fix(deps): update anthropics/claude-code-action action to v1.0.89

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
anthropics/claude-code-action	action	patch	v1.0.33 → v1.0.89	v1.0.94 (+4)

---

Release Notes

anthropics/claude-code-action (anthropics/claude-code-action)

v1.0.89

Compare Source

What's Changed

• fix: skip token revocation when no token was acquired by @​Dave-London in #​918
• Use env vars for workflow_run context values in example workflows by @​ddworken in #​1125
• docs: document include/exclude_comments_by_actor inputs by @​yuribodo in #​1130
• fix: use correct fallback type for reviewData in fetcher by @​MaxwellCalkin in #​1034
• Strip OIDC token request env vars from Claude session by @​chyipin in #​1011
• fix: skip retries for non-retryable errors in retryWithBackoff by @​ei-grad in #​1082
• fix: restore ripgrep execute bits after bun install --production by @​qozle in #​1163
• fix: allow # in branch names for PR checkout and base restore by @​qozle in #​1167
• fix: prevent hang in restoreConfigFromBase on repos with .gitmodules by @​qozle in #​1166
• fix: strip shell comment lines before parsing claude_args by @​VoidChecksum in #​1055
• fix: snapshot PR's .claude/ to .claude-pr/ before security restore by @​qozle in #​1172
• chore: fix prettier formatting by @​ashwin-ant in #​1171
• chore: fix prettier formatting in parse-sdk-options.test.ts by @​ashwin-ant in #​1176
• fix: pin bun runtime config and improve log hygiene by @​ashwin-ant in #​1174

New Contributors

• @​yuribodo made their first contribution in #​1130
• @​MaxwellCalkin made their first contribution in #​1034
• @​chyipin made their first contribution in #​1011
• @​ei-grad made their first contribution in #​1082
• @​qozle made their first contribution in #​1163
• @​VoidChecksum made their first contribution in #​1055

Full Changelog: anthropics/claude-code-action@v1...v1.0.89

v1.0.88

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.88

v1.0.87

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.87

v1.0.86

Compare Source

What's Changed

• Fix subprocess isolation install step not running by @​OctavianGuzu in #​1148
• Pass env to execFileSync git calls by @​OctavianGuzu in #​1151

Full Changelog: anthropics/claude-code-action@v1...v1.0.86

v1.0.85

Compare Source

What's Changed

• fix: fall back to repo default_branch instead of hardcoded "main" by @​ashwin-ant in #​1143

Full Changelog: anthropics/claude-code-action@v1...v1.0.85

v1.0.84

Compare Source

What's Changed

• Pin Claude Code to 2.1.87 by @​ashwin-ant in #​1142

Full Changelog: anthropics/claude-code-action@v1...v1.0.84

v1.0.83

Compare Source

What's Changed

• Add subprocess isolation setup and git credential helper by @​OctavianGuzu in #​1132

Full Changelog: anthropics/claude-code-action@v1...v1.0.83

v1.0.82

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.82

v1.0.81

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.81

v1.0.80

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.80

v1.0.79

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.79

v1.0.78

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.78

v1.0.77

Compare Source

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

What's Changed

• Auto-set subprocess env scrub when allowed_non_write_users is configured by @​OctavianGuzu in #​1093

Full Changelog: anthropics/claude-code-action@v1.0.76...v1.0.77

v1.0.76

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.76

v1.0.75

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.75

v1.0.74

Compare Source

What's Changed

• Restore .claude/ and .mcp.json from PR base branch before CLI runs by @​km-anthropic in #​1066
• Remove redundant git status/diff/log from tag mode allowlist by @​ddworken in #​1075

Full Changelog: anthropics/claude-code-action@v1...v1.0.74

v1.0.73

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.73

v1.0.72

Compare Source

What's Changed

• Harden tag mode tool permissions against prompt injection by @​km-anthropic in #​1002

Full Changelog: anthropics/claude-code-action@v1...v1.0.72

v1.0.71

Compare Source

What's Changed

• docs: warn that allowed_bots can expose the action to external triggers by @​an-dustin in #​1039
• feat(inline-comment): add confirmed param + probe-pattern safety net by @​km-anthropic in #​1048

New Contributors

• @​an-dustin made their first contribution in #​1039

Full Changelog: anthropics/claude-code-action@v1...v1.0.71

v1.0.70

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.70

v1.0.69

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.69

v1.0.68

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.68

v1.0.67

Compare Source

What's Changed

• Improve gh.sh wrapper: stricter validation and better error messages by @​OctavianGuzu in #​996

Full Changelog: anthropics/claude-code-action@v1...v1.0.67

v1.0.66

Compare Source

What's Changed

• Only expose permission_denials count in sanitized output by @​ddworken in #​993

Full Changelog: anthropics/claude-code-action@v1...v1.0.66

v1.0.65

Compare Source

What's Changed

• Change the default display_report option to false to restrict exposed data by @​ddworken in #​992

Full Changelog: anthropics/claude-code-action@v1...v1.0.65

v1.0.64

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.64

v1.0.63

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.63

v1.0.62

Compare Source

What's Changed

• Add gh.sh wrapper for gh CLI commands in issue triage workflows by @​OctavianGuzu in #​975

Full Changelog: anthropics/claude-code-action@v1...v1.0.62

v1.0.61

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.61

v1.0.60

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.60

v1.0.59

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.59

v1.0.58

Compare Source

What's Changed

• Add non-write users check workflow by @​OctavianGuzu in #​973

Full Changelog: anthropics/claude-code-action@v1...v1.0.58

v1.0.57

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.57

v1.0.56

Compare Source

What's Changed

• Use wrapper script for label operations in issue triage by @​OctavianGuzu in #​968

Full Changelog: anthropics/claude-code-action@v1...v1.0.56

v1.0.55

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.55

v1.0.54

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.54

v1.0.53

Compare Source

What's Changed

• fix: grant write permissions and use @​main in claude workflow by @​ashwin-ant in #​950
• feat: add display_report option to disable step summary by @​ashwin-ant in #​952

Full Changelog: anthropics/claude-code-action@v1...v1.0.53

v1.0.52

Compare Source

What's Changed

• Fix stale claudeCodeVersion and update bump script to keep run.ts in sync by @​ashwin-ant in #​943
• fix: revert to colon-based wildcard syntax for git permissions by @​ashwin-ant in #​949

Full Changelog: anthropics/claude-code-action@v1...v1.0.52

v1.0.51

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.51

v1.0.50

Compare Source

What's Changed

• revert: undo PR checkout fork support and unique branch naming by @​ashwin-ant in #​937

Full Changelog: anthropics/claude-code-action@v1...v1.0.50

v1.0.49

Compare Source

What's Changed

• fix: replace deprecated :* with modern * wildcard in git permissions by @​Dave-London in #​929
• fix: skip CI MCP server installation when actions:read permission is missing by @​OctavianGuzu in #​933
• Fix/PR checkout branch name conflicts by @​kirisame-wang in #​931

New Contributors

• @​OctavianGuzu made their first contribution in #​933
• @​kirisame-wang made their first contribution in #​931

Full Changelog: anthropics/claude-code-action@v1...v1.0.49

v1.0.48

Compare Source

What's Changed

• Fix PR checkout to support fork PRs by @​Tsuesun in #​851

New Contributors

• @​Tsuesun made their first contribution in #​851

Full Changelog: anthropics/claude-code-action@v1...v1.0.48

v1.0.47

Compare Source

What's Changed

• Update claude-opus-4-5 to claude-opus-4-6 in workflow by @​ashwin-ant in #​909
• fix: skip dev dependencies in CI install step by @​Dave-London in #​919

New Contributors

• @​Dave-London made their first contribution in #​919

Full Changelog: anthropics/claude-code-action@v1...v1.0.47

v1.0.46

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.46

v1.0.45

Compare Source

What's Changed

• fix: use original body from webhook payload for TOCTOU hardening by @​ddworken in #​904
• refactor: simplify mode system by removing Mode interface and registry by @​ashwin-ant in #​899

Full Changelog: anthropics/claude-code-action@v1...v1.0.45

v1.0.44

Compare Source

What's Changed

• refactor: unify action into single composite step with run.ts entrypoint by @​ashwin-ant in #​898

Full Changelog: anthropics/claude-code-action@v1...v1.0.44

v1.0.43

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.43

v1.0.42

Compare Source

What's Changed

• fix: pass OpenTelemetry environment variables to Claude Code subprocess by @​csy1204 in #​886
• fix: pass GitHub token to setup-bun to avoid rate limits by @​peloyeje in #​861

New Contributors

• @​csy1204 made their first contribution in #​886
• @​peloyeje made their first contribution in #​861

Full Changelog: anthropics/claude-code-action@v1...v1.0.42

v1.0.41

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.41

v1.0.40

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.40

v1.0.39

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.39

v1.0.38

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.38

v1.0.37

Compare Source

What's Changed

• feat: add actor-based comment filtering to GitHub data fetching by @​ranyhb in #​812
• Revert "Revert "feat: send additional_permissions in token exchange request"" by @​ashwin-ant in #​866
• Revert "chore: bump Claude Code to 2.1.21 and Agent SDK to 0.2.21" by @​ashwin-ant in #​869

New Contributors

• @​ranyhb made their first contribution in #​812

Full Changelog: anthropics/claude-code-action@v1...v1.0.37

v1.0.36

Compare Source

What's Changed

• Revert "feat: send additional_permissions in token exchange request" by @​ashwin-ant in #​864

Full Changelog: anthropics/claude-code-action@v1...v1.0.36

v1.0.35

Compare Source

What's Changed

• feat: send additional_permissions in token exchange request by @​ashwin-ant in #​859
• chore: upgrade checkout-action to v6 by @​arthur-mountain in #​862

New Contributors

• @​arthur-mountain made their first contribution in #​862

Full Changelog: anthropics/claude-code-action@v1...v1.0.35

v1.0.34

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.34

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This is a patch update from v1.0.33 to v1.0.89 of the anthropics/claude-code-action base action, spanning 56 versions with 106 commits. The update includes primarily bug fixes, security improvements, and feature enhancements:

Key Changes:

• Security Enhancements:

  • Subprocess environment scrubbing for untrusted-input workflows (v1.0.77) - automatically strips credentials from child processes when allowed_non_write_users is configured
  • Restoration of .claude/ and .mcp.json from PR base branch before CLI runs (v1.0.74) to prevent malicious config injection
  • Tool permission hardening against prompt injection for tag mode (v1.0.72)
  • Added gh.sh wrapper for secure GitHub CLI command validation (v1.0.62, v1.0.67)
  • Comment filtering by actor to reduce prompt injection surface (v1.0.37)

• Bug Fixes:

  • Fixed token revocation when no token was acquired (v1.0.89)
  • Restored ripgrep execute bits after production install (v1.0.89)
  • Fixed branch names with # character handling (v1.0.89)
  • Prevented hang in restoreConfigFromBase on repos with .gitmodules (v1.0.89)
  • Fixed snapshot of PR's .claude/ to .claude-pr/ before security restore (v1.0.89)
  • Fixed fallback to repo default_branch instead of hardcoded "main" (v1.0.85)
  • PR checkout now supports fork PRs (v1.0.48-v1.0.49, reverted in v1.0.50)
  • Fixed retry logic for non-retryable errors (v1.0.89)

• Features:

  • Added display_report option to disable step summary (v1.0.53)
  • Actor-based comment filtering support (include_comments_by_actor/exclude_comments_by_actor) (v1.0.37, documented in v1.0.89)
  • Subprocess isolation setup and git credential helper (v1.0.83)
  • Added non-write users check workflow (v1.0.58)

• Infrastructure:

  • Unified action into single composite step with run.ts entrypoint (v1.0.44)
  • Simplified mode system (v1.0.45)
  • Pinned Bun runtime config and improved log hygiene (v1.0.89)
  • Upgraded to actions/checkout@v6 (v1.0.35)

No Breaking Changes Identified: All changes are backward-compatible improvements and bug fixes. The base-action API remains stable with the same inputs (anthropic_api_key, claude_code_oauth_token, claude_args, settings) used in this repository.

🎯 Impact Scope Investigation

Usage Analysis:

• This action uses anthropics/claude-code-action/base-action at a single location: action.yml:109
• The action is invoked with the following inputs that remain compatible:
  • anthropic_api_key: Still supported
  • claude_code_oauth_token: Still supported
  • claude_args: Still supported (used for --allowedTools and --json-schema)
  • settings: Still supported

Current Usage Pattern:

- uses: anthropics/claude-code-action/base-action@<commit-hash>
  with:
    anthropic_api_key: ${{ inputs.anthropic-api-key }}
    claude_code_oauth_token: ${{ inputs.claude-code-oauth-token }}
    claude_args: "--allowedTools ... --json-schema ..."
    settings: ${{ inputs.claude-code-settings }}

This usage pattern is fully compatible with v1.0.89. The update only changes the commit hash reference.

Dependencies:

• No transitive dependency impacts detected
• The action's own dependencies (GitHub CLI, Bun, Node.js) are managed by the base action
• No configuration file changes required

Security Improvements Benefit:
The security enhancements in this update actually improve the safety posture of this action when processing Renovate PRs, as it includes better isolation and protection against prompt injection attacks.

💡 Recommended Actions

Immediate Actions:

• ✅ Merge this PR - The update is safe and backward-compatible
• ✅ All existing functionality will continue to work without modification
• ✅ No code changes required in this repository

Optional Future Enhancements:

• Consider reviewing the new display_report input (added in v1.0.53) if you want to control step summary visibility
• The actor-based comment filtering feature is now documented and could be useful for future use cases

No Migration Steps Required

🔗 Reference Links

• v1.0.89 Release Notes
• Full Changelog v1.0.33...v1.0.89
• anthropics/claude-code-action Repository

Generated by koki-develop/claude-renovate-review