From 7af0f54bf03e92278b750145445fc0bee7b6190d Mon Sep 17 00:00:00 2001
From: Maxwell Calkin
Date: Sun, 8 Mar 2026 07:52:04 -0400
Subject: [PATCH] Strip OIDC token request env vars from Claude session environment
The Claude session inherits the full process.env, which includes ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN, and ACTIONS_RUNTIME_TOKEN when the workflow has `id-token: write` permission. This allows the Claude session to call GitHub's OIDC token endpoint and mint arbitrary tokens, escalating privileges beyond what was intended. These variables are only needed by the action itself (in token.ts for initial authentication) and should never be passed to the Claude SDK session.
Fixes #1010
---
 base-action/src/parse-sdk-options.ts | 8 ++++++++
 base-action/test/parse-sdk-options.test.ts | 23 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/base-action/src/parse-sdk-options.ts b/base-action/src/parse-sdk-options.ts
index 35df281d2..274c4d290 100644
--- a/base-action/src/parse-sdk-options.ts
+++ b/base-action/src/parse-sdk-options.ts
@@ -209,6 +209,14 @@ export function parseSdkOptions(options: ClaudeOptions): ParsedSdkOptions {
 // Build custom environment
 const env: Record = { ...process.env };
+
+ // Strip sensitive GitHub Actions OIDC and runtime token variables.
+ // These allow minting new OIDC tokens and should never be accessible
+ // to the Claude session. See: https://github.com/anthropics/claude-code-action/issues/1010
+ delete env.ACTIONS_ID_TOKEN_REQUEST_URL;
+ delete env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+ delete env.ACTIONS_RUNTIME_TOKEN;
+
 if (process.env.INPUT_ACTION_INPUTS_PRESENT) {
 env.GITHUB_ACTION_INPUTS = process.env.INPUT_ACTION_INPUTS_PRESENT;
 }
diff --git a/base-action/test/parse-sdk-options.test.ts b/base-action/test/parse-sdk-options.test.ts
index 9c1095cef..9ae3b21d2 100644
--- a/base-action/test/parse-sdk-options.test.ts
+++ b/base-action/test/parse-sdk-options.test.ts
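Review bot: The three `delete env.…` lines are a hard-coded deny-list with no single source of truth, so the test file has to repeat the same three names and a future addition (or a change in token.ts, which the commit message says still consumes these variables) can silently drift. I would hoist the names into an exported module-level `const STRIPPED_ACTIONS_ENV_VARS = ["ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN", "ACTIONS_RUNTIME_TOKEN"] as const;` and replace the three deletes with `for (const name of STRIPPED_ACTIONS_ENV_VARS) delete env[name];` so the test can iterate the same list. The added comment lumps all three under "allow minting new OIDC tokens", but as far as I know ACTIONS_RUNTIME_TOKEN is the runner's bearer token for the artifact/cache services rather than an OIDC credential, so the comment should say so to stop a maintainer from dropping it as redundant, e.g. `// ACTIONS_ID_TOKEN_REQUEST_{URL,TOKEN} let a caller mint OIDC tokens; ACTIONS_RUNTIME_TOKEN authenticates to the runner's artifact/cache services.` Stripping the copy only helps if the SDK starts the session with `env` alone and does not merge `process.env` back in, which I cannot confirm from this hunk. parseSdkOptions starts before and ends after the hunk.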
@@ -366,5 +366,28 @@ describe("parseSdkOptions", () => {
 "claude-code-github-action",
 );
 });
+
+ test("should strip OIDC token request env vars from sdkOptions.env", () => {
+ const originalEnv = { ...process.env };
+ process.env.ACTIONS_ID_TOKEN_REQUEST_URL =
+ "https://vstoken.actions.githubusercontent.com/.well-known/openid-configuration";
+ process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = "secret-oidc-token";
+ process.env.ACTIONS_RUNTIME_TOKEN = "secret-runtime-token";
+
+ try {
+ const options: ClaudeOptions = {};
+ const result = parseSdkOptions(options);
+
+ expect(
+ result.sdkOptions.env?.ACTIONS_ID_TOKEN_REQUEST_URL,
+ ).toBeUndefined();
+ expect(
+ result.sdkOptions.env?.ACTIONS_ID_TOKEN_REQUEST_TOKEN,
+ ).toBeUndefined();
+ expect(result.sdkOptions.env?.ACTIONS_RUNTIME_TOKEN).toBeUndefined();
+ } finally {
+ process.env = originalEnv;
+ }
+ });
 });
 });
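Review bot: The three assertions read `result.sdkOptions.env?.…`, so if parseSdkOptions ever stopped populating `sdkOptions.env` every `toBeUndefined()` would still pass and this regression guard would be vacuous; add `expect(result.sdkOptions.env).toBeDefined();` directly after the `parseSdkOptions(options)` call and drop the `?.`. The test also never checks that the real `process.env` is left intact, which matters because the commit message says token.ts still needs these variables; one line inside the `try` such as `expect(process.env.ACTIONS_RUNTIME_TOKEN).toBe("secret-runtime-token");` pins that only the copy is stripped. A positive control would catch an over-broad filter: set an unrelated variable such as `process.env.SOME_UNRELATED_VAR = "keep-me"` before the call and assert it is still present on `result.sdkOptions.env`. The enclosing describe block starts before this hunk.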