chore: Update CHANGELOG.md and feed.xml

Use workload identity federation for Claude auth in CI workflows (#61584 )
Replace the static ANTHROPIC_API_KEY secret with Workload Identity Federation inputs in claude.yml, claude-issue-triage.yml, and claude-dedupe-issues.yml. The federation rule, organization, service account, and workspace IDs are read from repository variables.
2026-06-14 17:34:56 +00:00 · 2026-05-23 04:03:45 +00:00 · 2026-05-22 15:55:40 -07:00
5 changed files with 37 additions and 11 deletions
--- a/.github/workflows/claude-dedupe-issues.yml
+++ b/.github/workflows/claude-dedupe-issues.yml
@@ -17,6 +17,8 @@ jobs:
    permissions:
      contents: read
      issues: write
+      # Required to mint the OIDC token exchanged for a Claude API access token (Workload Identity Federation)
+      id-token: write

    steps:
      - name: Checkout repository
@@ -31,7 +33,13 @@ jobs:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          allowed_non_write_users: "*"
          prompt: "/dedupe ${{ github.repository }}/issues/${{ github.event.issue.number || inputs.issue_number }}"
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Authenticate to the Claude API via Workload Identity Federation
+          # (the workflow's OIDC token is exchanged for a short-lived access
+          # token) instead of a static API key.
+          anthropic_federation_rule_id: ${{ vars.ANTHROPIC_FEDERATION_RULE_ID }}
+          anthropic_organization_id: ${{ vars.ANTHROPIC_ORGANIZATION_ID }}
+          anthropic_service_account_id: ${{ vars.ANTHROPIC_SERVICE_ACCOUNT_ID }}
+          anthropic_workspace_id: ${{ vars.ANTHROPIC_WORKSPACE_ID }}
          claude_args: "--model claude-sonnet-4-5-20250929"

      - name: Log duplicate comment event to Statsig
--- a/.github/workflows/claude-issue-triage.yml
+++ b/.github/workflows/claude-issue-triage.yml
@@ -18,6 +18,8 @@ jobs:
    permissions:
      contents: read
      issues: write
+      # Required to mint the OIDC token exchanged for a Claude API access token (Workload Identity Federation)
+      id-token: write

    steps:
      - name: Checkout repository
@@ -34,6 +36,12 @@ jobs:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          allowed_non_write_users: "*"
          prompt: "/triage-issue REPO: ${{ github.repository }} ISSUE_NUMBER: ${{ github.event.issue.number }} EVENT: ${{ github.event_name }}"
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Authenticate to the Claude API via Workload Identity Federation
+          # (the workflow's OIDC token is exchanged for a short-lived access
+          # token) instead of a static API key.
+          anthropic_federation_rule_id: ${{ vars.ANTHROPIC_FEDERATION_RULE_ID }}
+          anthropic_organization_id: ${{ vars.ANTHROPIC_ORGANIZATION_ID }}
+          anthropic_service_account_id: ${{ vars.ANTHROPIC_SERVICE_ACCOUNT_ID }}
+          anthropic_workspace_id: ${{ vars.ANTHROPIC_WORKSPACE_ID }}
          claude_args: |
            --model claude-opus-4-6
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -33,6 +33,12 @@ jobs:
        id: claude
        uses: anthropics/claude-code-action@v1
        with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Authenticate to the Claude API via Workload Identity Federation
+          # (the workflow's OIDC token is exchanged for a short-lived access
+          # token) instead of a static API key.
+          anthropic_federation_rule_id: ${{ vars.ANTHROPIC_FEDERATION_RULE_ID }}
+          anthropic_organization_id: ${{ vars.ANTHROPIC_ORGANIZATION_ID }}
+          anthropic_service_account_id: ${{ vars.ANTHROPIC_SERVICE_ACCOUNT_ID }}
+          anthropic_workspace_id: ${{ vars.ANTHROPIC_WORKSPACE_ID }}
          claude_args: "--model claude-sonnet-4-5-20250929"

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog

+## 2.1.150
+
+- Internal infrastructure improvements (no user-facing changes)
+
 ## 2.1.149

 - `/usage` now shows a per-category breakdown of what's driving your limits usage — skills, subagents, plugins, and per-MCP-server cost
--- a/feed.xml
+++ b/feed.xml
@@ -6,7 +6,14 @@
  <author><name>Anthropic</name></author>
  <link rel="alternate" type="text/html" href="https://github.com/anthropics/claude-code/blob/main/CHANGELOG.md"/>
  <link rel="self" type="application/atom+xml" href="https://raw.githubusercontent.com/anthropics/claude-code/main/feed.xml"/>
-  <updated>2026-05-22T22:09:22Z</updated>
+  <updated>2026-05-23T04:03:45Z</updated>
+  <entry>
+    <id>https://github.com/anthropics/claude-code/releases/tag/v2.1.150</id>
+    <title>Claude Code v2.1.150</title>
+    <link rel="alternate" type="text/html" href="https://github.com/anthropics/claude-code/releases/tag/v2.1.150"/>
+    <updated>2026-05-23T04:03:45Z</updated>
+    <content type="html">&lt;p&gt;• Internal infrastructure improvements (no user-facing changes)&lt;/p&gt;</content>
+  </entry>
  <entry>
    <id>https://github.com/anthropics/claude-code/releases/tag/v2.1.149</id>
    <title>Claude Code v2.1.149</title>
@@ -629,11 +636,4 @@
 &lt;p&gt;• PowerShell tool: bare -- (e.g. git diff -- file) is no longer mis-flagged as the --% stop-parsing token&lt;/p&gt;
 &lt;p&gt;• Fixed Agent SDK hang when the model emits a malformed tool name in a parallel tool call batch&lt;/p&gt;</content>
  </entry>
-  <entry>
-    <id>https://github.com/anthropics/claude-code/releases/tag/v2.1.123</id>
-    <title>Claude Code v2.1.123</title>
-    <link rel="alternate" type="text/html" href="https://github.com/anthropics/claude-code/releases/tag/v2.1.123"/>
-    <updated>2026-05-18T01:52:01Z</updated>
-    <content type="html">&lt;p&gt;• Fixed OAuth authentication failing with a 401 retry loop when CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS=1 is set&lt;/p&gt;</content>
-  </entry>
 </feed>