Commit 1deb5e9

chore(deps): bump anthropics/claude-code-action from 1.0.72 to 1.0.77 in the claude-code-action group (#218)
Bumps the claude-code-action group with 1 update: [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action).

Updates `anthropics/claude-code-action` from 1.0.72 to 1.0.77

**Release notes**

*Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).*

> ## v1.0.77
>
> ## Subprocess environment scrubbing for untrusted-input workflows
>
> Workflows that configure `allowed_non_write_users` now automatically get `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1`, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.
>
> **Why:** Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads `$ANTHROPIC_API_KEY` via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.
>
> **What's scrubbed:** Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.
>
> **What's kept:** `GITHUB_TOKEN` / `GH_TOKEN` — so wrapper scripts can still call the GitHub API.
>
> **Opt out:** Set `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0"` at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.
>
> **No action required** for most users — if you've configured `allowed_non_write_users`, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server `env:` config) or use the opt-out.
>
> ## What's Changed
>
> - Auto-set subprocess env scrub when allowed_non_write_users is configured by [`@OctavianGuzu`](https://github.com/OctavianGuzu) in [anthropics/claude-code-action#1093](https://redirect.github.com/anthropics/claude-code-action/pull/1093)
>
> **Full Changelog**: <https://github.com/anthropics/claude-code-action/compare/v1.0.76...v1.0.77>
>
> ## v1.0.76
>
> **Full Changelog**: <https://github.com/anthropics/claude-code-action/compare/v1...v1.0.76>
>
> ## v1.0.75
>
> **Full Changelog**: <https://github.com/anthropics/claude-code-action/compare/v1...v1.0.75>
>
> ## v1.0.74
>
> ## What's Changed
>
> - Restore .claude/ and .mcp.json from PR base branch before CLI runs by [`@km-anthropic`](https://github.com/km-anthropic) in [anthropics/claude-code-action#1066](https://redirect.github.com/anthropics/claude-code-action/pull/1066)
> - Remove redundant git status/diff/log from tag mode allowlist by [`@ddworken`](https://github.com/ddworken) in [anthropics/claude-code-action#1075](https://redirect.github.com/anthropics/claude-code-action/pull/1075)
>
> **Full Changelog**: <https://github.com/anthropics/claude-code-action/compare/v1...v1.0.74>
>
> ## v1.0.73
>
> **Full Changelog**: <https://github.com/anthropics/claude-code-action/compare/v1...v1.0.73>

**Commits**

- [`ff9acae`](https://github.com/anthropics/claude-code-action/commit/ff9acae5886d41a99ed4ec14b7dc147d55834722) Auto-set subprocess env scrub when allowed_non_write_users is configured ([#1093](https://redirect.github.com/anthropics/claude-code-action/issues/1093))
- [`6062f37`](https://github.com/anthropics/claude-code-action/commit/6062f3709600659be5e47fcddf2cf76993c235c2) chore: bump Claude Code to 2.1.81 and Agent SDK to 0.2.81
- [`df37d2f`](https://github.com/anthropics/claude-code-action/commit/df37d2f0760a4b5683a6e617c9325bc1a36443f6) chore: bump Claude Code to 2.1.79 and Agent SDK to 0.2.79
- [`1ba15be`](https://github.com/anthropics/claude-code-action/commit/1ba15be4f0b0c9a026c0c7986668f8f2aa998440) Remove redundant git status/diff/log from tag mode allowlist ([#1075](https://redirect.github.com/anthropics/claude-code-action/issues/1075))
- [`9ddce40`](https://github.com/anthropics/claude-code-action/commit/9ddce40de8c1ab71fb6303a125fdad0968dc1312) Restore .claude/ and .mcp.json from PR base branch before CLI runs ([#1066](https://redirect.github.com/anthropics/claude-code-action/issues/1066))
- [`1b422b3`](https://github.com/anthropics/claude-code-action/commit/1b422b3517b51140e4484faab676c5e68b914866) chore: bump Claude Code to 2.1.78 and Agent SDK to 0.2.77
- [`4c044bb`](https://github.com/anthropics/claude-code-action/commit/4c044bb2f5a63c31e537d600fd3fcfedc92051c0) chore: bump Claude Code to 2.1.77 and Agent SDK to 0.2.77
- See full diff in [compare view](https://github.com/anthropics/claude-code-action/compare/cd77b50d2b0808657f8e6774085c8bf54484351c...ff9acae5886d41a99ed4ec14b7dc147d55834722)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 18bc514 commit 1deb5e9
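
The v1.0.77 release notes describe a parent process that keeps its credentials while the subprocesses it spawns get a scrubbed environment. The following is an added example of that pattern, not code from claude-code-action or Claude Code; the deny list, the function names and the sample environment are assumptions made for illustration.

```python
import os
import subprocess

# Illustrative deny list (an assumption, not Claude Code's actual list).
SCRUB_EXACT = {
    "ANTHROPIC_API_KEY", "CLAUDE_CODE_OAUTH_TOKEN",
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_URL",
    "ACTIONS_RUNTIME_TOKEN", "OTEL_EXPORTER_OTLP_HEADERS",
    "GOOGLE_APPLICATION_CREDENTIALS",
}
SCRUB_PREFIXES = ("AWS_", "AZURE_")
# Kept on purpose, per the release notes, so wrapper scripts can call the GitHub API.
KEEP = {"GITHUB_TOKEN", "GH_TOKEN"}


def scrubbed_env(parent_env):
    """Return a copy of parent_env for a child process, minus credentials."""
    return {
        name: value
        for name, value in parent_env.items()
        if name in KEEP
        or not (name in SCRUB_EXACT or name.startswith(SCRUB_PREFIXES))
    }


def run_child(command, parent_env):
    """Run a shell command with the scrubbed environment; return its stdout."""
    result = subprocess.run(
        ["sh", "-c", command],
        env=scrubbed_env(parent_env),
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed parent environment; every secret value here is fake.
SAMPLE_PARENT_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "ANTHROPIC_API_KEY": "constructed-anthropic-key",
    "AWS_SECRET_ACCESS_KEY": "constructed-aws-secret",
    "ACTIONS_RUNTIME_TOKEN": "constructed-runtime-token",
    "GITHUB_TOKEN": "constructed-github-token",
}


def demo():
    """What shell expansion inside the child sees for three variables."""
    probe = 'printf "%s|%s|%s" "${ANTHROPIC_API_KEY:-}" "${AWS_SECRET_ACCESS_KEY:-}" "${GITHUB_TOKEN:-}"'
    return run_child(probe, SAMPLE_PARENT_ENV)


if __name__ == "__main__":
    print(demo())
```

`GITHUB_TOKEN` still reaches the child, so the job's `permissions:` block remains the control that limits what a subprocess can do with it.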

6 files changed

Lines changed: 7 additions & 7 deletions

.github/workflows/ci-failure-analysis.yml

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ jobs:
3636

3737
steps:
3838
- name: Analyze failure with Claude
39-
uses: anthropics/claude-code-action@cd77b50d2b0808657f8e6774085c8bf54484351c # v1.0.72
39+
uses: anthropics/claude-code-action@ff9acae5886d41a99ed4ec14b7dc147d55834722 # v1.0.77
4040
with:
4141
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
4242
prompt: |
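
Review bot: on the new `uses:` line (39+), the trailing `# v1.0.77` comment is the only thing tying the 40-character SHA to a release, and nothing enforces that the two agree. The commit list in the message shows `ff9acae` as the head of the compare range, which is consistent, but it is worth confirming against the upstream tag before merging, since the same SHA is repeated in all six workflow files.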

.github/workflows/claude-pr-review.yml

Lines changed: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ jobs:
5151
run: npm install -g markdownlint-cli2 prettier
5252

5353
- name: Review PR with Claude
54-
uses: anthropics/claude-code-action@cd77b50d2b0808657f8e6774085c8bf54484351c # v1.0.72
54+
uses: anthropics/claude-code-action@ff9acae5886d41a99ed4ec14b7dc147d55834722 # v1.0.77
5555
with:
5656
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
5757
track_progress: true
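
Review bot: context line 51, `run: npm install -g markdownlint-cli2 prettier`, installs two unpinned packages on the same runner where the next step hands `secrets.CLAUDE_CODE_OAUTH_TOKEN` to the action, so whatever version npm resolves on the day runs beside the review. Pin both to exact versions (`markdownlint-cli2@<version> prettier@<version>`). Separately, the subprocess scrubbing this bump brings in only turns on when `allowed_non_write_users` is configured, and the visible `with:` lines show only `claude_code_oauth_token` and `track_progress`; if this review job runs on PRs from non-write users without that input, the upgrade does not change what its subprocesses can read.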

.github/workflows/claude.yml

Lines changed: 1 addition & 1 deletion
@@ -76,7 +76,7 @@ jobs:
7676

7777
- name: Run Claude Code
7878
id: claude
79-
uses: anthropics/claude-code-action@cd77b50d2b0808657f8e6774085c8bf54484351c # v1.0.72
79+
uses: anthropics/claude-code-action@ff9acae5886d41a99ed4ec14b7dc147d55834722 # v1.0.77
8080
with:
8181
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
8282
use_commit_signing: true

.github/workflows/component-validation.yml

Lines changed: 1 addition & 1 deletion
@@ -66,7 +66,7 @@ jobs:
6666
6767
- name: Validate plugin components
6868
if: steps.changed-files.outputs.has_changes == 'true'
69-
uses: anthropics/claude-code-action@cd77b50d2b0808657f8e6774085c8bf54484351c # v1.0.72
69+
uses: anthropics/claude-code-action@ff9acae5886d41a99ed4ec14b7dc147d55834722 # v1.0.77
7070
id: validate
7171
with:
7272
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

.github/workflows/semantic-labeler.yml

Lines changed: 2 additions & 2 deletions
@@ -39,7 +39,7 @@ jobs:
3939

4040
- name: Label issue with Claude
4141
id: labeler
42-
uses: anthropics/claude-code-action@cd77b50d2b0808657f8e6774085c8bf54484351c # v1.0.72
42+
uses: anthropics/claude-code-action@ff9acae5886d41a99ed4ec14b7dc147d55834722 # v1.0.77
4343
with:
4444
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
4545
prompt: |
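
Review bot: the "Label issue with Claude" step (line 40) is the issue-triage case the v1.0.77 notes single out as exposed to prompt injection, yet the visible `with:` block shows only `claude_code_oauth_token` and `prompt`, with no `allowed_non_write_users`. If that input is not set further down, the automatic `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1` never applies to this job and the bump changes nothing for it. Since `GITHUB_TOKEN` / `GH_TOKEN` are kept in subprocess environments either way, also check that the job's `permissions:` grant no more than labeling needs.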
@@ -102,7 +102,7 @@ jobs:
102102

103103
- name: Label PR with Claude
104104
id: labeler
105-
uses: anthropics/claude-code-action@cd77b50d2b0808657f8e6774085c8bf54484351c # v1.0.72
105+
uses: anthropics/claude-code-action@ff9acae5886d41a99ed4ec14b7dc147d55834722 # v1.0.77
106106
with:
107107
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
108108
prompt: |

.github/workflows/version-check.yml

Lines changed: 1 addition & 1 deletion
@@ -31,7 +31,7 @@ jobs:
3131
fetch-depth: 1
3232

3333
- name: Check version consistency
34-
uses: anthropics/claude-code-action@cd77b50d2b0808657f8e6774085c8bf54484351c # v1.0.72
34+
uses: anthropics/claude-code-action@ff9acae5886d41a99ed4ec14b7dc147d55834722 # v1.0.77
3535
id: version-check
3636
with:
3737
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
