diff --git a/base-action/src/parse-sdk-options.ts b/base-action/src/parse-sdk-options.ts
index 35df281d2..274c4d290 100644
--- a/base-action/src/parse-sdk-options.ts
+++ b/base-action/src/parse-sdk-options.ts
@@ -209,6 +209,14 @@ export function parseSdkOptions(options: ClaudeOptions): ParsedSdkOptions {
 // Build custom environment
 const env: Record = { ...process.env };
+
+ // Strip sensitive GitHub Actions OIDC and runtime token variables.
+ // These allow minting new OIDC tokens and should never be accessible
+ // to the Claude session. See: https://github.com/anthropics/claude-code-action/issues/1010
+ delete env.ACTIONS_ID_TOKEN_REQUEST_URL;
+ delete env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+ delete env.ACTIONS_RUNTIME_TOKEN;
+
 if (process.env.INPUT_ACTION_INPUTS_PRESENT) {
 env.GITHUB_ACTION_INPUTS = process.env.INPUT_ACTION_INPUTS_PRESENT;
 }
diff --git a/base-action/test/parse-sdk-options.test.ts b/base-action/test/parse-sdk-options.test.ts
index 9c1095cef..9ae3b21d2 100644
--- a/base-action/test/parse-sdk-options.test.ts
+++ b/base-action/test/parse-sdk-options.test.ts
@@ -366,5 +366,28 @@ describe("parseSdkOptions", () => {
 "claude-code-github-action",
 );
 });
+
+ test("should strip OIDC token request env vars from sdkOptions.env", () => {
+ const originalEnv = { ...process.env };
+ process.env.ACTIONS_ID_TOKEN_REQUEST_URL =
+ "https://vstoken.actions.githubusercontent.com/.well-known/openid-configuration";
+ process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = "secret-oidc-token";
+ process.env.ACTIONS_RUNTIME_TOKEN = "secret-runtime-token";
+
+ try {
+ const options: ClaudeOptions = {};
+ const result = parseSdkOptions(options);
+
+ expect(
+ result.sdkOptions.env?.ACTIONS_ID_TOKEN_REQUEST_URL,
+ ).toBeUndefined();
+ expect(
+ result.sdkOptions.env?.ACTIONS_ID_TOKEN_REQUEST_TOKEN,
+ ).toBeUndefined();
+ expect(result.sdkOptions.env?.ACTIONS_RUNTIME_TOKEN).toBeUndefined();
+ } finally {
+ process.env = originalEnv;
+ }
+ });
 });
 });
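Review bot: The comment heading the added block describes all three variables as OIDC-minting credentials, but ACTIONS_RUNTIME_TOKEN is the runner's runtime token for the artifact and cache services rather than the OIDC request token, and since this comment is the only record of why each name is on the list it should be precise: `// ACTIONS_ID_TOKEN_REQUEST_{URL,TOKEN} allow minting OIDC tokens; ACTIONS_RUNTIME_TOKEN authorizes the runner's artifact/cache APIs.` The three `delete` statements only affect the `env` copy; parseSdkOptions continues outside the hunk, so if anything later in the function merges caller-supplied environment overrides into `env`, or the SDK is started with `process.env` as a fallback, the values would be reintroduced, and a short comment or test pinning that the strip happens after any such merge would make the guarantee explicit. A single named list, e.g. `export const STRIPPED_ENV_VARS = ["ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN", "ACTIONS_RUNTIME_TOKEN"] as const;` with `for (const key of STRIPPED_ENV_VARS) delete env[key];`, would let the test iterate the same names instead of duplicating them and make future additions a one-line change.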