OIDC token exchange rejects pull_request_target events #713

@danielorbach

Description

Describe the bug
The action code supports pull_request_target events (added in PR #759, issue #347), but the Anthropic OIDC token exchange endpoint (https://api.anthropic.com/api/github/github-app-token-exchange) rejects OIDC tokens from pull_request_target triggers with an "Invalid OIDC token" error.

To Reproduce

  1. Create a workflow with pull_request_target trigger
  2. Ensure proper permissions (id-token: write, contents: read, pull-requests: write)
  3. Open a PR to trigger the workflow
  4. See error: Error: Failed to setup GitHub token: Error: Invalid OIDC token

Expected behavior
The OIDC token exchange should succeed for pull_request_target events, just as it does for pull_request events.

Screenshots

Workflow yml file

on:
  pull_request_target:
    types: [opened, synchronize]
    paths:
      - '.github/workflows/**'

permissions:
  id-token: write
  contents: read
  pull-requests: write

jobs:
  review:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          prompt: "Review this PR"
          allowed_bots: "dependabot[bot]"
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

API Provider

  • Anthropic First-Party API (default)
  • AWS Bedrock
  • GCP Vertex

Additional context
This is in the context of reviewing Dependabot PRs that modify workflow files. Using pull_request_target is necessary because:

  1. When Dependabot updates workflow files, using pull_request would run the modified (untrusted) workflow
  2. pull_request_target runs the trusted workflow from the base branch

Security-wise, forks are not relevant in this use case because the workflow is guarded with github.actor == 'dependabot[bot]', ensuring only Dependabot can trigger it.

GitHub Actions OIDC tokens include an event_name claim. The Anthropic backend appears to validate this against an allowlist that doesn't include pull_request_target.

Workaround
Use pull_request trigger instead (with the limitation that workflow file changes will run the modified workflow, which may be a security concern).

Related
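To make the inferred behaviour concrete, here is an added example (not code from the issue, the action, or the Anthropic backend) of a claim policy that gates a GitHub Actions OIDC token on its event_name claim. The allowlist contents, audience, repository and the placeholder signature are constructed for the demo; the issue only confirms that pull_request is accepted and pull_request_target is not, and signature verification against GitHub's JWKS is assumed to have happened before the claims are evaluated.

```python
import base64
import json
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for offline testing. Constructed sample only:
    the signature segment is a placeholder, not a real GitHub RS256 signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Extract the claim set. Assumes the signature was already verified
    against GitHub's JWKS; this helper deliberately does not verify it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_token(claims: dict, allowed_events: frozenset, now=None) -> tuple[bool, str]:
    """Claim policy of the kind the issue infers: expected issuer, unexpired,
    and event_name on an allowlist. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    event = claims.get("event_name")
    if event not in allowed_events:
        return False, f"event_name {event!r} not in allowlist"
    return True, "ok"


# Assumed allowlists: the issue only shows pull_request accepted; the widened
# set adds pull_request_target, which is what the report asks for.
INFERRED_ALLOWLIST = frozenset({"pull_request"})
WIDENED_ALLOWLIST = INFERRED_ALLOWLIST | {"pull_request_target"}


def check_event(event_name: str, allowlist=INFERRED_ALLOWLIST) -> tuple[bool, str]:
    """Construct a sample token for the given trigger and evaluate it."""
    claims = {"iss": GITHUB_ISSUER, "aud": "example-audience",  # constructed values
              "sub": "repo:example/repo:pull_request", "repository": "example/repo",
              "actor": "dependabot[bot]", "event_name": event_name,
              "exp": int(time.time()) + 300}
    return evaluate_token(decode_claims(make_unsigned_token(claims)), allowlist)


if __name__ == "__main__":
    for ev in ("pull_request", "pull_request_target"):
        print(ev, check_event(ev), check_event(ev, WIDENED_ALLOWLIST))
```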
