@benissimo
Created May 26, 2026 13:16
Anthropic API authentication via GitHub Actions Workload Identity Federation (WIF) — minimal proof-of-concept. Used as evidence in a gh-aw-firewall feature request.
# Proof-of-concept: authenticate to the Anthropic API from GitHub Actions
# via Workload Identity Federation (WIF) — no long-lived ANTHROPIC_API_KEY.
#
# Verified working end-to-end against the existing Anthropic API tier
# (no Enterprise contract required). Full exchange in ~3 seconds.
#
# Audit event from a successful run shows outcome: success, with
# user_agent: anthropic-python/0.104.1, subject: repo:OWNER/REPO:
# ref:refs/heads/main, requested_service_account_id matching the
# configured service account.
#
# IDs below are placeholders — substitute your own from Claude Console
# (Settings -> Workload identity for the rule + issuer, Settings ->
# Service accounts for the service account, Settings -> Organization
# for the org UUID). Federation rule should pin subject_prefix to the
# specific repo + ref you intend to dispatch from, with audience
# https://api.anthropic.com.
name: WIF POC
on:
  workflow_dispatch:
permissions:
  id-token: write   # required so the job can request a GitHub OIDC token
  contents: read
jobs:
  call-claude-via-wif:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    env:
      ANTHROPIC_FEDERATION_RULE_ID: fdrl_xxxxxxxxxxxxxxxxxxxxxxxx
      ANTHROPIC_ORGANIZATION_ID: 00000000-0000-0000-0000-000000000000
      ANTHROPIC_SERVICE_ACCOUNT_ID: svac_xxxxxxxxxxxxxxxxxxxxxxxx
      ANTHROPIC_IDENTITY_TOKEN_FILE: /tmp/gha-jwt
    steps:
      - name: Fetch GitHub OIDC token
        run: |
          # -f: fail on HTTP errors; jq -e: fail if .value is missing or null,
          # so the literal string "null" is never written as the token.
          curl -sSf -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://api.anthropic.com" \
            | jq -er .value > "$ANTHROPIC_IDENTITY_TOKEN_FILE"
          test -s "$ANTHROPIC_IDENTITY_TOKEN_FILE"
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install Anthropic SDK
        run: pip install --quiet anthropic
      - name: Call Claude via WIF
        run: |
          python - <<'PY'
          from anthropic import Anthropic

          # No api_key argument: the client is configured by the
          # ANTHROPIC_* environment variables set in env above.
          client = Anthropic()
          msg = client.messages.create(
              model="claude-sonnet-4-6",
              max_tokens=64,
              messages=[{"role": "user", "content": "Respond with exactly: WIF exchange succeeded."}],
          )
          print(msg.content[0].text)
          PY
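
The header comment asks for a federation rule pinned to a specific repo + ref with audience https://api.anthropic.com. The following is an added example, not part of the original gist, that decodes the claims of the token written to ANTHROPIC_IDENTITY_TOKEN_FILE and reports mismatches against the intended rule before the exchange is attempted. Assumptions: `subject_prefix` is compared as a plain string prefix of `sub`, the function names are hypothetical, the tokens are constructed samples, and the signature is not verified here.

```python
import base64
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying its signature (debug only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, audience: str, subject_prefix: str) -> list[str]:
    """Return a list of mismatches between the token and the intended rule."""
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append(f"unexpected iss: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include {audience!r}")
    # Assumption: subject_prefix is compared as a plain string prefix of `sub`.
    if not str(claims.get("sub", "")).startswith(subject_prefix):
        problems.append(f"sub {claims.get('sub')!r} lacks prefix {subject_prefix!r}")
    return problems


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed, not a real JWT)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


AUD = "https://api.anthropic.com"
PINNED = "repo:OWNER/REPO:ref:refs/heads/main"
LOOSE = "repo:OWNER/REPO"  # no trailing delimiter: also matches OWNER/REPO-other

main_run = _constructed_token({"iss": GITHUB_ISSUER, "aud": AUD, "sub": PINNED})
other_repo = _constructed_token(
    {"iss": GITHUB_ISSUER, "aud": AUD, "sub": "repo:OWNER/REPO-other:ref:refs/heads/main"})

if __name__ == "__main__":
    print(check_claims(jwt_claims(main_run), AUD, PINNED))    # no mismatches
    print(check_claims(jwt_claims(other_repo), AUD, PINNED))  # sub mismatch reported
    print(check_claims(jwt_claims(other_repo), AUD, LOOSE))   # loose prefix accepts it
```

Under the stated prefix-matching assumption, the last call shows why the rule should carry the full `repo:OWNER/REPO:ref:...` subject rather than a bare repository name.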