
Add Claude Code dispatch workflow #85

Merged
Helmi merged 1 commit into master from install/claude-code-dispatch
Aug 26, 2025
Helmi (Owner) commented Aug 26, 2025

Summary

  • Add GitHub Actions workflow for Claude Code dispatch functionality
  • Enables remote agent mode for automated code assistance

Test plan

  • Workflow will be triggered via repository_dispatch events
  • Requires appropriate permissions for contents, PRs, and issues

Summary by CodeRabbit

  • Chores
    • Introduced a GitHub Actions workflow named “Claude Code Dispatch” that runs on repository dispatch events.
    • Executes Claude Code in remote-agent mode within a single job on Ubuntu runners.
    • Configures necessary write permissions and shallow repository checkout for efficient runs.
    • Enhances automation and consistency for code-related operations in the pipeline.

coderabbitai bot commented Aug 26, 2025

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Introduces a new GitHub Actions workflow (.github/workflows/claude-dispatch.yml) named “Claude Code Dispatch” that listens to repository_dispatch events (type: claude-dispatch), grants specific write permissions, checks out the repo, and runs anthropics/claude-code-action@eap in remote-agent mode.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI/CD Workflow: Claude dispatch (.github/workflows/claude-dispatch.yml) | Adds a workflow triggered by repository_dispatch (type: claude-dispatch). One job (claude-dispatch) on ubuntu-latest with write permissions for contents, pull-requests, issues, id-token. Steps: checkout (fetch-depth: 1) and run anthropics/claude-code-action@eap in remote-agent mode. |

Sequence Diagram(s)

    sequenceDiagram
        autonumber
        actor Client as External System
        participant GH as GitHub (Repo)
        participant WF as GitHub Actions Runner
        participant Action as claude-code-action (remote-agent)

        Client->>GH: repository_dispatch (type: claude-dispatch)
        GH-->>WF: Trigger workflow "Claude Code Dispatch"
        rect rgb(235, 245, 255)
        note right of WF: Job: claude-dispatch (ubuntu-latest)
        WF->>WF: Checkout repo (fetch-depth: 1)
        WF->>Action: Run anthropics/claude-code-action@eap<br/>mode=remote-agent
        end
        Action-->>WF: Execution result (logs/status)
        WF-->>GH: Job completion (uses write perms as configured)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


📥 Commits

Reviewing files that changed from the base of the PR and between 11d9e32 and d7ee6e9.

📒 Files selected for processing (1)
  • .github/workflows/claude-dispatch.yml (1 hunks)

claude bot commented Aug 26, 2025

Claude finished @Helmi's task


PR Review: Claude Code Dispatch Workflow

Reviewing this PR that adds GitHub Actions workflow for Claude Code dispatch functionality.

Todo List:

  • Read and analyze the workflow file
  • Check code quality and best practices
  • Identify potential bugs or issues
  • Evaluate security concerns
  • Assess performance considerations
  • Check test coverage implications
  • Provide comprehensive review feedback

Code Review Feedback

Strengths

  1. Clean Structure: The workflow follows GitHub Actions best practices with clear naming and organization
  2. Appropriate Trigger: Uses repository_dispatch with specific type filtering (claude-dispatch) which is secure and controlled
  3. Minimal Checkout: Uses fetch-depth: 1 for efficiency
  4. Latest Actions: Uses actions/checkout@v4 which is the current stable version

⚠️ Security & Best Practices Concerns

  1. Overly Broad Permissions - .github/workflows/claude-dispatch.yml:10-14

    permissions:
      contents: write     # ❌ Very broad - allows full repository write access
      pull-requests: write
      issues: write
      id-token: write

    Issue: The contents: write permission is extremely broad and allows Claude to modify any file in the repository, including sensitive ones like workflows, secrets, or configuration files.

    Recommendation: Consider if contents: write is truly needed, or if more restricted permissions would suffice. The existing claude.yml workflow uses only contents: read which is much safer.

  2. Missing Input Validation - .github/workflows/claude-dispatch.yml:21-25

    - name: Run Claude Code
      uses: anthropics/claude-code-action@eap
      with:
        mode: 'remote-agent'

    Issue: The workflow accepts any repository_dispatch event of type claude-dispatch without validating the payload or source.

    Recommendation: Add validation for:

    • Event payload structure
    • Authentication/authorization of the dispatch source
    • Rate limiting considerations

  3. Pre-release Action Version - .github/workflows/claude-dispatch.yml:23

    uses: anthropics/claude-code-action@eap

    Issue: Using @eap (Early Access Program) version in production could introduce instability.

    Recommendation: Consider using a stable version tag like @beta (as used in other workflows) or a specific commit SHA for better stability and security.

🔄 Comparison with Existing Workflows

Your repository already has two Claude Code workflows:

  • claude.yml: Uses @beta version with contents: read (more secure)
  • claude-code-review.yml: Uses @beta version with contents: read for reviews

Inconsistencies:

  1. Version mismatch (@eap vs @beta)
  2. Permission escalation (contents: write vs contents: read)
  3. Missing configuration options that other workflows have

🚀 Performance Considerations

The workflow is lightweight and efficient:

  • ✅ Minimal checkout depth
  • ✅ Single job with focused steps
  • ✅ No unnecessary dependencies

🧪 Test Coverage

Missing: No integration tests or validation for the dispatch functionality. Consider:

  1. Testing the workflow trigger mechanism
  2. Validating remote-agent mode behavior
  3. Testing permission boundaries

🛠️ Recommendations for Improvement

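  1. Reduce Permissions (High Priority):

    permissions:
      contents: read      # Instead of write
      pull-requests: write
      issues: write
      id-token: write

  2. Add Input Validation:

    - name: Validate Dispatch
      env:
        # Pass the payload through the environment instead of expanding it inside the script
        CLIENT_PAYLOAD: ${{ toJSON(github.event.client_payload) }}
      run: |
        # An absent payload serializes to "null" or "{}"
        if [ -z "$CLIENT_PAYLOAD" ] || [ "$CLIENT_PAYLOAD" = "null" ] || [ "$CLIENT_PAYLOAD" = "{}" ]; then
          echo "Error: No payload provided"
          exit 1
        fi

  3. Use Stable Version:

    uses: anthropics/claude-code-action@beta  # Instead of @eap

  4. Add Environment Context:

    with:
      mode: 'remote-agent'
      # Add any necessary configuration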

🎯 Overall Assessment

This is a functional workflow that enables Claude Code dispatch functionality, but it has security concerns that should be addressed before merging. The primary issue is the overly broad contents: write permission which could pose security risks.

Recommendation: Address the permission concerns and align with the security model used in your other Claude workflows before merging.
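
Added example (not part of the PR or of any reviewer's comment): a stdlib-only Python check for the patterns discussed in this thread, namely write-scoped token permissions, action references not pinned to a commit SHA, and `${{ github.event.* }}` expressions expanded inside a `run:` script, which a payload validation step can introduce. The sample workflow is constructed from the walkthrough's description plus a hypothetical validation step; `audit` and the rule names are assumptions of this example.

```python
import re

# Constructed sample: shaped like the workflow described above, plus a hypothetical validation step.
SAMPLE_WORKFLOW = """\
name: Claude Code Dispatch
on:
  repository_dispatch:
    types: [claude-dispatch]
jobs:
  claude-dispatch:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      issues: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Validate Dispatch
        run: |
          [ -n "${{ github.event.client_payload }}" ] || exit 1
      - uses: anthropics/claude-code-action@eap
        with:
          mode: 'remote-agent'
"""

PERM = re.compile(r"^\s+([a-z-]+):\s*write\s*(#.*)?$")        # any scope granted write
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")               # action reference
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")                        # full commit SHA pin
EXPR = re.compile(r"\$\{\{\s*(github\.event\.[^}]*?)\s*\}\}")  # event data expression

def audit(workflow_text):
    """Return (line_no, rule, detail) findings for a workflow given as text."""
    findings, run_indent = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None  # dedent: the run: block has ended
        if m := PERM.match(line):
            findings.append((no, "write-permission", m.group(1)))
        if (m := USES.match(line)) and not SHA_PIN.search(m.group(1)):
            findings.append((no, "unpinned-action", m.group(1)))
        if re.match(r"^\s*-?\s*run:", line):
            run_indent = indent
        if run_indent is not None:  # event data expanded into shell text before it runs
            findings += [(no, "expr-in-run", m.group(1)) for m in EXPR.finditer(line)]
    return findings
```

The check is line-based rather than a YAML parse, so it assumes conventional block-style indentation as in the sample.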


Helmi merged commit ca1820f into master Aug 26, 2025
1 of 2 checks passed
Helmi deleted the install/claude-code-dispatch branch August 26, 2025 12:11