RepoJournal
Anthropic

@anthropics

Claude SDKs and developer tooling

Pick a date

  1. Fri 1 may
  2. Sat 2 may
  3. Sun 3 may
  4. Mon 4 may
  5. Tue 5 may
  6. Wed 6 may
  7. Thu 7 may
  8. Fri 8 may
  9. Sat 9 may
  10. Sun 10 may
  11. Tue 12 may
  12. Wed 13 may
  13. Thu 14 may
  14. Sat 16 may
  15. Sun 17 may
  16. Tue 19 may
  17. Wed 20 may
  18. Thu 21 may
  19. Sat 23 may
  20. Mon 25 may
  21. Tue 26 may
  22. Thu 28 may
  23. Fri 29 may
  24. Sat 30 may
  25. Sun 31 may
  26. Mon 1 jun
  27. Mon 8 jun
  28. Tue 9 jun
  29. Today 10 jun

The Wire · Showcase

WORKLOAD IDENTITY FEDERATION ROLLS OUT ACROSS PLUGIN ECOSYSTEM

By RepoJournal · Filed · About Anthropic

Static API keys are getting ripped out of GitHub Actions across the plugin suite as Anthropic moves the entire CI/CD auth layer to short-lived tokens.

The migration is orchestrated in three layers: anthropics/claude-plugins-community shipped the core federation inputs [1] that let the scan-plugins action mint GitHub OIDC tokens and exchange them for short-lived bearers without touching a static key. Two dependent repos followed immediately. anthropics/knowledge-work-plugins [2] and anthropics/claude-plugins-official [3] both migrated their scan-plugins workflows to use WIF instead of ANTHROPIC_API_KEY repo secrets, now pinned to the community action's pending merge. anthropics/claude-cookbooks went wider [4], converting all 6 claude-code-action workflows (link-review, model-check, pr-review, lint-format, notebook-quality, notebook-tests) to the same federation pattern in a single commit. All repos now grant id-token: write permissions to their jobs. The federation rule stays pinned to each repository, so leaked tokens are worthless without context. This is the right pattern: no more long-lived keys in GitHub settings, no more audit nightmares when someone has to rotate. On the Rust side, anthropics/buffa landed idiomatic UpperCamelCase enum aliases [5] that let developers write RuleLevel::High instead of RuleLevel::RULE_LEVEL_HIGH while keeping proto names as definitive variants. Small quality-of-life win for generated code.

Action items

References

  1. [1] scan-plugins: add Workload Identity Federation auth inputs ↗ anthropics/claude-plugins-community
  2. [2] ci: migrate scan-plugins.yml to Workload Identity Federation auth (#248) anthropics/knowledge-work-plugins
  3. [3] ci: migrate scan-plugins.yml to Workload Identity Federation auth (#1991) anthropics/claude-plugins-official
  4. [4] ci: migrate claude-code-action workflows to Workload Identity Federation ↗ anthropics/claude-cookbooks
  5. [5] codegen: idiomatic UpperCamelCase enum aliases ↗ anthropics/buffa

FAQ

What changed in Anthropic on May 25, 2026?
Static API keys are getting ripped out of GitHub Actions across the plugin suite as Anthropic moves the entire CI/CD auth layer to short-lived tokens.
What should Anthropic teams do about it?
Merge anthropics/claude-plugins-community#34 to unblock dependent repos • Repin knowledge-work-plugins and claude-plugins-official PRs to main SHA once #34 merges • Review federation rule bindings across all six cookbooks workflows before merge
Which Anthropic repositories shipped on May 25, 2026?
anthropics/claude-plugins-community, anthropics/knowledge-work-plugins, anthropics/claude-plugins-official, anthropics/claude-cookbooks, anthropics/buffa

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.