Intermittent `validateHeaders` failure with Max-plan OAuth tokens after Pro→Max upgrade

[cmatthews3]

Describe the bug

After upgrading my Claude.ai subscription from Pro to Max, the claude-code-action@v1 consistently fails with Could not resolve authentication credentials from the Anthropic SDK's validateHeaders check, despite the OAuth token being passed correctly. The action receives the token (claude_code_oauth_token: *** visible in logs), OIDC exchange succeeds, GitHub App token is obtained, but the Claude Code subprocess fails immediately at SDK init with both apiKey and authToken null.

This appears to match the symptoms reported in #1126 ("oauthTokenFromFd:void 0, apiKeyFromFd:void 0") but specifically triggered by a Pro→Max plan upgrade rather than version regressions.

Behavior

• Pre-Pro→Max upgrade: action worked reliably across many runs
• Immediately post-upgrade: all runs fail with the same validateHeaders error
• One run worked mid-debugging (issue feat: Support Triggering Claude on Issue Labeled #186 in our repo) — but the very next issue failed again with no config change, suggesting an intermittent/transient component
• Token format confirmed correct: sk-ant-oat01-... from claude setup-token

Reproduction

1. Have a Claude.ai Max subscription (recently upgraded from Pro)
2. Generate a long-lived OAuth token: claude setup-token
3. Add as CLAUDE_CODE_OAUTH_TOKEN GitHub secret
4. Trigger via @claude comment on an issue
5. Action fails with SDK execution error: Error: Claude Code process exited with code 1 and Could not resolve authentication credentials

What I've tried

• ✅ Regenerated token multiple times via claude setup-token (always sk-ant-oat01- prefix)
• ✅ Verified no whitespace in pasted secret value
• ✅ Confirmed claude auth status shows correct Max subscription locally
• ✅ Re-authorized the Claude Code GitHub App for the new Max org
• ✅ Tried token via with: only (per CLAUDE_CODE_OAUTH_TOKEN is cleared between prepare and execute phases, causing authentication failure #676 advice)
• ✅ Tried token via both with: and env: block as workaround
• ✅ Pre-wrote ~/.claude/.credentials.json with token before action runs
• ✅ Confirmed action version is current (@v1 → v1.0.111, SDK 0.2.126, CLI 2.1.126)

Workflow config

- uses: anthropics/claude-code-action@v1
  with:
    claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
    show_full_output: true
    additional_permissions: |
      actions: read
    claude_args: '--allowed-tools "Bash(gh issue:*),Bash(gh label:*),Bash(gh pr:*)" --auto-compact'

Error excerpt

OIDC token successfully obtained
App token successfully obtained
Using GITHUB_TOKEN from OIDC
Successfully fetched issue #162 data
Source branch SHA: ...
... (prompt assembled, branch created) ...
Installing Claude Code v2.1.126...
✔ Claude Code successfully installed!
SDK execution error: 54 | new Anthropic({ apiKey, dangerouslyAllowBrowser: true });
... validateHeaders ... throw Error('Could not resolve authentication credentials')
##[error]Action failed with error: SDK execution error: Error: Claude Code process exited with code 1

The apiKey and authToken are both null inside the new Anthropic({ apiKey, dangerouslyAllowBrowser: true }) call, despite CLAUDE_CODE_OAUTH_TOKEN being set in the env (visible in the action's input dump).

Environment

• Runner: GitHub-hosted ubuntu-24.04
• Action: anthropics/claude-code-action@v1 (SHA fefa07e9c665b7320f08c3b525980457f22f58aa)
• Agent SDK: @anthropic-ai/claude-agent-sdk@0.2.126
• Claude Code CLI: 2.1.126
• Bun: 1.3.6
• Trigger mode: tag (issue_comment with @claude)
• Subscription: Claude.ai Max (upgraded from Pro on 2026-05-03)

Related issues

• v1.0.79: SDK crashes with dangerouslyAllowBrowser error on self-hosted runners #1126 — dangerouslyAllowBrowser / validateHeaders crash (matches our error pattern exactly)
• CLAUDE_CODE_OAUTH_TOKEN is cleared between prepare and execute phases, causing authentication failure #676 — CLAUDE_CODE_OAUTH_TOKEN cleared between phases
• Bedrock validateHeaders error in tag mode (issue_comment + @claude), agent mode works fine #1201 — validateHeaders in tag mode but not agent mode

Why this seems plan-related

The exact same workflow file and secret value worked reliably for weeks pre-upgrade. After upgrading Pro→Max, the token gets reissued under a new organization context (claude auth status shows new orgId), and the action can no longer propagate it to the Claude Code subprocess. Only ANTHROPIC_API_KEY works as a workaround, but that defeats the purpose of OAuth for subscription users.

Happy to provide additional logs or try debug builds.