An April 2026 CVSS 9.4 vulnerability demonstrated that crafted PR titles can prompt-inject Claude Code agents running in GitHub Actions and cause them to exfiltrate ANTHROPIC_API_KEY values to attacker-controlled endpoints. The fix is a five-control stack: tool scope allowlists, read-only GITHUB_TOKEN permissions, OIDC secret routing, actor filtering, and script loop caps. Most pipelines have none of these in place.

TL;DR

A researcher's crafted PR title — containing injected instructions — caused Claude Code, Gemini CLI, and GitHub Copilot Agent to leak API credentials through their CI/CD pipelines. The attack required no authentication and no repo access beyond opening a PR.

This guide gives you the copy-paste configuration to close every gap: a scoped --allowedTools flag, a read-only GITHUB_TOKEN, short-lived OIDC credentials instead of long-lived secrets, an actor filter that gates fork PRs, and a --max-turns cap to stop loop injection attacks. Apply all five — none of them is optional.…
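As an added example (not from the original guide), the Python lint below checks the text of a workflow file for the five controls listed above and reports which ones look missing. The regex patterns, the control names and both sample workflows are constructed assumptions; the checks are text heuristics rather than a YAML parse, and the hardened sample omits the step that exchanges the OIDC token for a short-lived credential.

```python
import re

def _read_only(t):
    """A permissions: block exists and no scope except id-token is writable."""
    if not re.search(r"^\s*permissions:", t, re.M) or re.search(r"permissions:\s*write-all", t):
        return False
    writes = re.findall(r"^\s*([\w-]+):\s*write\s*$", t, re.M)
    return all(scope == "id-token" for scope in writes)

# One heuristic text check per control. The patterns are assumptions about how
# each control usually appears in workflow YAML, not an official schema.
CHECKS = {
    "tool_allowlist": lambda t: "--allowedTools" in t,
    "max_turns_cap": lambda t: bool(re.search(r"--max-turns[ =]\d+", t)),
    "read_only_token": _read_only,
    "oidc_not_static_secret": lambda t: (bool(re.search(r"id-token:\s*write", t))
                                         and "secrets.ANTHROPIC_API_KEY" not in t),
    "actor_or_fork_filter": lambda t: bool(re.search(
        r"^\s*if:.*(head\.repo\.fork|head\.repo\.full_name|github\.actor)", t, re.M)),
}

def audit(workflow_text):
    """Return the sorted names of the controls that look missing."""
    t = re.sub(r"#.*", "", workflow_text)  # drop YAML comments first
    return sorted(name for name, ok in CHECKS.items() if not ok(t))

# Constructed sample workflows, trimmed to the relevant keys (not from the page).
WEAK = """\
on: pull_request_target
jobs:
  review:
    steps:
      - run: claude -p "Review this pull request"
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
"""
HARDENED = """\
on: pull_request
permissions:
  contents: read
  id-token: write
jobs:
  review:
    if: github.event.pull_request.head.repo.fork == false
    steps:
      - run: claude -p "Review this pull request" --allowedTools "Read,Grep" --max-turns 5
"""
if __name__ == "__main__":
    print("weak:", audit(WEAK), "| hardened:", audit(HARDENED))
```

An empty result means only that each control's marker text is present; the scope of the allowlist and the value of the turn cap still need a human review.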