Describe the bug
When using use_bedrock: "true" with AWS static keys, tag mode (triggered by @claude mention in issue_comment) consistently fails with a validateHeaders error, while agent mode (triggered by prompt input on issues event) succeeds with the exact same action version, SDK version, and configuration.
The error is thrown from the Agent SDK's sdk.mjs — the base Anthropic() client's validateHeaders requires x-api-key or authorization header, but Bedrock uses AWS SigV4 which provides neither.
Root cause analysis
The SDK uses different code paths for tag mode vs agent mode:
- Agent mode:
write(string) — direct prompt write → works
- Tag mode:
streamInput(AsyncIterable) → for await loop → readMessages() with exitError check → throws immediately when CLI exits with auth error
We believe both modes hit a Bedrock auth issue in the CLI subprocess, but agent mode handles/recovers from it differently, while tag mode's exitError check (added in SDK 0.2.92) causes an immediate crash.
Evidence
Timeline (2026-04-09, same workflow, same v1.0.89 + SDK 0.2.92)
| Time (UTC) |
Job |
Mode |
Result |
| 04:56 |
claude-issue-command |
tag |
✅ success |
| 07:41 |
claude-issue-command |
tag |
✅ success |
| 09:07 |
claude-issue-command |
tag |
✅ success |
| 10:08 |
claude-issue-command |
tag |
❌ failure |
| 10:54 |
claude-issue-command |
tag |
❌ failure |
| 12:08 |
claude-issue-command |
tag (v1.0.91) |
❌ failure |
| 12:12 |
claude-issue-command |
tag (v1.0.91) |
❌ failure |
| 12:45 |
claude-issue-command |
tag (v1.0.91) |
❌ failure |
Agent mode control test (same settings, same v1.0.91)
We created a test job with identical configuration to claude-issue-command (same --allowedTools, REPO_ACCESS_TOKEN env, contents: write permissions, repos/ cache) but triggered via issues event with prompt input (agent mode):
| Time (UTC) |
Job |
Mode |
Result |
| 12:52 |
auto-draft-on-open |
agent (v1.0.91) |
✅ success |
| 13:13 |
test-bedrock-agent-mode |
agent (v1.0.91) |
✅ success |
Same action version, same SDK, same AWS credentials, same settings — only the mode differs.
Ruled out
- ❌ CLI auto-update: CLI version is hardcoded (
2.1.92 in v1.0.89, 2.1.97 in v1.0.91)
- ❌ Runner image change: both runs used
ubuntu24/20260329.72, runner 2.333.1
- ❌ npm registry update: no new
@anthropic-ai/sdk or claude-agent-sdk published in the critical window
- ❌ Workflow config difference: SDK options dump is identical between success and failure runs
Error log
Failure occurs ~2 seconds after SDK options are printed (before CLI init):
SDK execution error: 53 | new Anthropic({ apiKey, dangerouslyAllowBrowser: true });
54 | ... validateHeaders({values:$,nulls:X}){
if($.get("x-api-key")||$.get("authorization"))return;
...
throw Error('Could not resolve authentication')
}
##[error]Action failed with error: SDK execution error: Error: Claude Code process exited with code 1
at J (.../node_modules/@anthropic-ai/claude-agent-sdk/sdk.mjs:58:10059)
To Reproduce
- Configure workflow with
use_bedrock: "true" and AWS static keys
- Trigger via
issue_comment event containing @claude (tag mode)
- Observe
validateHeaders error within seconds of startup
Expected behavior
Tag mode should work with Bedrock auth, same as agent mode.
Workflow yml file
- name: Run Claude Code
uses: anthropics/claude-code-action@v1.0.91
env:
REPO_ACCESS_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
with:
use_bedrock: "true"
claude_args: '--model us.anthropic.claude-sonnet-4-6 --allowedTools "Bash(git *),Bash(gh *)"'
show_full_output: "true"
track_progress: "true"
prompt: |
...API Provider
Additional context
Describe the bug
When using
use_bedrock: "true"with AWS static keys, tag mode (triggered by@claudemention inissue_comment) consistently fails with avalidateHeaderserror, while agent mode (triggered bypromptinput onissuesevent) succeeds with the exact same action version, SDK version, and configuration.The error is thrown from the Agent SDK's
sdk.mjs— the baseAnthropic()client'svalidateHeadersrequiresx-api-keyorauthorizationheader, but Bedrock uses AWS SigV4 which provides neither.Root cause analysis
The SDK uses different code paths for tag mode vs agent mode:
write(string)— direct prompt write → worksstreamInput(AsyncIterable)→for awaitloop →readMessages()withexitErrorcheck → throws immediately when CLI exits with auth errorWe believe both modes hit a Bedrock auth issue in the CLI subprocess, but agent mode handles/recovers from it differently, while tag mode's
exitErrorcheck (added in SDK 0.2.92) causes an immediate crash.Evidence
Timeline (2026-04-09, same workflow, same v1.0.89 + SDK 0.2.92)
Agent mode control test (same settings, same v1.0.91)
We created a test job with identical configuration to
claude-issue-command(same--allowedTools,REPO_ACCESS_TOKENenv,contents: writepermissions,repos/cache) but triggered viaissuesevent withpromptinput (agent mode):Same action version, same SDK, same AWS credentials, same settings — only the mode differs.
Ruled out
2.1.92in v1.0.89,2.1.97in v1.0.91)ubuntu24/20260329.72, runner2.333.1@anthropic-ai/sdkorclaude-agent-sdkpublished in the critical windowError log
Failure occurs ~2 seconds after SDK options are printed (before CLI
init):To Reproduce
use_bedrock: "true"and AWS static keysissue_commentevent containing@claude(tag mode)validateHeaderserror within seconds of startupExpected behavior
Tag mode should work with Bedrock auth, same as agent mode.
Workflow yml file
API Provider
Additional context