Agent SDK breaks PR creation in external repositories (regression since v1.0.24) #771

@gilad-clover

Starting with v1.0.24 (when Agent SDK became the default), Claude can no longer create PRs in external repositories when using a GitHub App token via GH_TOKEN. It successfully pushes branches but fails with "repository access limitations" when attempting to create the PR.

Environment

  • Working version: v1.0.21 (Claude Code 2.0.50, no Agent SDK)
  • Broken versions: v1.0.24+ (Claude Code 2.0.74, with Agent SDK)
  • Workflow: Cross-repository automation (main repo → external repo)
  • Authentication: GitHub App token passed via GH_TOKEN environment variable

Steps to Reproduce

  1. Set up workflow with GitHub App authentication:

    - name: Generate GitHub App Token
      uses: actions/create-github-app-token@v1
      id: app-token
      with:
        app-id: ${{ secrets.APP_ID }}
        private-key: ${{ secrets.APP_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}

    - name: Clone external repository
      run: |
        git clone https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/org/external-repo.git /tmp/external-repo

    - name: Run Claude
      uses: anthropics/claude-code-action@v1
      env:
        GH_TOKEN: ${{ steps.app-token.outputs.token }}

  2. Have Claude create a PR in the external repository:
    cd /tmp/external-repo
    gh pr create --title "..." --body "..."

Expected Behavior (v1.0.21)

  • Claude pushes branch to external repo ✅
  • Claude creates PR in external repo ✅
  • Workflow completes successfully ✅

Actual Behavior (v1.0.24+)

  • Claude pushes branch to external repo ✅
  • Claude fails to create PR with "repository access limitations" ❌
  • Claude reports: "unable to create a PR due to repository access limitations"

Root Cause Analysis

The Agent SDK execution path (introduced in v1.0.24) doesn't properly use the GH_TOKEN environment variable when executing gh pr create commands. The gh CLI falls back to the wrong token (OIDC token for the main repo instead of the App token for external repo).

Key difference in logs:

v1.0.21 (Working):
149 packages installed

No @anthropic-ai/claude-agent-sdk

v1.0.24+ (Broken):
154 packages installed

Timeline

  • November 24, 2025: Working with v1.0.21
  • ~December 11, 2025: Started failing
  • December 25, 2025: Confirmed broken with v1.0.24+

Workaround

Pin to v1.0.21:
uses: anthropics/claude-code-action@v1.0.21

Why This Is Urgent

Users must choose between:

  1. ❌ Stay on v1.0.21 → missing security fix from v1.0.24 (command injection vulnerability)
  2. ❌ Upgrade to v1.0.24+ → lose cross-repository PR creation

The security fix makes this a critical regression that blocks users from getting important patches.

Verification

GitHub App has all required permissions:

  • ✅ Contents: Read and write
  • ✅ Pull requests: Read and write
  • ✅ Issues: Read and write

Token works for:

  • ✅ Cloning external repository
  • ✅ Pushing branches to external repository
  • ❌ Creating PRs in external repository (only fails with Agent SDK)

Additional Context

The gh CLI uses GH_TOKEN with precedence over GITHUB_TOKEN (confirmed in https://cli.github.com/manual/gh_help_environment). The workflow correctly sets GH_TOKEN, but the Agent SDK execution path appears to not propagate this environment variable correctly to the subprocess running gh pr create.

Suggested Fix

Ensure the Agent SDK execution path:

  1. Properly inherits environment variables (especially GH_TOKEN)
  2. Passes them to subprocess executions (like gh commands)
  3. Uses the same environment variable handling as the pre-Agent SDK code path
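
Added example, not part of the original issue and not the action's own code: a shell diagnostic that reports which variable a child process would hand to gh (GH_TOKEN before GITHUB_TOKEN, the order the issue cites) plus a short SHA-256 fingerprint, so the workflow step and the agent's subprocess can be compared without printing the token. The function names and token values are constructed, and credentials gh may have stored on disk are not covered.

```shell
#!/bin/sh
# Script evaluated inside the child process. It prints "<source> <fingerprint>"
# and never the token itself. Order follows gh's documented precedence.
REPORT='
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256; }
if [ -n "${GH_TOKEN:-}" ]; then src=GH_TOKEN; tok=$GH_TOKEN
elif [ -n "${GITHUB_TOKEN:-}" ]; then src=GITHUB_TOKEN; tok=$GITHUB_TOKEN
else echo "none -"; exit 0; fi
fp=$(printf %s "$tok" | sha256sum | cut -c1-12)
echo "$src $fp"
'

# Run the report through an arbitrary launcher prefix (hypothetical helper),
# e.g. `report_via env -i PATH="$PATH"` for a launcher that passes no environment.
report_via() { "$@" sh -c "$REPORT"; }

# Child that inherits the caller's environment unchanged.
report_inherited() { report_via; }

# Child whose environment lacks GH_TOKEN: a constructed stand-in for a launcher
# that fails to forward it (assumption for illustration only).
report_without_gh_token() { ( unset GH_TOKEN; sh -c "$REPORT" ); }

# Constructed demonstration, run in a subshell so the caller's env is untouched.
demo() {
  (
    GH_TOKEN=constructed-app-token
    GITHUB_TOKEN=constructed-workflow-token
    export GH_TOKEN GITHUB_TOKEN
    echo "workflow step   : $(report_inherited)"
    echo "GH_TOKEN dropped: $(report_without_gh_token)"
  )
}
demo
```

Matching fingerprints in the workflow step and in the agent's subprocess mean the App token arrived; a different source or fingerprint means the subprocess is using another credential.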

Labels: area:permissions; bug (Something isn't working); p1 (Showstopper bug preventing substantial subset of users from using the product, or incorrect docs)