feat(provider): Add Pi provider support across runtime and action

Thread provider selection through config, CLI, SDK, and GitHub Action flows so runs can target Claude or Pi consistently with provider-aware auth and telemetry.\n\nAdd provider-specific tool policy defaults for the core loop (including Pi write/shell tools), update output metadata, and expand regression coverage for provider behavior and wiring.

Co-Authored-By: GPT-5 Codex <noreply@anthropic.com>

Author: dcramer

action.yml

@@ -7,6 +7,9 @@ branding:
   color: 'purple'
 
 inputs:
+  provider:
+    description: 'Provider to use (claude or pi). Overrides WARDEN_PROVIDER when set.'
+    required: false
   anthropic-api-key:
     description: 'Anthropic API key (sk-ant-...) or OAuth token. Can also be set via ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN env vars.'
     required: false
@@ -61,6 +64,7 @@ runs:
   using: 'composite'
   steps:
     - name: Install Claude Code CLI
+      if: ${{ inputs.provider != 'pi' && env.WARDEN_PROVIDER != 'pi' }}
       shell: bash
       run: |
         CLAUDE_CODE_VERSION="2.1.32"
@@ -84,6 +88,7 @@ runs:
       id: warden
       shell: bash
       env:
+        INPUT_PROVIDER: ${{ inputs.provider }}
         INPUT_ANTHROPIC_API_KEY: ${{ inputs.anthropic-api-key }}
         INPUT_GITHUB_TOKEN: ${{ inputs.github-token }}
         INPUT_CONFIG_PATH: ${{ inputs.config-path }}
@@ -93,5 +98,6 @@ runs:
         INPUT_REQUEST_CHANGES: ${{ inputs.request-changes }}
         INPUT_FAIL_CHECK: ${{ inputs.fail-check }}
         INPUT_PARALLEL: ${{ inputs.parallel }}
+        WARDEN_PROVIDER: ${{ inputs.provider || env.WARDEN_PROVIDER }}
         CLAUDE_CODE_PATH: ${{ env.HOME }}/.local/bin/claude
       run: node ${{ github.action_path }}/dist/action/index.js

src/action/fix-evaluation/judge.ts

@@ -7,6 +7,7 @@ import { emptyUsage } from '../../sdk/usage.js';
 import { FixJudgeVerdictSchema } from './types.js';
 import type { FixJudgeResult } from './types.js';
 import { fetchFileContent, fetchFileLines } from './github.js';
+import type { Provider } from '../../config/schema.js';
 
 export interface FixJudgeInput {
   comment: ExistingComment;
@@ -212,7 +213,8 @@ export async function evaluateFix(
   input: FixJudgeInput,
   context: FixJudgeContext,
   apiKey: string,
-  maxRetries?: number
+  maxRetries?: number,
+  provider: Provider = 'claude'
 ): Promise<FixJudgeResult> {
   const fallback: FixJudgeResult = {
     verdict: { status: 'not_attempted', reasoning: 'Evaluation failed' },
@@ -225,6 +227,7 @@ export async function evaluateFix(
 
   const result = await callHaikuWithTools({
     apiKey,
+    provider,
     prompt,
     schema: FixJudgeVerdictSchema,
     tools: TOOL_DEFINITIONS,

src/action/inputs.test.ts

@@ -38,11 +38,19 @@ describe('parseActionInputs', () => {
       expect(inputs.anthropicApiKey).toBe('');
     });
 
-    it('throws when no auth token is found', () => {
+    it('allows empty auth tokens (validated later by provider)', () => {
       delete process.env['ANTHROPIC_API_KEY'];
       delete process.env['WARDEN_ANTHROPIC_API_KEY'];
       delete process.env['CLAUDE_CODE_OAUTH_TOKEN'];
-      expect(() => parseActionInputs()).toThrow('Authentication not found');
+      const inputs = parseActionInputs();
+      expect(inputs.anthropicApiKey).toBe('');
+      expect(inputs.oauthToken).toBe('');
+    });
+
+    it('parses provider from INPUT_PROVIDER', () => {
+      process.env['INPUT_PROVIDER'] = 'pi';
+      const inputs = parseActionInputs();
+      expect(inputs.provider).toBe('pi');
     });
   });
 

src/action/inputs.ts

@@ -7,14 +7,19 @@
 import { SeverityThresholdSchema } from '../types/index.js';
 import type { SeverityThreshold } from '../types/index.js';
 import { DEFAULT_CONCURRENCY } from '../utils/index.js';
+import type { Provider } from '../config/schema.js';
 
 // -----------------------------------------------------------------------------
 // Types
 // -----------------------------------------------------------------------------
 
 export interface ActionInputs {
+  /** Optional provider override (defaults to config/env) */
+  provider?: Provider;
   /** API key for Anthropic API (empty if using OAuth) */
   anthropicApiKey: string;
+  /** API key for Pi provider */
+  piApiKey?: string;
   /** OAuth token for Claude Code (empty if using API key) */
   oauthToken: string;
   githubToken: string;
@@ -58,31 +63,32 @@ function parseBooleanInput(value: string): boolean | undefined {
   return undefined;
 }
 
+function parseProviderInput(value: string): Provider | undefined {
+  return value === 'claude' || value === 'pi' ? value : undefined;
+}
+
 /**
  * Parse action inputs from the GitHub Actions environment.
  * Throws if required inputs are missing.
  */
 export function parseActionInputs(): ActionInputs {
-  // Check for auth token: supports both API keys and OAuth tokens
+  const providerInput = getInput('provider') || process.env['WARDEN_PROVIDER'] || '';
+  const provider = parseProviderInput(providerInput);
+
+  // Claude auth token: supports both API keys and OAuth tokens
   // Priority: input > WARDEN_ANTHROPIC_API_KEY > ANTHROPIC_API_KEY > CLAUDE_CODE_OAUTH_TOKEN
-  const authToken =
+  const claudeAuthToken =
     getInput('anthropic-api-key') ||
     process.env['WARDEN_ANTHROPIC_API_KEY'] ||
     process.env['ANTHROPIC_API_KEY'] ||
     process.env['CLAUDE_CODE_OAUTH_TOKEN'] ||
     '';
 
-  if (!authToken) {
-    throw new Error(
-      'Authentication not found. Provide an API key via anthropic-api-key input, ' +
-        'ANTHROPIC_API_KEY env var, or OAuth token via CLAUDE_CODE_OAUTH_TOKEN env var.'
-    );
-  }
-
   // Detect token type: OAuth tokens start with 'sk-ant-oat', API keys are other 'sk-ant-' prefixes
-  const isOAuthToken = authToken.startsWith('sk-ant-oat');
-  const anthropicApiKey = isOAuthToken ? '' : authToken;
-  const oauthToken = isOAuthToken ? authToken : '';
+  const isOAuthToken = claudeAuthToken.startsWith('sk-ant-oat');
+  const anthropicApiKey = isOAuthToken ? '' : claudeAuthToken;
+  const oauthToken = isOAuthToken ? claudeAuthToken : '';
+  const piApiKey = process.env['WARDEN_PI_API_KEY'] || '';
 
   const failOnInput = getInput('fail-on');
   const failOn = SeverityThresholdSchema.safeParse(failOnInput).success
@@ -101,7 +107,9 @@ export function parseActionInputs(): ActionInputs {
   const failCheck = parseBooleanInput(getInput('fail-check'));
 
   return {
+    provider,
     anthropicApiKey,
+    piApiKey,
     oauthToken,
     githubToken: getInput('github-token') || process.env['GITHUB_TOKEN'] || '',
     configPath: getInput('config-path') || 'warden.toml',
@@ -129,10 +137,18 @@ export function validateInputs(inputs: ActionInputs): void {
  * Sets appropriate env vars based on token type (API key vs OAuth).
  */
 export function setupAuthEnv(inputs: ActionInputs): void {
+  if (inputs.provider) {
+    process.env['WARDEN_PROVIDER'] = inputs.provider;
+  }
+  if (inputs.piApiKey) {
+    process.env['WARDEN_PI_API_KEY'] = inputs.piApiKey;
+  }
   if (inputs.oauthToken) {
     process.env['CLAUDE_CODE_OAUTH_TOKEN'] = inputs.oauthToken;
   } else {
-    process.env['WARDEN_ANTHROPIC_API_KEY'] = inputs.anthropicApiKey;
-    process.env['ANTHROPIC_API_KEY'] = inputs.anthropicApiKey;
+    if (inputs.anthropicApiKey) {
+      process.env['WARDEN_ANTHROPIC_API_KEY'] = inputs.anthropicApiKey;
+      process.env['ANTHROPIC_API_KEY'] = inputs.anthropicApiKey;
+    }
   }
 }

src/action/triggers/executor.test.ts

@@ -74,7 +74,8 @@ describe('executeTrigger', () => {
     octokit: mockOctokit,
     context: mockContext,
     config: mockConfig,
-    anthropicApiKey: 'test-key',
+    apiKey: 'test-key',
+    provider: 'claude',
     claudePath: '/test/claude',
     globalMaxFindings: 10,
   };

src/action/triggers/executor.ts

@@ -10,6 +10,7 @@ import { Sentry } from '../../sentry.js';
 import { ActionFailedError } from '../workflow/base.js';
 import type { ResolvedTrigger } from '../../config/loader.js';
 import type { WardenConfig } from '../../config/schema.js';
+import type { Provider } from '../../config/schema.js';
 import type { EventContext, SkillReport, SeverityThreshold, ConfidenceThreshold } from '../../types/index.js';
 import type { RenderResult } from '../../output/types.js';
 import type { OutputMode } from '../../cli/output/tty.js';
@@ -43,8 +44,9 @@ export interface TriggerExecutorDeps {
   octokit: Octokit;
   context: EventContext;
   config: WardenConfig;
-  anthropicApiKey: string;
-  claudePath: string;
+  apiKey: string;
+  provider: Provider;
+  claudePath?: string;
   /** Global fail-on from action inputs (trigger-specific takes precedence) */
   globalFailOn?: SeverityThreshold;
   /** Global report-on from action inputs (trigger-specific takes precedence) */
@@ -97,7 +99,7 @@ export async function executeTrigger(
     { op: 'trigger.execute', name: `execute ${trigger.name}` },
     async (span) => {
       span.setAttribute('skill.name', trigger.skill);
-      const { octokit, context, config, anthropicApiKey, claudePath } = deps;
+      const { octokit, context, config, apiKey, claudePath, provider } = deps;
 
       logGroup(`Running trigger: ${trigger.name} (skill: ${trigger.skill})`);
 
@@ -134,7 +136,8 @@ export async function executeTrigger(
           }),
           context: filterContextByPaths(context, trigger.filters),
           runnerOptions: {
-            apiKey: anthropicApiKey,
+            apiKey,
+            provider,
             model: trigger.model,
             maxTurns: trigger.maxTurns,
             batchDelayMs: config.defaults?.batchDelayMs,

src/action/workflow/base.ts

@@ -13,6 +13,8 @@ import { execFileNonInteractive } from '../../utils/exec.js';
 import type { EventContext, SkillReport } from '../../types/index.js';
 import { countSeverity } from '../../triggers/matcher.js';
 import type { TriggerResult } from '../triggers/executor.js';
+import type { Provider, WardenConfig } from '../../config/schema.js';
+import type { ActionInputs } from '../inputs.js';
 
 /**
  * Sentinel error thrown by setFailed() so the top-level catch handler
@@ -187,6 +189,21 @@ export function setWorkflowOutputs(outputs: WorkflowOutputs): void {
   setOutput('summary', outputs.summary);
 }
 
+export function resolveActionProvider(inputs: ActionInputs, config?: WardenConfig): Provider {
+  if (inputs.provider) return inputs.provider;
+  const envProvider = process.env['WARDEN_PROVIDER'];
+  if (envProvider === 'claude' || envProvider === 'pi') return envProvider;
+  const cfgProvider = config?.defaults?.provider;
+  if (cfgProvider === 'claude' || cfgProvider === 'pi') return cfgProvider;
+  return 'claude';
+}
+
+export function getActionProviderApiKey(provider: Provider, inputs: ActionInputs): string {
+  return provider === 'pi'
+    ? (inputs.piApiKey ?? inputs.anthropicApiKey)
+    : inputs.anthropicApiKey;
+}
+
 // -----------------------------------------------------------------------------
 // GitHub API Helpers
 // -----------------------------------------------------------------------------

src/action/workflow/pr-workflow.ts

@@ -48,6 +48,8 @@ import {
   setWorkflowOutputs,
   getAuthenticatedBotLogin,
   writeFindingsOutput,
+  resolveActionProvider,
+  getActionProviderApiKey,
 } from './base.js';
 
 // -----------------------------------------------------------------------------
@@ -148,7 +150,7 @@ async function initializeWorkflow(
   }
 
   // Resolve skills into triggers and match
-  const resolvedTriggers = resolveSkillConfigs(config);
+  const resolvedTriggers = resolveSkillConfigs(config, undefined, inputs.provider);
   const matchedTriggers = resolvedTriggers.filter((t) => matchTrigger(t, context, 'github'));
 
   if (matchedTriggers.length > 0) {
@@ -250,7 +252,9 @@ async function executeAllTriggers(
   inputs: ActionInputs
 ): Promise<TriggerResult[]> {
   const concurrency = config.runner?.concurrency ?? inputs.parallel;
-  const claudePath = await findClaudeCodeExecutable();
+  const provider = resolveActionProvider(inputs, config);
+  const apiKey = getActionProviderApiKey(provider, inputs);
+  const claudePath = provider === 'claude' ? await findClaudeCodeExecutable() : undefined;
 
   // Global semaphore gates file-level work across all triggers.
   // All triggers launch immediately; the semaphore limits concurrent file analyses.
@@ -264,7 +268,8 @@ async function executeAllTriggers(
         octokit,
         context,
         config,
-        anthropicApiKey: inputs.anthropicApiKey,
+        apiKey,
+        provider,
         claudePath,
         globalFailOn: inputs.failOn,
         globalReportOn: inputs.reportOn,

src/action/workflow/schedule.ts

@@ -26,6 +26,8 @@ import {
   handleTriggerErrors,
   getDefaultBranchFromAPI,
   writeFindingsOutput,
+  resolveActionProvider,
+  getActionProviderApiKey,
 } from './base.js';
 
 // -----------------------------------------------------------------------------
@@ -67,7 +69,9 @@ export async function runScheduleWorkflow(
   }
 
   // Find schedule triggers
-  const scheduleTriggers = resolveSkillConfigs(config).filter((t) => t.type === 'schedule');
+  const scheduleTriggers = resolveSkillConfigs(config, undefined, inputs.provider).filter((t) => t.type === 'schedule');
+  const provider = resolveActionProvider(inputs, config);
+  const apiKey = getActionProviderApiKey(provider, inputs);
   if (scheduleTriggers.length === 0) {
     console.log('No schedule triggers configured');
     setOutput('findings-count', 0);
@@ -147,9 +151,10 @@ export async function runScheduleWorkflow(
       const skill = await resolveSkillAsync(resolved.skill, repoPath, {
         remote: resolved.remote,
       });
-      const claudePath = await findClaudeCodeExecutable();
+      const claudePath = provider === 'claude' ? await findClaudeCodeExecutable() : undefined;
       const report = await runSkill(skill, context, {
-        apiKey: inputs.anthropicApiKey,
+        apiKey,
+        provider,
         model: resolved.model,
         maxTurns: resolved.maxTurns,
         batchDelayMs: config.defaults?.batchDelayMs,

src/cli/args.test.ts

@@ -66,6 +66,11 @@ describe('parseCliArgs', () => {
     expect(result.options.config).toBe('./custom.toml');
   });
 
+  it('parses --provider option', () => {
+    const result = parseCliArgs(['--provider', 'pi']);
+    expect(result.options.provider).toBe('pi');
+  });
+
   it('parses --json flag', () => {
     const result = parseCliArgs(['--json']);
     expect(result.options.json).toBe(true);