engine: claude — ANTHROPIC_API_KEY not reaching Claude Code CLI inside sandbox (apiKeySource: none)

[dduran28]

Description

Claude engine workflows fail with EHOSTUNREACH because the ANTHROPIC_API_KEY is not reaching the Claude Code CLI inside the sandbox container. The CLI reports apiKeySource: "none" at init.

Environment

• gh aw CLI: v0.63.0
• Claude Code CLI: 2.1.81 (installed by gh-aw runtime)
• Repo: private, GitHub Teams plan
• OS: ubuntu-latest (GitHub-hosted runner)

Steps to Reproduce

1. Create a simple Claude daemon spec:

---
description: "Test daemon"
strict: false
timeout-minutes: 20
on:
  pull_request:
    types: [opened]
engine:
  id: claude
  model: claude-opus-4-20250514
permissions:
  contents: read
tools:
  github:
    toolsets: [pull_requests]
  bash: true
network:
  allowed: [defaults, api.anthropic.com]
---
# Test
Say hello.

2. Set ANTHROPIC_API_KEY as a repo secret (confirmed via gh secret list)
3. Compile: gh aw compile (succeeds, 0 errors)
4. Push and trigger on a PR

Expected Behavior

Claude Code CLI should receive the API key via the one-shot token mechanism and connect to api.anthropic.com.

Actual Behavior

The workflow runs through all setup steps successfully:

• ✅ Validate ANTHROPIC_API_KEY secret step passes (✅ ANTHROPIC_API_KEY: Configured)
• ✅ API proxy health check passes (✓ Anthropic API proxy is reachable at http://172.30.0.30:10001)
• ✅ ANTHROPIC_AUTH_TOKEN is placeholder value (correct)
• ✅ One-shot token library copied to chroot
• ❌ Claude Code CLI reports apiKeySource: "none" at init
• ❌ All 10 API retry attempts fail with error: "unknown"
• ❌ Final error: API Error: Unable to connect to API (EHOSTUNREACH)

Firewall logs show only 1 request to raw.githubusercontent.com — Claude Code never attempts to reach api.anthropic.com or the API proxy.

Key Log Lines

[health-check] ✓ Anthropic API proxy is reachable at http://172.30.0.30:10001
[entrypoint] One-shot token library copied to chroot at /tmp/awf-lib/one-shot-token.so
[entrypoint] Unsetting sensitive tokens from parent shell environment...
{"apiKeySource":"none","claude_code_version":"2.1.81"}
{"subtype":"api_retry","attempt":1,"error_status":null,"error":"unknown"}
...
{"text":"API Error: Unable to connect to API (EHOSTUNREACH)"}

What I've Tried

• strict: true (default) — same failure
• strict: false — same failure
• network.allowed: [defaults, api.anthropic.com] — same failure
• Upgraded from gh-aw v0.62.5 to v0.63.0 — same failure
• Confirmed ANTHROPIC_API_KEY is a valid repo secret (used successfully by anthropics/claude-code-action@beta in another workflow in the same repo)

Notes

The gh-aw Claude smoke test (smoke-claude.md) in this repo passes. The key difference may be that the smoke test is compiled/run within the gh-aw CI infrastructure, while our workflow is in an external private repo. The compiled lock files look structurally identical.

Failed run: https://github.com/quitgenius/pelago-aiml/actions/runs/23497638247/job/68379397069

[dduran28]

Additional findings from extensive debugging

We've tried 5 different configurations — all fail identically with apiKeySource: "none":

Try	Config	Result
1	network.allowed: [defaults, api.anthropic.com]	EHOSTUNREACH
2	engine.env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}	EHOSTUNREACH
3	engine.version: "2.1.52" (pinned)	EHOSTUNREACH
4	engine: claude (minimal, matching smoke test exactly)	EHOSTUNREACH
5	engine.env: ANTHROPIC_BASE_URL: http://172.30.0.30:10001 + ANTHROPIC_API_KEY: placeholder-token-for-credential-isolation	EHOSTUNREACH

Root cause identified

The entrypoint creates an apiKeyHelper config:

[entrypoint] Claude Code API key helper configured: /usr/local/bin/get-claude-key.sh
[entrypoint] ✓ Created /host/home/runner/.claude.json with apiKeyHelper: /usr/local/bin/get-claude-key.sh

But Claude Code v2.1.81 does not pick this up — it reports apiKeySource: "none" immediately after init. The apiKeyHelper mechanism appears broken in the current CLI version when running inside the chroot sandbox.

The sequence is:

1. Entrypoint strips ANTHROPIC_API_KEY from env ✅
2. Entrypoint writes .claude.json with apiKeyHelper pointing to get-claude-key.sh ✅
3. Entrypoint copies one-shot-token.so to chroot ✅
4. API proxy health check passes ✅ (http://172.30.0.30:10001 is reachable)
5. Claude Code CLI starts, does NOT read apiKeyHelper config ❌
6. Reports apiKeySource: "none" ❌
7. Never attempts any API call (0 requests in firewall logs, only raw.githubusercontent.com for CLAUDE.md)
8. Retries 10x against nothing, EHOSTUNREACH ❌

Key observation

Even setting ANTHROPIC_BASE_URL and ANTHROPIC_API_KEY directly via engine.env doesn't help — the entrypoint overwrites our values with its own apiKeyHelper config regardless.

Environment

• gh-aw CLI: v0.63.0
• gh-aw-firewall agent container: 0.25.0
• Claude Code CLI: 2.1.81 (installed at runtime via npm install -g @anthropic-ai/claude-code@latest)
• Repo: private, GitHub Teams plan
• All 5 failed runs: https://github.com/quitgenius/pelago-aiml/actions?query=workflow%3A%22PR+Helper%22

[dduran28]

Found the likely root cause: config file path mismatch

The AWF entrypoint writes the apiKeyHelper config to:

/host/home/runner/.claude.json

But Claude Code v2.1.81 reads apiKeyHelper from:

~/.claude/settings.json

These are different files. The --bare flag docs confirm: "apiKeyHelper via --settings" — it's a settings key, not a .claude.json key.

In the compiled lock file, the claude command is invoked as:

claude --print --disable-slash-commands --no-chrome --mcp-config ... --verbose --permission-mode bypassPermissions --output-format stream-json "..."

There is NO --settings /home/runner/.claude.json flag. So Claude Code never reads the apiKeyHelper config that the entrypoint wrote.

The gh-aw smoke test may work because:

1. The smoke test repo might have a .claude/settings.json checked into the repo with apiKeyHelper configured
2. Or the smoke test uses a different AWF container image version where the entrypoint writes to the correct path
3. Or the smoke test's Claude Code version reads from .claude.json (older versions may have used this path)

Suggested fix: The entrypoint should either:

• Write apiKeyHelper to ~/.claude/settings.json instead of ~/.claude.json
• OR the compiled lock file should pass --settings /home/runner/.claude.json to the claude command