chore(ci): scope ANTHROPIC_API_KEY to claude-code environment #847

Open
rekmarks wants to merge 1 commit into main from rekm/claude-code-env

rekmarks commented Feb 20, 2026

Scopes the ANTHROPIC_API_KEY secret to a GitHub environment (claude-code) with branch restrictions, adding defense-in-depth against secret exposure from unreviewed feature branch workflows.

Changes

  • Added environment: claude-code to the claude job in .github/workflows/claude.yml

Manual steps required (not automated)

After merging, complete the GitHub settings:

  1. Create the environment: Settings → Environments → New environment → name it claude-code
  2. Restrict to main: Deployment branches and tags → Selected branches and tags → add pattern main
  3. Move the secret: Add ANTHROPIC_API_KEY under the new environment's secrets, then delete the repo-level secret from Settings → Secrets and variables → Actions

Testing

The change is verified by confirming that @claude comments on PRs/issues continue to work after the GitHub settings steps are completed. The issue_comment/pull_request_review_comment event types already run from the default branch, so existing behavior is unchanged.

🤖 Generated with Claude Code


Note

Low Risk
Single-line CI workflow change; main risk is misconfigured GitHub environment/secrets causing the Claude job to lose access to ANTHROPIC_API_KEY.

Overview
Scopes the claude GitHub Actions job to run in the claude-code environment by adding environment: claude-code to .github/workflows/claude.yml, enabling environment-level secret/branch restrictions for ANTHROPIC_API_KEY.

Written by Cursor Bugbot for commit 77acf22. This will update automatically on new commits. Configure here.
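
A check for the three manual steps in the description above, as an added example that is not part of the PR or the repository: it audits parsed responses from GitHub's REST API for the environment, its deployment branch policies, and the repo-level and environment-level Actions secrets. The function name `audit_secret_scoping` is hypothetical and the JSON is constructed sample data.

```python
SECRET = "ANTHROPIC_API_KEY"
ENVIRONMENT = "claude-code"
ALLOWED = {("branch", "main")}  # step 2: only the pattern `main`

def audit_secret_scoping(env, policies, repo_secrets, env_secrets):
    """Return findings; an empty list means all three manual steps are done.

    Arguments are parsed JSON bodies from GitHub's REST API:
      env          GET /repos/{owner}/{repo}/environments/{name}
      policies     GET /repos/{owner}/{repo}/environments/{name}/deployment-branch-policies
      repo_secrets GET /repos/{owner}/{repo}/actions/secrets
      env_secrets  GET /repos/{owner}/{repo}/environments/{name}/secrets
    """
    findings = []
    # Step 1: the environment exists under the name the workflow references.
    if env.get("name") != ENVIRONMENT:
        findings.append(f"environment {ENVIRONMENT!r} not found")
    # Step 2: "Selected branches and tags" is on (null means any branch) ...
    policy = env.get("deployment_branch_policy") or {}
    if not policy.get("custom_branch_policies"):
        findings.append("environment is not limited to selected branch patterns")
    # ... and the pattern list is exactly `main`.
    patterns = {(p.get("type", "branch"), p["name"])
                for p in policies.get("branch_policies", [])}
    for kind, name in sorted(patterns - ALLOWED):
        findings.append(f"unexpected {kind} pattern {name!r} may use the environment")
    if not ALLOWED <= patterns:
        findings.append("pattern 'main' is missing")
    # Step 3: the secret lives in the environment and nowhere else.
    if SECRET not in {s["name"] for s in env_secrets.get("secrets", [])}:
        findings.append(f"{SECRET} is not set on the environment")
    if SECRET in {s["name"] for s in repo_secrets.get("secrets", [])}:
        findings.append(f"{SECRET} still exists as a repo-level secret")
    return findings

# Constructed sample responses (trimmed to the fields the audit reads).
HALF_DONE = dict(
    env={"name": "claude-code", "deployment_branch_policy":
         {"protected_branches": False, "custom_branch_policies": True}},
    policies={"branch_policies": [{"name": "main", "type": "branch"},
                                  {"name": "feature/*", "type": "branch"}]},
    repo_secrets={"secrets": [{"name": "ANTHROPIC_API_KEY"}]},
    env_secrets={"secrets": [{"name": "ANTHROPIC_API_KEY"}]},
)
DONE = dict(HALF_DONE,
            policies={"branch_policies": [{"name": "main", "type": "branch"}]},
            repo_secrets={"secrets": []})

if __name__ == "__main__":
    for label, case in (("half done", HALF_DONE), ("done", DONE)):
        print(label, audit_secret_scoping(**case) or "OK")
```

The repo-level check matters most: while that copy of the secret exists, a job that does not declare `environment: claude-code` can still read it, so the branch restriction protects nothing.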

Adds `environment: claude-code` to the claude job so that the
ANTHROPIC_API_KEY secret can be scoped to a GitHub environment with
branch restrictions, adding defense-in-depth against secret exposure
on unreviewed feature branch workflows.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@rekmarks rekmarks requested a review from a team as a code owner February 20, 2026 20:19
@rekmarks rekmarks changed the title feat(ci): scope ANTHROPIC_API_KEY to claude-code environment chore(ci): scope ANTHROPIC_API_KEY to claude-code environment Feb 20, 2026

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

@github-actions

Coverage Report

Status | Category | Percentage | Covered / Total
🔵 | Lines | 75.98% (⬆️ +0.08%) | 6550 / 8620
🔵 | Statements | 75.87% (⬆️ +0.08%) | 6655 / 8771
🔵 | Functions | 73.79% (🟰 ±0%) | 1639 / 2221
🔵 | Branches | 75.35% (⬆️ +0.18%) | 2416 / 3206

File Coverage: No changed files found.
Generated in workflow #3788 for commit 77acf22 by the Vitest Coverage Report Action
