anthropics · nathanclevenger · Oct 14, 2025 · Oct 18, 2025 · Oct 19, 2025 · Oct 30, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: oven-sh/setup-bun@v2
         with:
@@ -24,7 +24,7 @@ jobs:
   prettier:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: oven-sh/setup-bun@v1
         with:
@@ -39,7 +39,7 @@ jobs:
   typecheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: oven-sh/setup-bun@v2
         with:

diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
@@ -13,7 +13,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -25,7 +25,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,7 +19,7 @@ jobs:
       next_version: ${{ steps.next_version.outputs.next_version }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -91,7 +91,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -116,7 +116,7 @@ jobs:
     environment: production
     steps:
       - name: Checkout base-action repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: anthropics/claude-code-base-action
           token: ${{ secrets.CLAUDE_CODE_BASE_ACTION_PAT }}

diff --git a/CLAUDE.md b/CLAUDE.md
@@ -2,6 +2,53 @@
 
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 
+## ⚠️ CRITICAL: Repository Context
+
+This is a **FORK** of `anthropics/claude-code-action`. This repository is `dot-do/claude-code-action`.
+
+### Pull Request Rules
+
+**NEVER create PRs against `anthropics/claude-code-action`**
+
+- ✅ **CORRECT**: Create PRs in `dot-do/claude-code-action` (this repository)
+- ❌ **WRONG**: Create PRs in `anthropics/claude-code-action` (upstream)
+
+When using `gh pr create`, ALWAYS specify the repository explicitly:
+
+```bash
+# CORRECT - Specify our fork explicitly
+gh pr create --repo dot-do/claude-code-action --base main --title "..." --body "..."
+
+# WRONG - Default behavior may target upstream
+gh pr create --title "..." --body "..."
+```
+
+### Repository Structure
+
+```
+origin   → https://github.com/dot-do/claude-code-action.git      (OUR FORK)
+upstream → https://github.com/anthropics/claude-code-action.git  (UPSTREAM)
+```
+
+**Default behavior**: `gh pr create` targets the upstream repository when working in a fork. This is NOT what we want.
+
+### Syncing with Upstream
+
+To pull changes from upstream Anthropic repository:
+
+```bash
+git fetch upstream
+git merge upstream/main
+git push origin main
+```
+
+### Why This Matters
+
+- **Upstream pollution**: Creating PRs in upstream confuses Anthropic maintainers
+- **Wrong codebase**: Our fork has custom modifications specific to `.do` platform
+- **Permission issues**: We don't have merge rights in upstream repository
+- **Workflow disruption**: PRs in wrong repo waste time and create confusion
+
 ## Development Tools
 
 - Runtime: Bun 1.2.11

diff --git a/action.yml b/action.yml
@@ -246,7 +246,7 @@ runs:
         VERTEX_REGION_CLAUDE_3_7_SONNET: ${{ env.VERTEX_REGION_CLAUDE_3_7_SONNET }}
 
     - name: Update comment with job link
-      if: steps.prepare.outputs.contains_trigger == 'true' && steps.prepare.outputs.claude_comment_id && always()
+      if: steps.prepare.outputs.contains_trigger == 'true' && steps.prepare.outputs.claude_comment_id && !cancelled()
       shell: bash
       run: |
         bun run ${GITHUB_ACTION_PATH}/src/entrypoints/update-comment-link.ts

diff --git a/base-action/README.md b/base-action/README.md
@@ -85,29 +85,32 @@ Add the following to your workflow file:
 
 ## Inputs
 
-| Input                     | Description                                                                                       | Required | Default                      |
-| ------------------------- | ------------------------------------------------------------------------------------------------- | -------- | ---------------------------- |
-| `prompt`                  | The prompt to send to Claude Code                                                                 | No\*     | ''                           |
-| `prompt_file`             | Path to a file containing the prompt to send to Claude Code                                       | No\*     | ''                           |
-| `allowed_tools`           | Comma-separated list of allowed tools for Claude Code to use                                      | No       | ''                           |
-| `disallowed_tools`        | Comma-separated list of disallowed tools that Claude Code cannot use                              | No       | ''                           |
-| `max_turns`               | Maximum number of conversation turns (default: no limit)                                          | No       | ''                           |
-| `mcp_config`              | Path to the MCP configuration JSON file, or MCP configuration JSON string                         | No       | ''                           |
-| `settings`                | Path to Claude Code settings JSON file, or settings JSON string                                   | No       | ''                           |
-| `system_prompt`           | Override system prompt                                                                            | No       | ''                           |
-| `append_system_prompt`    | Append to system prompt                                                                           | No       | ''                           |
-| `claude_env`              | Custom environment variables to pass to Claude Code execution (YAML multiline format)             | No       | ''                           |
-| `model`                   | Model to use (provider-specific format required for Bedrock/Vertex)                               | No       | 'claude-4-0-sonnet-20250219' |
-| `anthropic_model`         | DEPRECATED: Use 'model' instead                                                                   | No       | 'claude-4-0-sonnet-20250219' |
-| `fallback_model`          | Enable automatic fallback to specified model when default model is overloaded                     | No       | ''                           |
-| `anthropic_api_key`       | Anthropic API key (required for direct Anthropic API)                                             | No       | ''                           |
-| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key)                                        | No       | ''                           |
-| `use_bedrock`             | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                       | No       | 'false'                      |
-| `use_vertex`              | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                     | No       | 'false'                      |
-| `use_node_cache`          | Whether to use Node.js dependency caching (set to true only for Node.js projects with lock files) | No       | 'false'                      |
+| Input                     | Description                                                                                                             | Required | Default                      |
+| ------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------- |
+| `prompt`                  | The prompt to send to Claude Code                                                                                       | No\*     | ''                           |
+| `prompt_file`             | Path to a file containing the prompt to send to Claude Code                                                             | No\*     | ''                           |
+| `allowed_tools`           | Comma-separated list of allowed tools for Claude Code to use                                                            | No       | ''                           |
+| `disallowed_tools`        | Comma-separated list of disallowed tools that Claude Code cannot use                                                    | No       | ''                           |
+| `max_turns`               | Maximum number of conversation turns (default: no limit)                                                                | No       | ''                           |
+| `mcp_config`              | Path to the MCP configuration JSON file, or MCP configuration JSON string                                               | No       | ''                           |
+| `settings`                | Path to Claude Code settings JSON file, or settings JSON string                                                         | No       | ''                           |
+| `system_prompt`           | Override system prompt                                                                                                  | No       | ''                           |
+| `append_system_prompt`    | Append to system prompt                                                                                                 | No       | ''                           |
+| `claude_env`              | Custom environment variables to pass to Claude Code execution (YAML multiline format)                                   | No       | ''                           |
+| `model`                   | Model to use (provider-specific format required for Bedrock/Vertex)                                                     | No       | 'claude-4-0-sonnet-20250219' |
+| `anthropic_model`         | DEPRECATED: Use 'model' instead                                                                                         | No       | 'claude-4-0-sonnet-20250219' |
+| `fallback_model`          | Enable automatic fallback to specified model when default model is overloaded                                           | No       | ''                           |
+| `anthropic_api_key`       | Anthropic API key (required for direct Anthropic API)                                                                   | No       | ''                           |
+| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key)                                                              | No       | ''                           |
+| `use_bedrock`             | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                             | No       | 'false'                      |
+| `use_vertex`              | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                           | No       | 'false'                      |
+| `use_node_cache`          | Whether to use Node.js dependency caching (set to true only for Node.js projects with lock files)                       | No       | 'false'                      |
+| `show_full_output`        | Show full JSON output (⚠️ May expose secrets - see [security docs](../docs/security.md#️-full-output-security-warning)) | No       | 'false'\*\*                  |
 
 \*Either `prompt` or `prompt_file` must be provided, but not both.
 
+\*\*`show_full_output` is automatically enabled when GitHub Actions debug mode is active. See [security documentation](../docs/security.md#️-full-output-security-warning) for important security considerations.
+
 ## Outputs
 
 | Output           | Description                                                |
@@ -336,7 +339,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

diff --git a/base-action/examples/issue-triage.yml b/base-action/examples/issue-triage.yml
@@ -32,7 +32,7 @@ jobs:
                   "--rm",
                   "-e",
                   "GITHUB_PERSONAL_ACCESS_TOKEN",
-                  "ghcr.io/github/github-mcp-server:sha-7aced2b"
+                  "ghcr.io/github/github-mcp-server:sha-23fa0dd"
                 ],
                 "env": {
                   "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}"

diff --git a/base-action/src/index.ts b/base-action/src/index.ts
@@ -2,14 +2,28 @@
 
 import * as core from "@actions/core";
 import { preparePrompt } from "./prepare-prompt";
-import { runClaude } from "./run-claude";
+import { runClaudeWithRetry } from "./run-claude";
 import { setupClaudeCodeSettings } from "./setup-claude-code-settings";
 import { validateEnvironmentVariables } from "./validate-env";
+import { startProxyServer, getProxyUrl, shouldUseProxy } from "./proxy-server";
 
 async function run() {
   try {
     validateEnvironmentVariables();
 
+    // Start local HTTP proxy server for claude-lb (supports multiple modes)
+    const proxyPort = await startProxyServer();
+
+    // Only route through proxy if credentials are available
+    if (shouldUseProxy()) {
+      process.env.ANTHROPIC_BASE_URL = getProxyUrl();
+      console.log(`\n🔀 Claude API requests routed through claude-lb proxy`);
+      console.log(`   Benefits: Centralized monitoring, observability, and multi-provider failover`);
+    } else {
+      console.log(`\n⚡️ Using direct Anthropic API (no proxy)`);
+      console.log(`   To enable monitoring, set ANTHROPIC_API_KEY in secrets`);
+    }
+
     await setupClaudeCodeSettings(
       process.env.INPUT_SETTINGS,
       undefined, // homeDir
@@ -20,7 +34,7 @@ async function run() {
       promptFile: process.env.INPUT_PROMPT_FILE || "",
     });
 
-    await runClaude(promptConfig.path, {
+    await runClaudeWithRetry(promptConfig.path, {
       claudeArgs: process.env.INPUT_CLAUDE_ARGS,
       allowedTools: process.env.INPUT_ALLOWED_TOOLS,
       disallowedTools: process.env.INPUT_DISALLOWED_TOOLS,