Action fails with "Not Found" when triggered by GitHub Copilot (actor Copilot returns 404 from/users/ API)

[PL-Workleap]

Describe the bug
checkHumanActor crashes with 404 for GitHub Copilot actor, preventing allowed_bots from taking effect.

When a workflow is triggered by the GitHub Copilot SWE agent (Copilot), the action crashes with a Not Found error during the human actor check. GitHub sets GITHUB_ACTOR to Copilot (no [bot] suffix) for Copilot SWE agent-triggered events. The checkHumanActor function in src/github/validation/actor.ts passes this value directly to GET /users/{username}, but GET /users/Copilot returns 404 — there is no resolvable GitHub user under that login.

Critically, this crash happens before the allowed_bots logic is ever consulted, so setting allowed_bots: '*' has no effect. The allowed_non_write_users bypass introduced for this actor works correctly for the checkWritePermissions step, but a separate GET /users/Copilot call in checkHumanActor still crashes the action immediately after.

Note: GET /users/Copilot[bot] does return a valid Bot response, but that identity belongs to the regular GitHub Copilot app (github.com/apps/copilot), not the SWE agent (github.com/apps/copilot-swe-agent). Appending [bot] would resolve to a different app entirely, so this is not the right fix path.

This is a GitHub inconsistency: other bots like dependabot[bot] and github-actions[bot] include the [bot] suffix in GITHUB_ACTOR, but the Copilot SWE agent does not. Since GITHUB_ACTOR is a GitHub-managed environment variable, users cannot override it.

To Reproduce
Steps to reproduce the behavior:

1. Set up a workflow that uses claude-code-action in agent mode (with a prompt input)
2. Configure the workflow to trigger on pull_request events
3. Have a human invoke the GitHub Copilot SWE agent on an existing pull request (e.g. by assigning it or requesting a fix), causing it to push a commit — this fires a synchronize event with GITHUB_ACTOR=Copilot
4. Observe the action run triggered by Copilot

Log
Output from a failing run:

Auto-detected mode: agent for event: pull_request
Using provided GITHUB_TOKEN for authentication
Checking permissions for actor: Copilot
Warning: ⚠️ SECURITY WARNING: Bypassing write permission check for Copilot due to allowed_non_write_users configuration.
Mode: agent
Trigger result: true
Preparing with mode: agent for event: pull_request
GET /users/Copilot - 404 in 193ms
Error: Action failed with error: Not Found - https://docs.github.com/rest
Error: Process completed with exit code 1.

Expected behavior
When allowed_bots: '*' (or allowed_bots: 'Copilot') is configured, the action should recognize Copilot as a bot actor and proceed through the allowed_bots check without crashing. Currently, the allowed_bots logic is unreachable because the action throws before getting there.

Workflow yml file

- uses: anthropics/claude-code-action@v1
  with:
    allowed_bots: '*'
    allowed_non_write_users: 'Copilot'
    # ... other inputs

API Provider

[x] Anthropic First-Party API (default)
[ ] AWS Bedrock
[ ] GCP Vertex

Additional context

• anthropics/claude-code-action@v1
• Actor: Copilot (GitHub Copilot SWE agent — https://github.com/apps/copilot-swe-agent)
• Event: pull_request / synchronize
• GET /users/Copilot → 404 (verified via gh api /users/Copilot)
• GET /users/Copilot[bot] → 200, type: Bot, but maps to github.com/apps/copilot (different app)
• GET /users/copilot-swe-agent[bot] → 200, type: Bot, maps to github.com/apps/copilot-swe-agent (correct app, but not the value GitHub sets in GITHUB_ACTOR)