16: The workflow currently runs a uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 step even though no
later step in this job needs repository files; remove that uses:
actions/checkout... step from the job (or gate it behind a conditional if you
later add repo-dependent steps) so the job does not unnecessarily checkout the
repo and widen the workspace trust boundary.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 10c1fe6e-dac4-40d4-9638-f87022abdd59

📥 Commits

Reviewing files that changed from the base of the PR and between 690af6c and 3d3a94c.

📒 Files selected for processing (1)

• .github/workflows/claude-wif-test.yaml

[openshift-ci]

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[enxebre]

/lgtm

[openshift-merge-bot]

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

• The changed files don't match any pipeline_run_if_changed patterns
• All files match pipeline_skip_if_only_changed patterns
• No pipeline-controlled jobs are defined for the main branch

Use /test ? to see all available tests.

[bryan-cox]

/verified bypass

[openshift-ci-robot]

@bryan-cox: The verified label has been added.

Details

In response to this:

/verified bypass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bryan-cox]

/test-wif