From 77acf22ca8aa0f3ad959dfe98325c5a2cc1daa0e Mon Sep 17 00:00:00 2001
From: Erik Marks <25517051+rekmarks@users.noreply.github.com>
Date: Fri, 20 Feb 2026 12:18:39 -0800
Subject: [PATCH] feat(ci): scope ANTHROPIC_API_KEY to claude-code environment

Adds `environment: claude-code` to the claude job so that the
ANTHROPIC_API_KEY secret can be scoped to a GitHub environment with
branch restrictions, adding defense-in-depth against secret exposure
on unreviewed feature branch workflows.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/claude.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 6b6fbd408..447065323 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -12,6 +12,7 @@ on:
 
 jobs:
   claude:
+    environment: claude-code
     if: |
       (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||