claude-code-action fails when actions/checkout uses persist-credentials: false #1236

@Guthman

Summary

anthropics/claude-code-action@v1 fails during branch setup when the preceding actions/checkout step is configured with persist-credentials: false. The action's setupBranch runs git fetch origin <ref> before configuring its own git auth, so with no persisted credentials the fetch exits with could not read Username for 'https://github.com'.

This blocks users from following zizmor's artipacked recommendation, which is the mitigation for the well-known class of bugs where a persisted GITHUB_TOKEN leaks via artifact upload or a later step reading .git/config.

Reproduction

Use the template generated by /install-github-app, but add persist-credentials: false to the checkout step:

steps:
  - name: Checkout repository
    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
    with:
      fetch-depth: 1
      persist-credentials: false

  - name: Run Claude Code
    uses: anthropics/claude-code-action@38ec876110f9fbf8b950c79f534430740c3ac009 # v1
    with:
      claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Trigger the workflow (e.g. by @claude in an issue comment).

Actual behaviour

Source branch SHA: <sha>
Creating local branch claude/issue-<n>-<ts> for issue #<n> from source branch: master...
Fetching and checking out source branch: master
fatal: could not read Username for 'https://github.com': No such device or address
Error in branch setup: ...
    at execGit (/home/runner/work/_actions/anthropics/claude-code-action/<sha>/src/github/operations/branch.ts:123:3)
    at setupBranch (/home/runner/work/_actions/anthropics/claude-code-action/<sha>/src/github/operations/branch.ts:299:5)
    at async prepareTagMode (/home/runner/work/_actions/anthropics/claude-code-action/<sha>/src/modes/tag/index.ts:66:28)
    at async run (/home/runner/work/_actions/anthropics/claude-code-action/<sha>/src/entrypoints/run.ts:216:17)

error: Command failed: git fetch origin master --depth=1

Expected behaviour

The action should be usable without relying on credentials persisted by actions/checkout. It already receives an OAuth token and can exchange it for an installation token (that flow already exists in configureGitAuth). Running that auth setup before any git fetch in setupBranch — or accepting an explicit github_token input used for the fetch — would let users keep persist-credentials: false on checkout.

Related

Workaround

Drop persist-credentials: false from the checkout step and strip the persisted header in a trailing step:

- name: Strip persisted git credentials
  if: always()
  run: git config --unset-all http.https://github.com/.extraheader || true

This keeps the action working but leaves the token in .git/config for the duration of the action's own steps, so it is not equivalent to the zizmor recommendation.

Separately — unrelated nit about the generated template

The workflow files produced by /install-github-app reference actions/checkout@v4 and anthropics/claude-code-action@v1 by mutable tag, which fails zizmor's unpinned-uses audit (a hard error in the default config). Templates that follow <action>@<sha> # <tag> would pass out of the box. Flagging for awareness; happy to open a separate issue if preferred.

Environment

  • Runner: ubuntu-latest
  • actions/checkout: v6 (de0fac2e4500dabe0009e67214ff5f5447ce83dd)
  • anthropics/claude-code-action: v1 (38ec876110f9fbf8b950c79f534430740c3ac009)
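
The check behind the workaround above, as an added example that is not part of the original issue or of the action's code: a guard that lists any `http.*.extraheader` key left in a checkout's .git/config (key names only, never values), fails if one is found, and strips it with a re-check rather than `|| true`. The function names and the sample repository are constructed for illustration, and only the repository's own .git/config is inspected.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or the action's code base).
# Scope: only the repository's own .git/config is inspected, the location
# the issue names; all function names here are hypothetical.

# List matching config keys only; values are never printed, so the
# token cannot reach the job log.
persisted_cred_keys() {
  { git -C "$1" config --local --name-only \
      --get-regexp '^http\..*\.extraheader$' 2>/dev/null || true; } | sort -u
}

# Guard for use before an artifact upload: fail if a credential header remains.
assert_no_persisted_creds() {
  local keys
  keys=$(persisted_cred_keys "$1")
  [ -z "$keys" ] && return 0
  printf 'persisted credential header in %s/.git/config: %s\n' "$1" "$keys" >&2
  return 1
}

# Remove every matching header, then re-check instead of assuming success.
strip_persisted_creds() {
  local key
  persisted_cred_keys "$1" | while IFS= read -r key; do
    git -C "$1" config --local --unset-all "$key"
  done
  assert_no_persisted_creds "$1"
}

# Constructed scenario: a throwaway repo carrying a fake header under the
# key the workaround step unsets.
make_sample_repo() {
  local repo
  repo=$(mktemp -d)
  git init -q "$repo"
  git -C "$repo" config --local http.https://github.com/.extraheader \
      'AUTHORIZATION: basic CONSTRUCTED-NOT-A-TOKEN'
  printf '%s\n' "$repo"
}
```

In a workflow, `assert_no_persisted_creds "$GITHUB_WORKSPACE"` would run in a step placed before any artifact upload, so a leftover header fails the job instead of shipping inside the artifact.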

Labels: area:permissions, bug (Something isn't working), p2 (Non-showstopper bug or popular feature request)