From c95e735eb1465b47ba61af98accc1df72b3c6fa4 Mon Sep 17 00:00:00 2001
From: Octavian Guzu <oct@anthropic.com>
Date: Thu, 2 Apr 2026 14:05:08 +0100
Subject: [PATCH] Fix subprocess isolation install step never running (#1148)

env context isn't available in composite-action if: conditions.
Move opt-out check into run: body.

:house: Remote-Dev: homespace
---
 action.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index 41db76a..46a83fb 100644
--- a/action.yml
+++ b/action.yml
@@ -198,10 +198,14 @@ runs:
     - name: Install subprocess isolation dependencies
       # Install subprocess isolation dependencies when processing content from non-write users.
       # Best-effort: skips on non-Linux or when sudo/apt unavailable (self-hosted runners).
-      if: ${{ inputs.allowed_non_write_users != '' && env.CLAUDE_CODE_SUBPROCESS_ENV_SCRUB != '0' && runner.os == 'Linux' }}
+      if: ${{ inputs.allowed_non_write_users != '' && runner.os == 'Linux' }}
       continue-on-error: true
       shell: bash
       run: |
+        if [ "${CLAUDE_CODE_SUBPROCESS_ENV_SCRUB:-}" = "0" ]; then
+          echo "Subprocess isolation opted out via CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=0"
+          exit 0
+        fi
         if command -v apt-get >/dev/null && command -v sudo >/dev/null; then
           for i in 1 2 3; do
             sudo apt-get update -qq && sudo apt-get install -y --no-install-recommends bubblewrap socat && break