Conversation

@Xerolux
Owner

@Xerolux Xerolux commented Nov 19, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@Xerolux Xerolux merged commit 2462daa into main Nov 19, 2025
1 check passed
@Xerolux Xerolux deleted the add-claude-github-actions-1763574110422 branch November 19, 2025 17:41
@claude

claude bot commented Nov 19, 2025

🔍 Pull Request Review: Add Claude Code GitHub Workflow

Summary

This PR adds two GitHub Actions workflows to enable Claude Code integration for automated code reviews and interactive assistance via @claude mentions.


✅ What Looks Good

  1. Well-structured workflows: Both workflows are cleanly organized with appropriate triggers and conditions
  2. Security-conscious: Uses OAuth token stored as a secret (CLAUDE_CODE_OAUTH_TOKEN)
  3. Minimal permissions: Both workflows follow the principle of least privilege with only necessary permissions
  4. Good documentation: The PR description clearly explains the purpose and usage

🔧 Suggestions for Improvement

1. Permission Inconsistency

The claude-code-review.yml workflow has pull-requests: read but needs pull-requests: write to post comments:

permissions:
  contents: read
  pull-requests: write  # Changed from read to write
  issues: read
  id-token: write

Similarly, claude.yml should have pull-requests: write and issues: write if Claude needs to comment:

permissions:
  contents: read
  pull-requests: write  # Changed from read to write
  issues: write         # Changed from read to write
  id-token: write
  actions: read

2. Consider Adding Concurrency Controls

To prevent multiple Claude instances from running simultaneously on the same PR:

concurrency:
  group: claude-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

3. Add Timeout

Consider adding a timeout to prevent runaway workflows:

jobs:
  claude-review:
    runs-on: ubuntu-latest
    timeout-minutes: 10  # Reasonable timeout for code reviews

4. Branch Protection Consideration

The claude.yml workflow doesn't restrict which branches can trigger it. Consider adding branch filtering if you want to limit Claude's scope.


🔒 Security Considerations

  1. Access Control: The claude.yml workflow triggers on any comment containing @claude. Ensure that the workflow only runs for users with appropriate repository permissions. The action may handle this internally, but it's worth verifying.

  2. Token Scope: Verify that CLAUDE_CODE_OAUTH_TOKEN has the minimum necessary scopes.

  3. Content Trust: Since the claude-code-review.yml uses the PR diff content in its prompt, ensure the action sanitizes inputs appropriately to prevent prompt injection.


📋 Test Coverage

This PR adds workflow configuration files only - no application code changes. Consider:

  • Testing the workflows on a non-production branch first
  • Documenting expected behavior in a CONTRIBUTING.md or similar

🎯 Performance Considerations

  • fetch-depth: 1 is appropriate for these use cases, keeping checkout fast
  • Consider caching strategies if Claude will need to build or analyze large codebases

📝 Minor Suggestions

  1. Consistent naming: Consider renaming claude.yml to claude-assistant.yml for clarity alongside claude-code-review.yml

  2. Add workflow_dispatch: Consider adding manual trigger capability for testing:

    on:
      workflow_dispatch:
      issue_comment:
        types: [created]

Verdict

LGTM with minor suggestions

The core implementation is solid. The permission issue for posting comments should be addressed, but otherwise this is ready to merge. The workflows will enable valuable AI-assisted code review and interactive assistance capabilities.


This review was generated by Claude Code
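An added example, not the repository's own workflow and not code from the review above: a claude.yml that folds the review's points (write permissions where comments are posted, concurrency control, a job timeout, a manual trigger, and a gate on the commenter's repository role) into one file. The action reference and its input name are assumptions; the secret name is the one the review cites.

```yaml
# Added example (not the repo's workflow). Action ref/version and the
# claude_code_oauth_token input name are assumptions; verify against the
# Claude Code action repo before use.
name: Claude Assistant

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  workflow_dispatch:            # manual trigger for testing, as suggested

# Least privilege, but write on the surfaces Claude must comment on.
permissions:
  contents: read
  pull-requests: write
  issues: write
  id-token: write
  actions: read

# One run per issue/PR; a newer @claude mention cancels the in-flight one.
concurrency:
  group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  claude:
    # Access-control gate: only run when the comment mentions @claude AND the
    # commenter is an owner, member or collaborator of this repository, so a
    # drive-by comment cannot start a run that holds the OAuth token.
    # Manual dispatch (no comment payload) is allowed through unconditionally.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      (contains(github.event.comment.body, '@claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
                github.event.comment.author_association))
    runs-on: ubuntu-latest
    timeout-minutes: 10         # bound runaway or stuck runs
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1        # shallow clone keeps checkout fast
      - uses: anthropics/claude-code-action@v1   # assumed action ref
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
```

The `author_association` gate complements, rather than replaces, any permission check the action performs internally; both should be confirmed by triggering a run from a non-collaborator account and checking that the job is skipped in the Actions history.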
