Skip to content

ci: bump anthropics/claude-code-action pin in maint-76-claude-code-review#329

Merged
stranske merged 1 commit intomainfrom
claude/dependabot-updates-counter-risk-jZ8vg
Mar 24, 2026
Merged

ci: bump anthropics/claude-code-action pin in maint-76-claude-code-review#329
stranske merged 1 commit intomainfrom
claude/dependabot-updates-counter-risk-jZ8vg

Conversation

@stranske
Copy link
Owner

@stranske stranske commented Mar 24, 2026
edited by stranske-keepalive bot
Loading

Source: Issue #328

Automated Status Summary

Scope

Bumps the actions-minor group with 2 updates: actions/cache and anthropics/claude-code-action.

Updates actions/cache from 5.0.3 to 5.0.4

Release notes

Sourced from actions/cache's releases.

v5.0.4

What's Changed

New Contributors

Full Changelog: actions/cache@v5...v5.0.4

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

  • Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

Updates anthropics/claude-code-action from 1.0.72 to 1.0.77

Release notes

Sourced from anthropics/claude-code-action's releases.

v1.0.77

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

What's Changed

Full Changelog: anthropics/claude-code-action@v1.0.76...v1.0.77

v1.0.76

Full Changelog: anthropics/claude-code-action@v1...v1.0.76

v1.0.75

Full Changelog: anthropics/claude-code-action@v1...v1.0.75

v1.0.74

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.74

v1.0.73

Full Changelog: anthropics/claude-code-action@v1...v1.0.73

Commits
  • ff9acae Auto-set subprocess env scrub when allowed_non_write_users is configured (#1093)
  • 6062f37 chore: bump Claude Code to 2.1.81 and Agent SDK to 0.2.81
  • df37d2f chore: bump Claude Code to 2.1.79 and Agent SDK to 0.2.79
  • 1ba15be Remove redundant git status/diff/log from tag mode allowlist (#1075)
  • 9ddce40 Restore .claude/ and .mcp.json from PR base branch before CLI runs (#1066)
  • 1b422b3 chore: bump Claude Code to 2.1.78 and Agent SDK to 0.2.77
  • 4c044bb chore: bump Claude Code to 2.1.77 and Agent SDK to 0.2.77
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

Context for Agent

Related Issues/PRs

Tasks

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Acceptance criteria

  • Acceptance criteria section missing from source issue.

Head SHA: f852104
Latest Runs: ✅ success — Gate
Required: gate: ✅ success

Workflow / Job Result Logs
.github/workflows/autofix.yml ❌ failure View run
Agents PR Event Hub ⏭️ skipped View run
Agents PR Meta ❔ in progress View run
Copilot code review ✅ success View run
Dependabot Auto-merge ⏭️ skipped View run
Gate ✅ success View run
Health 45 Agents Guard ✅ success View run

@claude
ci: bump anthropics/claude-code-action to ff9acae5886d41a99ed4ec14b7d…
f852104 
…c147d55834722

From dependabot PR #328 — applying only the maint-76-claude-code-review.yml
change. The agents-auto-pilot.yml change is excluded as that file is managed
by the stranske/Workflows sync.

https://claude.ai/code/session_01D7662TN52iZPqh1HgAFBRQ
Copilot AI review requested due to automatic review settings March 24, 2026 20:42
Copilot AI reviewed Mar 24, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the pinned commit SHA for the Claude Code Review GitHub Action used by the opt-in Claude review workflow, aligning with the maint-76-claude-code-review.yml portion of dependabot PR #328 while avoiding changes to protected synced workflows.

Changes:

  • Bump anthropics/claude-code-action pin from cd77b50... to ff9acae... in the Claude review workflow.

@stranske-keepalive
Copy link
Contributor

stranske-keepalive bot commented Mar 24, 2026

🤖 Keepalive Loop Status

PR #329 | Agent: Codex | Iteration 0/5

Current State

Metric Value
Iteration progress [----------] 0/5
Action wait (missing-agent-label)
Disposition skipped (transient)
Gate success
Tasks 0/9 complete
Timeout 45 min (default)
Timeout usage 5m elapsed (12%, 40m remaining)
Keepalive ❌ disabled
Autofix ❌ disabled

🔍 Failure Classification

| Error type | infrastructure |
| Error category | resource |
| Suggested recovery | Confirm the referenced resource exists (repo, PR, branch, workflow, or file). |

@stranske-keepalive
Copy link
Contributor

stranske-keepalive bot commented Mar 24, 2026

Keepalive Work Log (click to expand)
# Time (UTC) Agent Action Result Files Tasks Progress Commit Gate
0 2026-03-24 20:48:09 Codex wait (missing-agent-label-transient) skipped 0 0/9 success

@stranske stranske merged commit 6dcf60d into main Mar 24, 2026
672 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@stranske @claude