From f37c786ad3fef8c6035fd753a86993fb7ce58211 Mon Sep 17 00:00:00 2001
From: chyipin
Date: Sat, 4 Apr 2026 23:13:05 -0400
Subject: [PATCH] Strip OIDC token request env vars from Claude session (#1011)

When id-token: write permission is enabled, ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are passed to the Claude session via the process.env spread in parseSdkOptions(). This allows Claude to mint new OIDC tokens, which is an unintended capability. This commit deletes these two variables from the env object before passing it to the Claude SDK. The OIDC flow in token.ts reads directly from process.env and runs before parseSdkOptions(), so it is unaffected. Fixes #1010
---
 base-action/src/parse-sdk-options.ts | 6 ++++++
 base-action/test/parse-sdk-options.test.ts | 21 +++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/base-action/src/parse-sdk-options.ts b/base-action/src/parse-sdk-options.ts
index 35df281..5576117 100644
--- a/base-action/src/parse-sdk-options.ts
+++ b/base-action/src/parse-sdk-options.ts
@@ -215,6 +215,12 @@ export function parseSdkOptions(options: ClaudeOptions): ParsedSdkOptions {
   // Set the entrypoint for Claude Code to identify this as the GitHub Action
   env.CLAUDE_CODE_ENTRYPOINT = "claude-code-github-action";
 
+  // Remove OIDC token request variables so Claude cannot mint new tokens.
+  // These are only needed by the action itself (via @actions/core.getIDToken()),
+  // not by the Claude session.
+  delete env.ACTIONS_ID_TOKEN_REQUEST_URL;
+  delete env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+
   // Build system prompt option - default to claude_code preset
   let systemPrompt: SdkOptions["systemPrompt"];
   if (options.systemPrompt) {
diff --git a/base-action/test/parse-sdk-options.test.ts b/base-action/test/parse-sdk-options.test.ts
index 9c1095c..e76e66c 100644
--- a/base-action/test/parse-sdk-options.test.ts
+++ b/base-action/test/parse-sdk-options.test.ts
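Review bot: The two `delete env.…` lines are a hand-maintained deny-list for a spread of the whole process.env, so any other runner-injected capability variable (ACTIONS_RUNTIME_TOKEN / ACTIONS_RESULTS_URL are the obvious candidates, if they are present in this runner context) still reaches the Claude session unchanged; whether those should be stripped too is worth deciding in the same place rather than one issue at a time. Hoisting the names into a module-level `const STRIPPED_ENV_VARS = ["ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"] as const;` and replacing the two deletes with `for (const name of STRIPPED_ENV_VARS) delete env[name];` makes the list the single thing to extend and lets the test import it. The comment also attributes the need to `@actions/core.getIDToken()` while the commit message says the OIDC flow in token.ts reads process.env directly; pick one so the next reader knows where the consumer actually lives. parseSdkOptions's body begins and ends outside this hunk.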
@@ -366,5 +366,26 @@ describe("parseSdkOptions", () => {
       "claude-code-github-action",
     );
   });
+
+  test("should strip ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN from env", () => {
+    const originalEnv = { ...process.env };
+    process.env.ACTIONS_ID_TOKEN_REQUEST_URL =
+      "https://token.actions.githubusercontent.com";
+    process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = "secret-token-value";
+
+    try {
+      const options: ClaudeOptions = {};
+      const result = parseSdkOptions(options);
+
+      expect(
+        result.sdkOptions.env?.ACTIONS_ID_TOKEN_REQUEST_URL,
+      ).toBeUndefined();
+      expect(
+        result.sdkOptions.env?.ACTIONS_ID_TOKEN_REQUEST_TOKEN,
+      ).toBeUndefined();
+    } finally {
+      process.env = originalEnv;
+    }
+  });
 });
 });
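Review bot: The new test checks that the SDK env lacks the two variables but never checks that process.env still has them after parseSdkOptions returns, which is the property the commit message relies on ("the OIDC flow in token.ts reads directly from process.env … so it is unaffected"); if a later refactor made `env` alias process.env instead of a copy, this test would still pass while the action's own token minting broke. Add, inside the try after the two `toBeUndefined()` checks, `expect(process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN).toBe("secret-token-value");` and the matching line for the URL. Separately, `process.env = originalEnv;` in the finally replaces the runtime's special env object with a plain copy for the rest of the test process (presumably harmless here, but it removes string coercion on later assignments); restoring with `delete process.env.ACTIONS_ID_TOKEN_REQUEST_URL; delete process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;` keeps the original object intact.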