Major Update for Pro / Max subscriber using @claude github action
TLDR;
- Releasing a new Claude Installer script which enable
@claudeon any of your repo in under a minute. - Fixing issues with previous oauth implementation. (tokens expiring and conflict with local setup)
Full Article
It has been a whole month that Anthropic released its @claude github action. Yet there is still no clear communications about supporting Pro and Max subscriptions (see github issue).
Few days after the launch, I released this oauth fork allowing Max / Pro subscribers to use @claude on github without creating a new API key and paying per usage.
The fork has worked great for many users and I saw quite a lot of engagement around it.
However there were quite a few issues around our approach to authenticate with the Pro / Max subscription:
- Authentication tokens copied from the local environment would eventually expire after 8 hours of being created. This would make the action fail and required manual intervention to update the tokens.
- Copying local authentication tokens would not properly create a new oauth authentication chain in the CI environment. This issue would manifest when refreshing token locally for example invalidating the CI authentication tokens.
- By solving the 2 issues above, the setup became slightly more complex. A couple of github actions are required and a few steps in the github UI are required to properly configure
@claudeon your own repo.
The community has quickly gathered around this issue to fix the token expiry problem.
Together we tried and explored many options before finding the ideal solution: a new one-time use github action that performs the login flow for you directly from within the github UI and set the necessary secrets on your repo.
Because the new login github action let you perform the whole authentication flow from within the CI environment, it creates also a whole independent oauth chain meaning there is no more conflict with your local credentials.
In addition to the new github action, we also updated the claude-code-action fork. It now reads the expiry date value. If it detects that the tokens are expired or will expire in less than an hour then it will automatically refresh the tokens (and the corresponding github secrets).
Because both actions write to your repository secrets, a github personal access token (PAT) must be created allowing secrets:write permission on your repository. This corresponds to the new inputs secrets_admin_pat that you can find on both grll/claude-code-action and grll/claude-code-login as in:
- name: Run Claude PR Action
uses: grll/claude-code-action@beta
with:
use_oauth: true
claude_access_token: ${{ secrets.CLAUDE_ACCESS_TOKEN }}
claude_refresh_token: ${{ secrets.CLAUDE_REFRESH_TOKEN }}
claude_expires_at: ${{ secrets.CLAUDE_EXPIRES_AT }}
secrets_admin_pat: ${{ secrets.SECRETS_ADMIN_PAT }}
timeout_minutes: "60"
For backward compatibility and also to not force anyone uncomfortable with the idea of using PAT, the grll/claude-code-action would still work even without the secrets_admin_pat specified but it won't refresh the tokens when reaching expiry.
Finally and maybe most importantly, because it has become quite a few things to configure manually (couple github workflows, PAT token to create etc..) I have wrapped the whole procedure in a bash script. The new Claude Installer allows you in one command to set everything up for your repository.
Here is how it works:
# cd into your repo
bash <(curl -fsSL https://raw.githubusercontent.com/grll/claude-code-action/main/scripts/installer.sh)
And that's it! The script will setup the 2 github workflows, prompt you to create a PAT and will guide you through the rest:
