Encountered a "Workflow validation failed" error in a reusable workflow

[kokuyouwind]

Describe the bug

I am using a Claude code action via a reusable workflow.

Around the execution on or after August 12, 1:00 UTC, I started encountering the following error during Exchanging OIDC token for app token: App token exchange failed: 401 Unauthorized - Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.

To Reproduce
Steps to reproduce the behavior:

1. Make reusable workflow at shared_actions repository
2. Make workflow uses 1. at another repository
3. Run 2. workflow

Expected behavior

Successfully Complete execution
(The run on Aug 11, 7:41 UTC completed without issues, as far as I can tell)

Screenshots

Requesting OIDC token...
Attempt 1 of 3...
OIDC token successfully obtained
Exchanging OIDC token for app token...
Attempt 1 of 3...
App token exchange failed: 401 Unauthorized - Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Attempt 1 failed: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Retrying in 5 seconds...
Attempt 2 of 3...
App token exchange failed: 401 Unauthorized - Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Retrying in 10 seconds...
Attempt 2 failed: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Attempt 3 of 3...
App token exchange failed: 401 Unauthorized - Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Attempt 3 failed: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Error: Failed to setup GitHub token: Error: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch..

If you instead wish to use this action with a custom GitHub token or custom GitHub app, provide a `github_token` in the `uses` section of the app in your workflow yml file.
Operation failed after 3 attempts
Error: Process completed with exit code 1.

Workflow yml file

reusable workflow file:

name: Claude Code

on:
  workflow_call:
    inputs:
    secrets:
      anthropic-api-key:
        description: 'Anthropic API Key'
        required: true
      github-app-id:
        description: 'GitHub App ID'
        required: true
      github-app-pem:
        description: 'GitHub App PEM'
        required: true

jobs:
  claude:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: write
      pull-requests: write
      issues: write
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: true

      - name: Create github app token
        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        id: github_app_token
        with:
          app-id: ${{ secrets.github-app-id }}
          private-key: ${{ secrets.github-app-pem }}
          owner: ${{ github.repository_owner }}
          repositories: shared-actions
          permission-contents: read

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@00f9595fb44d49fdc15049286d89247d29a08f2b # beta
        with:
          anthropic_api_key: ${{ secrets.anthropic-api-key }}
          trigger_phrase: '@claude'

workflow uses above (I've replaced the organization name with "myrepos" since it is a private repository belonging to my company.):

name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
  pull_request_review:
    types: [submitted]

jobs:
  claude:
    uses: myrepos/shared-actions/.github/workflows/claude.yml
    secrets:
      anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
      github-app-id: ${{ vars.SHARED_ACTION_GITHUB_APP_ID }}
      github-app-pem: ${{ secrets.SHARED_ACTION_GITHUB_APP_PEM }}

API Provider

[x] Anthropic First-Party API (default)
[ ] AWS Bedrock
[ ] GCP Vertex

[phclark]

Also experiencing this, using AWS Bedrock as a provider. It was previously working as of earlier today. Downgrading to an older version of the action didn't seem to help.

[kokuyouwind]

Based on the error message, it seems the issue is occurring at exchangeForAppToken.

claude-code-action/src/github/token.ts

Lines 19 to 40 in 8b2bd6d

	async function exchangeForAppToken(oidcToken: string): Promise<string> {
	const response = await fetch(
	"https://api.anthropic.com/api/github/github-app-token-exchange",
	{
	method: "POST",
	headers: {
	Authorization: `Bearer ${oidcToken}`,
	},
	},
	);
	if (!response.ok) {
	const responseJson = (await response.json()) as {
	error?: {
	message?: string;
	};
	};
	console.error(
	`App token exchange failed: ${response.status} ${response.statusText} - ${responseJson?.error?.message ?? "Unknown error"}`,
	);
	throw new Error(`${responseJson?.error?.message ?? "Unknown error"}`);
	}

I suspect the specification for POST https://api.anthropic.com/api/github/github-app-token-exchange might have changed. Does anyone know if this is the case?

[awittzb]

I am experiencing the same thing w/ the same conditions as described in the OP. Using the Claude Code GitHub App for auth, with the call chain

1. workflow my-repo/.github/workflows/ai-review.yaml
   ⬇️
2. re-usable workflow my-actions-repo/.github/workflows/reusable-ai-review.yaml@v3
   ⬇️
3. composite action my-actions-repo/claude-review@v3
   ⬇️
4. action anthropics/claude-code-action@beta

Error text for search...

Run bun run ${GITHUB_ACTION_PATH}/src/entrypoints/prepare.ts
Requesting OIDC token...
Attempt 1 of 3...
OIDC token successfully obtained
Exchanging OIDC token for app token...
Attempt 1 of 3...
App token exchange failed: 401 Unauthorized - Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Retrying in 5 seconds...
Attempt 1 failed: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Attempt 2 of 3...
App token exchange failed: 401 Unauthorized - Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Retrying in 10 seconds...
Attempt 2 failed: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Attempt 3 of 3...
App token exchange failed: 401 Unauthorized - Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Attempt 3 failed: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Error: Failed to setup GitHub token: Error: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch..

If you instead wish to use this action with a custom GitHub token or custom GitHub app, provide a `github_token` in the `uses` section of the app in your workflow yml file.
Operation failed after 3 attempts
Error: Process completed with exit code 1.

Workarounds

Local Workflow

If I attempt to use it in my-actions-repo with a "local" workflow, call, i.e.

my-actions-repo/.github/workflows/pr-check.yaml:

jobs:
  claude-review:
    uses: ./.github/workflows/reusable-ai-review.yaml

Then it works. Of course, that only works for the repository that hosts my re-usable Claude Review workflow.

Token Auth

If I switch my claude-review action to invoke anthropics/claude-code-action@beta with my own GitHub token - even the built-in one - instead of relying on the Claude Code GitHub App, e.g.

my-actions-repo/claude-review/action.yaml:

- name: '🤖 Run Claude Review'
  uses: anthropics/claude-code-action@beta
  with:
    ...
    github_token: ${{ inputs.github-token }}

Then, it works. However, the comments are posted by whoever "owns" the token, instead of "Claude". In my case, I used ${{ secrets.GITHUB_TOKEN }} so the comments are posted by github-actions[bot].

HTH!

[scott-hannan]

We are also experiencing this using both reusable workflows and triggering this action in the repo where it lives on pull request. It was working Aug 11 on v0.0.44, we had an automated version bump on Aug 12 to v0.0.45 and I manually tried v0.0.55 and tried downgrading back to v.0.0.44 but that did not fix it.

Not sure if related but right after we are also seeing a failure in the curl that happens here:

claude-code-action/action.yml

Lines 287 to 296 in a80505b

	- name: Revoke app token
	if: always() && inputs.github_token == ''
	shell: bash
	run: |
	curl -L \
	-X DELETE \
	-H "Accept: application/vnd.github+json" \
	-H "Authorization: Bearer ${{ steps.prepare.outputs.GITHUB_TOKEN }}" \
	-H "X-GitHub-Api-Version: 2022-11-28" \
	${GITHUB_API_URL:-https://api.github.com}/installation/token

[ashwin-ant]

Thanks all, we're looking into this. There was a recent change to our backend endpoint to make it stricter with validation to prevent unauthorized tampering of the workflow file. It checks to verify that the workflow being run matches what's on the default branch.

[kokuyouwind]

@ashwin-ant
Thank you for the information!

Regarding the stricter validation, are there any plans to modify it to prevent false positives from occurring in reusable workflows or pull requests to different repositories? Or, for these use cases, should we stop using the GitHub App and switch to individual PATs instead?

[jiaxin-lin]

The workflow for us should be the same on the default branch. It is still facing this issue.

We run the workflow in repo A that calls a reusable workflow in repo B, they are both under the same org. the reusable workflow is under default branch. We started experiencing this yesterday

[ashwin-ant]

We believe we have a fix, will report back once there's more to share!

[ashwin-ant]

We just rolled out a fix for this. Are people still running into this issue?

[phclark]

I'm still seeing the issue

[ashwin-ant]

@phclark can you share more about your workflow setup?

[phclark]

We use Workflows defined in various repositories which leverage a shared action as a wrapper around this action.
The workflows look roughly like:

name: Claude Auto Review

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  auto-review:
    runs-on: our-runners    
    permissions:
      contents: read
      pull-requests: read
      id-token: write
      statuses: read
      checks: read
      actions: read
      
    steps:
    - name: Checkout repository
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        fetch-depth: 1

    - name: Automatic PR Review
      uses: OurOrg/claude-code-action@main
      with:
        model: "us.anthropic.claude-sonnet-4-20250514-v1:0"
        max_turns: "30"
        timeout_minutes: "60"
        direct_prompt: |
          Review this pull request ... <full prompt omitted>

While our shared action.yml file looks like:

name: 'Claude PR Assistant'
description: 'Shared action for Claude PR reviews'
inputs:
  model:
    description: 'Claude model to use'
    required: false
    default: 'us.anthropic.claude-sonnet-4-20250514-v1:0'
  max_turns:
    description: 'Maximum number of turns for Claude interaction'
    required: false
    default: '30'
  timeout_minutes:
    description: 'Timeout in minutes for the action'
    required: false
    default: '60'
  direct_prompt:
    description: 'Direct prompt for Claude (for auto-review scenarios)'
    required: false
    default: ''
  use_sticky_comment:
    description: 'Whether to use sticky comments'
    required: false
    default: 'true'
  additional_permissions:
    description: 'Additional permissions for the action'
    required: false
    default: |
      actions: read
  skip_draft_prs:
    description: 'Skip running Claude on draft PRs'
    required: false
    default: 'true'

runs:
  using: 'composite'
  steps:
    - name: Run Claude PR Action
      uses: anthropics/claude-code-action@a80505bbfb8296afe47872cf5ada5b2034ad8c45
      with:
        use_bedrock: "true"
        model: ${{ inputs.model }}
        max_turns: ${{ inputs.max_turns }}
        timeout_minutes: ${{ inputs.timeout_minutes }}
        use_sticky_comment: ${{ inputs.use_sticky_comment }}
        additional_permissions: ${{ inputs.additional_permissions }}
        claude_env: |
          CLAUDE_CODE_ENABLE_TELEMETRY: "0"
        direct_prompt: ${{ inputs.direct_prompt }}

The actual workflow and action have a few more steps, mainly for observability and opt-in/out configurability within workflows, but removing those don't seem to help. The errors we're seeing are:

Requesting OIDC token...
Attempt 1 of 3...
OIDC token successfully obtained
Exchanging OIDC token for app token...
Attempt 1 of 3...
App token exchange failed: 401 Unauthorized - Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Retrying in 5 seconds...
Attempt 1 failed: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Attempt 2 of 3...
App token exchange failed: 401 Unauthorized - Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Retrying in 10 seconds...
Attempt 2 failed: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Attempt 3 of 3...
App token exchange failed: 401 Unauthorized - Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Attempt 3 failed: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch.
Operation failed after 3 attempts
Error: Failed to setup GitHub token: Error: Workflow validation failed. The workflow file must exist and have identical content to the version on the repository's default branch..

If you instead wish to use this action with a custom GitHub token or custom GitHub app, provide a `github_token` in the `uses` section of the app in your workflow yml file.
Error: Process completed with exit code 1.

[kokuyouwind]

This problem seems to be completely resolved in my case, thanks!