Skip to content

Add Claude Code GitHub Workflow #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 6, 2025
Merged

Add Claude Code GitHub Workflow #1

merged 2 commits into from
Nov 6, 2025

Conversation

@alirezarezvani
Copy link
Owner

@alirezarezvani alirezarezvani commented Nov 6, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@alirezarezvani alirezarezvani merged commit 9086f02 into main Nov 6, 2025
1 check passed
@alirezarezvani alirezarezvani deleted the add-claude-github-actions-1762417279481 branch November 6, 2025 08:22
@claude
Copy link

claude bot commented Nov 6, 2025

Code Review: Add Claude Code GitHub Workflow

Thank you for setting up the Claude Code integration! This is a well-structured PR that adds two complementary workflows. Here's my detailed review:

Strengths

  1. Clear separation of concerns: Two workflows with distinct purposes

    • claude.yml: Interactive @claude mentions in comments
    • claude-code-review.yml: Automated reviews on PR creation/updates

  2. Good security practices:

    • Using CLAUDE_CODE_OAUTH_TOKEN as a secret
    • Minimal permissions model (read-only access where possible)
    • id-token: write for proper authentication
    • Scoped tool allowlist in code-review workflow

  3. Well-documented: Helpful inline comments explaining optional configurations

  4. Proper GitHub Actions setup:

    • Using latest actions/checkout@v4
    • Appropriate trigger events
    • Shallow fetch (fetch-depth: 1) for performance

🔍 Observations & Recommendations

1. Permissions Discrepancy

Issue: The claude.yml workflow (line 21-26) is missing pull-requests: write permission, but claude-code-review.yml also only has read permissions yet needs to comment on PRs.

Impact: Both workflows may fail when trying to post comments since they need write access to create PR comments.

Recommendation: Add pull-requests: write to both workflows

@claude
Copy link

claude bot commented Nov 6, 2025

🔍 Observations & Recommendations (continued)

2. Potential Recursive Trigger Risk

Issue: In claude.yml (lines 15-19), if Claude posts a comment that contains "@claude", it could potentially trigger itself again.

Impact: Could create an infinite loop of workflow runs.

Recommendation: Add a bot user check to prevent self-triggering.

3. Missing issues: write Permission

Issue: The workflows have issues: read but may need issues: write if Claude needs to comment on issues or update issue descriptions.

Recommendation: Consider adding issues: write if Claude should be able to respond to issue comments.

4. Code Review Workflow Runs on Self-Referential PR

Observation: The claude-code-review.yml workflow will run on this very PR once merged, which could be confusing.

Recommendation: Consider adding a path filter to exclude workflow changes or add a condition to skip reviewing workflow-related PRs.

5. Hardcoded Tool Allowlist

Observation: claude-code-review.yml (line 56) has a specific tool allowlist, but claude.yml has it commented out.

Recommendation: For consistency and security, consider defining an allowlist in claude.yml too.

6. Error Handling

Observation: No explicit error handling or failure notifications.

Recommendation: Consider adding a notification step on failure to alert when the workflow encounters issues.

@claude
Copy link

claude bot commented Nov 6, 2025

🔐 Security Review

Good:

  • Secrets properly referenced
  • Minimal permission model
  • Tool allowlist in code-review workflow

⚠️ Consider:

  • Missing pull-requests: write means workflows can't post comments (potential failure point)
  • No rate limiting or abuse prevention for @claude mentions
  • Consider adding a check for write access to prevent unauthorized users from triggering expensive workflows

Performance Considerations

Good:

  • fetch-depth: 1 minimizes clone time
  • Conditional execution prevents unnecessary runs
  • Scoped triggers (specific event types)

💡 Suggestions:

  • The code-review workflow will run on every PR. Consider adding filters for teams that want to limit scope
  • Consider adding a timeout to prevent long-running workflows (e.g., timeout-minutes: 15)

🧪 Test Coverage

⚠️ Missing: No tests for the workflows themselves.

Recommendation: After merging, consider:

  1. Testing @claude mentions in a test issue
  2. Creating a test PR to verify code-review workflow
  3. Verifying permissions work correctly
  4. Testing the CLAUDE_CODE_OAUTH_TOKEN secret is properly configured

@claude
Copy link

claude bot commented Nov 6, 2025

📋 Summary

Verdict: ✅ Approve with minor changes recommended

This is a solid implementation of Claude Code integration. The main actionable items are:

  1. Critical: Add pull-requests: write permission to both workflows
  2. Important: Add bot self-trigger prevention to claude.yml
  3. Recommended: Add timeout limits and error notifications

The code is well-structured, secure, and follows GitHub Actions best practices. The PR description is excellent and clearly explains the functionality and security model.

🚀 Post-Merge Checklist

  • Verify CLAUDE_CODE_OAUTH_TOKEN secret is set in repository settings
  • Test @claude mention in a comment
  • Create a test PR to verify auto-review functionality
  • Monitor first few workflow runs for issues
  • Update team documentation on how to use @claude

Great work on the implementation! 🎉

Files Reviewed:

  • .github/workflows/claude.yml (50 lines)
  • .github/workflows/claude-code-review.yml (57 lines)

Review completed by Claude Code 🤖

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alirezarezvani