Claude Code bilingual tutorial series 16: Using AWS Bedrock & Google Vertex AI in GitHub Actions


For enterprise environments, you can use Claude Code GitHub Actions with your own cloud infrastructure. This approach gives you control over data residency and billing while maintaining the same functionality.

1. Prerequisites

Before setting up Claude Code GitHub Actions with cloud providers, you need:

1.1 For Google Cloud Vertex AI:

A Google Cloud Project with Vertex AI enabled

Workload Identity Federation configured for GitHub Actions

A service account with the required permissions

A GitHub App (recommended), or use the default GITHUB_TOKEN

1.2 For AWS Bedrock:

An AWS account with Amazon Bedrock enabled

GitHub OIDC Identity Provider configured in AWS

An IAM role with Bedrock permissions

A GitHub App (recommended), or use the default GITHUB_TOKEN

2. Create a custom GitHub App (Recommended for 3P Providers)

For best control and security when using 3P providers like Vertex AI or Bedrock, we recommend creating your own GitHub App:

2.1 Go to github.com/settings/ap…

2.2 Fill in the basic information:

GitHub App name: Choose a unique name (e.g., “YourOrg Claude Assistant”)

Homepage URL: Your organization’s website or the repository URL

2.3 Configure the app settings:

Webhooks: Uncheck “Active” (not needed for this integration)

2.4 Set the required permissions:

Repository permissions:

Contents: Read & Write

Issues: Read & Write

Pull requests: Read & Write

2.5 Click “Create GitHub App”

2.6 After creation, click “Generate a private key” and save the downloaded .pem file

2.7 Note your App ID from the app settings page

2.8 Install the app to your repository:

From your app’s settings page, click “Install App” in the left sidebar

Select your account or organization

Choose “Only select repositories” and select the specific repository

Click “Install”

2.9 Add the private key as a secret to your repository:

Go to your repository’s Settings → Secrets and variables → Actions

Create a new secret named APP_PRIVATE_KEY with the contents of the .pem file

2.10 Add the App ID as a secret:

Create a new secret named APP_ID with your GitHub App’s ID

This app will be used with the actions/create-github-app-token action to generate authentication tokens in your workflows.

Alternative, for the Claude API or if you don’t want to set up your own GitHub App: use the official Anthropic app:

Install from: github.com/apps/claude

No additional configuration needed for authentication

3. Configure cloud provider authentication

Choose your cloud provider and set up secure authentication:

3.1 For AWS Bedrock

Configure AWS to allow GitHub Actions to authenticate securely without storing credentials.

Required Setup:

3.1.1 Enable Amazon Bedrock:

Request access to Claude models in Amazon Bedrock

For cross-region models, request access in all required regions

3.1.2 Set up GitHub OIDC Identity Provider:

Provider URL: token.actions.githubusercontent.com

Audience: sts.amazonaws.com

3.1.3 Create IAM Role for GitHub Actions:

Trusted entity type: Web identity

Identity provider: token.actions.githubusercontent.com

Permissions: AmazonBedrockFullAccess policy

Configure trust policy for your specific repository

Required Values:

After setup, you’ll need:

AWS_ROLE_TO_ASSUME: The ARN of the IAM role you created

OIDC is more secure than using static AWS access keys because credentials are temporary and automatically rotated.

3.2 For Google Vertex AI

Configure Google Cloud to allow GitHub Actions to authenticate securely without storing credentials.

Required Setup:

3.2.1 Enable APIs in your Google Cloud project:

IAM Credentials API

Security Token Service (STS) API

Vertex AI API

3.2.2 Create Workload Identity Federation resources:

Create a Workload Identity Pool

Add a GitHub OIDC provider with:

Issuer: token.actions.githubusercontent.com

Attribute mappings for repository and owner

Security recommendation: Use repository-specific attribute conditions

3.2.3 Create a Service Account:

Grant only the Vertex AI User role

Security recommendation: Create a dedicated service account per repository

3.2.4 Configure IAM bindings:

Allow the Workload Identity Pool to impersonate the service account

Security recommendation: Use repository-specific principal sets

Required Values:

After setup, you’ll need:

GCP_WORKLOAD_IDENTITY_PROVIDER: The full provider resource name

GCP_SERVICE_ACCOUNT: The service account email address

Workload Identity Federation eliminates the need for downloadable service account keys, improving security.
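The two "configure for your specific repository" recommendations above (the IAM trust policy in 3.1.3, and the attribute condition and principal set in 3.2.2/3.2.4) are where the security of this setup actually lives: GitHub mints an OIDC token for every workflow run in every repository on github.com, and only these conditions decide whose token your cloud role accepts. The following Python is an added example, not code from the tutorial or from Anthropic, AWS or Google. It models that decision for both providers over constructed token claims, contrasting a trust policy that only pins the audience with one that also pins the repository in the sub claim. The account number 123456789012, the pool name github-pool, the repository names and the token claims are placeholders; the evaluation is a simplified model of IAM and Workload Identity Federation (no Deny statements, plain equality instead of CEL), written to show the general rule rather than one repository.

```python
# Added example (not the tutorial's code): a simplified model of the repository-
# scoping decisions behind 3.1.3 (AWS trust policy) and 3.2.2/3.2.4 (Google WIF).
from fnmatch import fnmatchcase

# Constructed sample of the claims in a GitHub Actions OIDC token. The real token
# is a signed JWT; 'sub' has the form "repo:<owner>/<repo>:<ref or environment>".
TOKEN_FROM_OUR_REPO = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo",
}
# Same issuer and audience, but minted for a different repository.
TOKEN_FROM_OTHER_REPO = {
    **TOKEN_FROM_OUR_REPO,
    "sub": "repo:other-org/other-repo:ref:refs/heads/main",
    "repository": "other-org/other-repo",
}

# --- AWS: IAM role trust policy (3.1.3) --------------------------------------
OIDC_PROVIDER_ARN = ("arn:aws:iam::123456789012:oidc-provider/"  # placeholder account
                     "token.actions.githubusercontent.com")
AUD_KEY = "token.actions.githubusercontent.com:aud"
SUB_KEY = "token.actions.githubusercontent.com:sub"

def _trust_policy(conditions):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": conditions,
    }]}

# Weak: only the audience is pinned, so a token from any GitHub repository passes.
WEAK_TRUST_POLICY = _trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}})
# Hardened: audience plus a 'sub' pattern limited to one repository.
HARDENED_TRUST_POLICY = _trust_policy({
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:example-org/example-repo:*"},
})

def _condition_holds(operator, key, expected, claims):
    # IAM condition keys for an OIDC provider are "<provider host>:<claim name>".
    actual = claims.get(key.split(":", 1)[1])
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in values
    if operator == "StringLike":  # IAM's '*' and '?' wildcards map onto fnmatch's
        return any(fnmatchcase(actual, pattern) for pattern in values)
    raise ValueError(f"operator {operator} not modelled here")

def trust_policy_allows(policy, claims):
    """Simplified IAM evaluation: some Allow statement for AssumeRoleWithWebIdentity
    from our provider has every condition satisfied by the token (no Deny modelled)."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
                and stmt["Principal"].get("Federated") == OIDC_PROVIDER_ARN
                and all(_condition_holds(op, key, exp, claims)
                        for op, pairs in stmt.get("Condition", {}).items()
                        for key, exp in pairs.items())):
            return True
    return False

# --- Google Cloud: Workload Identity Federation (3.2.2, 3.2.4) ---------------
POOL = "projects/123456789012/locations/global/workloadIdentityPools/github-pool"
# Attribute mapping copies token claims into pool attributes.
ATTRIBUTE_MAPPING = {"google.subject": "sub", "attribute.repository": "repository"}
# Attribute condition (CEL such as assertion.repository == "..." on the real
# provider; a plain equality here): tokens that fail it never reach IAM.
ALLOWED_REPOSITORY = "example-org/example-repo"
# Repository-specific principal set to bind to roles/iam.workloadIdentityUser on
# the service account, instead of granting the whole pool.
BINDING_MEMBER = (f"principalSet://iam.googleapis.com/{POOL}"
                  f"/attribute.repository/{ALLOWED_REPOSITORY}")

def wif_attributes(claims):
    """Attributes the pool exposes for this token, or None if the condition rejects it."""
    attrs = {attr: claims.get(claim) for attr, claim in ATTRIBUTE_MAPPING.items()}
    return attrs if attrs["attribute.repository"] == ALLOWED_REPOSITORY else None

def binding_matches(member, attrs):
    """Does a principalSet member cover these attributes? Repository values contain
    '/', so the attribute name is split off only at the first slash."""
    prefix = f"principalSet://iam.googleapis.com/{POOL}/"
    if attrs is None or not member.startswith(prefix):
        return False
    attribute, value = member[len(prefix):].split("/", 1)
    return attrs.get(attribute) == value
```

Run against the two sample tokens, WEAK_TRUST_POLICY accepts both (the audience check alone only proves the token was requested for sts.amazonaws.com, which any workflow can do), while HARDENED_TRUST_POLICY accepts only the token whose sub starts with repo:example-org/example-repo:. On the Google side the attribute condition drops the foreign token before IAM sees it, and the attribute.repository principal set means that even a token that passed the condition would still need to match the bound repository. When you write the real trust policy, keep the StringLike pattern as narrow as your workflows need; a pattern ending in :* allows every branch, tag and environment of that repository.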

4. Add Required Secrets

Add the following secrets to your repository (Settings → Secrets and variables → Actions):

4.1 For Claude API (Direct):

4.1.1 For API Authentication:

ANTHROPIC_API_KEY: Your Claude API key from console.anthropic.com

4.1.2 For GitHub App (if using your own app):

APP_ID: Your GitHub App’s ID

APP_PRIVATE_KEY: The private key (.pem) content

4.2 For Google Cloud Vertex AI

4.2.1 For GCP Authentication:

GCP_WORKLOAD_IDENTITY_PROVIDER

GCP_SERVICE_ACCOUNT

4.2.2 For GitHub App (if using your own app):

APP_ID: Your GitHub App’s ID

APP_PRIVATE_KEY: The private key (.pem) content

4.3 For AWS Bedrock

4.3.1 For AWS Authentication:

AWS_ROLE_TO_ASSUME

4.3.2 For GitHub App (if using your own app):

APP_ID: Your GitHub App’s ID

APP_PRIVATE_KEY: The private key (.pem) content

5. Create workflow files

Create GitHub Actions workflow files that integrate with your cloud provider. The examples below show complete configurations for both AWS Bedrock and Google Vertex AI:

5.1 AWS Bedrock workflow

5.1.1 Prerequisites:

AWS Bedrock access enabled with Claude model permissions

GitHub configured as an OIDC identity provider in AWS

IAM role with Bedrock permissions that trusts GitHub Actions

5.1.2 Required GitHub secrets:

The following three secrets are needed:

1. AWS_ROLE_TO_ASSUME: ARN of the IAM role for Bedrock access

2. APP_ID: Your GitHub App ID (from app settings)

3. APP_PRIVATE_KEY: The private key you generated for your GitHub App

name: Claude PR Action

permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]

jobs:
  claude-pr:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
    runs-on: ubuntu-latest
    env:
      AWS_REGION: us-west-2
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: us-west-2

      - uses: anthropics/claude-code-action@v1
        with:
          github_token: ${{ steps.app-token.outputs.token }}
          use_bedrock: "true"
          claude_args: '--model us.anthropic.claude-sonnet-4-5-20250929-v1:0 --max-turns 10'

The model ID format for Bedrock includes the region prefix (e.g., us.anthropic.claude...) and a version suffix.

5.2 Google Vertex AI workflow

5.2.1 Prerequisites:

Vertex AI API enabled in your GCP project

Workload Identity Federation configured for GitHub

Service account with Vertex AI permissions

5.2.2 Required GitHub secrets:

The following four secrets are needed:

GCP_WORKLOAD_IDENTITY_PROVIDER: Workload identity provider resource name

GCP_SERVICE_ACCOUNT: Service account email with Vertex AI access

APP_ID: Your GitHub App ID (from app settings)

APP_PRIVATE_KEY: The private key you generated for your GitHub App

name: Claude PR Action

permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]

jobs:
  claude-pr:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - uses: anthropics/claude-code-action@v1
        with:
          github_token: ${{ steps.app-token.outputs.token }}
          trigger_phrase: "@claude"
          use_vertex: "true"
          claude_args: '--model claude-sonnet-4@20250514 --max-turns 10'
        env:
          ANTHROPIC_VERTEX_PROJECT_ID: ${{ steps.auth.outputs.project_id }}
          CLOUD_ML_REGION: us-east5
          VERTEX_REGION_CLAUDE_3_7_SONNET: us-east5

The project ID is automatically retrieved from the Google Cloud authentication step, so you don’t need to hardcode it.