Skip to content

Bump anthropics/claude-code-action from 1.0.54 to 1.0.79#14

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/anthropics/claude-code-action-1.0.79
Open

Bump anthropics/claude-code-action from 1.0.54 to 1.0.79#14
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/anthropics/claude-code-action-1.0.79

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 26, 2026

Bumps anthropics/claude-code-action from 1.0.54 to 1.0.79.

Release notes

Sourced from anthropics/claude-code-action's releases.

v1.0.79

Full Changelog: anthropics/claude-code-action@v1...v1.0.79

v1.0.78

Full Changelog: anthropics/claude-code-action@v1...v1.0.78

v1.0.77

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

What's Changed

Full Changelog: anthropics/claude-code-action@v1.0.76...v1.0.77

v1.0.76

Full Changelog: anthropics/claude-code-action@v1...v1.0.76

v1.0.75

Full Changelog: anthropics/claude-code-action@v1...v1.0.75

v1.0.74

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.74

v1.0.73

Full Changelog: anthropics/claude-code-action@v1...v1.0.73

v1.0.72

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.72

... (truncated)

Commits
  • 3ac52d0 chore: bump Claude Code to 2.1.84 and Agent SDK to 0.2.84
  • 0ee1bee chore: bump Claude Code to 2.1.83 and Agent SDK to 0.2.83
  • ff9acae Auto-set subprocess env scrub when allowed_non_write_users is configured (#1093)
  • 6062f37 chore: bump Claude Code to 2.1.81 and Agent SDK to 0.2.81
  • df37d2f chore: bump Claude Code to 2.1.79 and Agent SDK to 0.2.79
  • 1ba15be Remove redundant git status/diff/log from tag mode allowlist (#1075)
  • 9ddce40 Restore .claude/ and .mcp.json from PR base branch before CLI runs (#1066)
  • 1b422b3 chore: bump Claude Code to 2.1.78 and Agent SDK to 0.2.77
  • 4c044bb chore: bump Claude Code to 2.1.77 and Agent SDK to 0.2.77
  • cd77b50 chore: bump Claude Code to 2.1.76 and Agent SDK to 0.2.76
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump anthropics/claude-code-action from 1.0.54 to 1.0.79
b1351a0 
Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.54 to 1.0.79.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@0cf5eee...3ac52d0)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.79
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 26, 2026
@dependabot dependabot bot mentioned this pull request Mar 26, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants