
@daveio (Owner) commented Jan 22, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by Sourcery

Add GitHub Actions workflows to integrate Claude Code for on-demand assistance via comments and automated code review on pull requests.

New Features:

  • Introduce a Claude Code workflow that runs when @claude is mentioned in issue and pull request comments to perform requested repository actions.
  • Add an automated Claude Code Review workflow that runs on pull request events to provide AI-powered code reviews.

Copilot AI review requested due to automatic review settings January 22, 2026 14:56
@trunk-io bot commented Jan 22, 2026

Merging to main in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@daveio daveio merged commit 00d2016 into main Jan 22, 2026
11 checks passed
@daveio daveio deleted the add-claude-github-actions-1769093779505 branch January 22, 2026 14:56
@sourcery-ai bot commented Jan 22, 2026

Reviewer's Guide

Adds two GitHub Actions workflows to integrate Claude Code into the repository: one for ad-hoc @claude mentions on issues/PRs and one for automatic Claude-powered code review on pull requests.

Sequence diagram for ad-hoc @claude mentions workflow

sequenceDiagram
  actor Developer
  participant GitHub
  participant ClaudeWorkflow as Workflow_Claude_Code
  participant ClaudeJob as Job_claude
  participant Checkout as Checkout_repository
  participant ClaudeAction as Claude_Code_Action
  participant Anthropic as Anthropic_API

  Developer->>GitHub: Create issue, PR comment, or review with @claude
  GitHub-->>GitHub: Emit issue_comment, pull_request_review_comment, pull_request_review, or issues event
  GitHub->>ClaudeWorkflow: Trigger claude.yml workflow
  ClaudeWorkflow-->>ClaudeWorkflow: Evaluate if condition for @claude mention
  ClaudeWorkflow->>ClaudeJob: Start job claude when condition is true
  ClaudeJob->>Checkout: Run actions/checkout@v4
  Checkout-->>ClaudeJob: Repository checked out
  ClaudeJob->>ClaudeAction: Run anthropics/claude-code-action@v1 with claude_code_oauth_token
  ClaudeAction->>Anthropic: Call Claude API with comment and PR/issue context
  Anthropic-->>ClaudeAction: Generated instructions and changes
  ClaudeAction->>GitHub: Create comments, branches, or commits in repo
  GitHub-->>Developer: Display Claude response and changes in PR or issue

Sequence diagram for automatic Claude Code Review on pull requests

sequenceDiagram
  actor Developer
  participant GitHub
  participant ReviewWorkflow as Workflow_Claude_Code_Review
  participant ReviewJob as Job_claude_review
  participant Checkout as Checkout_repository
  participant ClaudeAction as Claude_Code_Action
  participant Anthropic as Anthropic_API

  Developer->>GitHub: Open or update pull request
  GitHub-->>GitHub: Emit pull_request event (opened, synchronize, ready_for_review, reopened)
  GitHub->>ReviewWorkflow: Trigger claude-code-review.yml workflow
  ReviewWorkflow-->>ReviewJob: Start job claude-review
  ReviewJob->>Checkout: Run actions/checkout@v4
  Checkout-->>ReviewJob: Repository checked out
  ReviewJob->>ClaudeAction: Run anthropics/claude-code-action@v1
  ClaudeAction-->>ClaudeAction: Load plugins and prompt for code review
  ClaudeAction->>Anthropic: Request code review for pull request
  Anthropic-->>ClaudeAction: Review results and suggestions
  ClaudeAction->>GitHub: Post review comments to pull request
  GitHub-->>Developer: Show Claude Code Review feedback on PR

File-Level Changes

Change: Introduce a workflow that runs Claude Code when @claude is mentioned in issues or PR-related comments.
  • Configure triggers for issue comments, PR review comments, PR reviews, and issues with @claude in body or title.
  • Gate the workflow job with a conditional expression that checks for @claude in the relevant event payload fields.
  • Define a job that checks out the repo and invokes the anthropics/claude-code-action@v1 with the OAuth token secret and optional settings for additional permissions and customization.
Files: .github/workflows/claude.yml

Change: Add an automatic Claude Code Review workflow that runs on pull request lifecycle events.
  • Set up triggers on pull_request events (opened, synchronize, ready_for_review, reopened) with commented examples for path filters.
  • Define a claude-review job with minimal read permissions and checkout of the repository.
  • Run anthropics/claude-code-action@v1 configured for code review by specifying plugin marketplaces, the code-review plugin, and a prompt that targets the current pull request.
Files: .github/workflows/claude-code-review.yml

@sourcery-ai bot left a comment

We've reviewed this pull request using the Sourcery rules engine

@claude bot commented Jan 22, 2026

PR Review: Add Claude Code GitHub Workflow

I've reviewed this PR and found some issues that should be addressed before merging.

🔴 Critical Issue: Duplicate Workflow Files

This PR adds .yml versions of workflows that already exist in the repository as .yaml files:

New File (this PR)                          Existing File
.github/workflows/claude.yml                .github/workflows/claude.yaml
.github/workflows/claude-code-review.yml    .github/workflows/claude-code-review.yaml

Merging this PR will result in duplicate workflows running for the same events, which could cause:

  • Double comments on PRs and issues
  • Wasted GitHub Actions minutes
  • Potential conflicts or race conditions

Recommendation: Either delete this PR (the functionality already exists), or update it to replace/remove the existing .yaml files.

📋 Comparison with Existing Workflows

The existing .yaml workflows have some advantages over the new .yml files:

Security & Pinning

Aspect            New .yml files                   Existing .yaml files
Actions pinning   Uses @v4, @v1 (mutable tags)     Uses full SHA commits (immutable)
Security          ⚠️ Less secure                   ✅ More secure

Using mutable version tags (@v1, @v4) means the underlying action code could change without you knowing, potentially introducing security vulnerabilities. The existing workflows use pinned SHA commits which is a better security practice.

Permissions

Workflow                 New .yml                            Existing .yaml
claude.yml               pull-requests: read, issues: read   pull-requests: write, issues: write
claude-code-review.yml   pull-requests: read, issues: read   pull-requests: write, issues: write

The new workflows use read permissions while existing ones use write. The write permissions are needed for Claude to:

  • Post comments on PRs and issues

The read permissions in the new files would prevent Claude from commenting.

Model & Tools Configuration

The existing .yaml workflows include explicit model and tool configurations:

claude_args: --model opus --allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"

The new .yml files lack these configurations, which could result in different behavior.

Code Review Trigger Events

Workflow             New .yml                              Existing .yaml
claude-code-review   ready_for_review, reopened included   Only opened, synchronize

The new workflow triggers on more events, though this may or may not be desired.

🔒 Security Concerns

  1. Mutable action tags: Replace @v4 and @v1 with pinned SHA commits (see existing workflows for examples)

  2. Plugin marketplace reference: The new claude-code-review.yml includes:

    plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
    plugins: 'code-review@claude-code-plugins'

    This uses an external plugin that wasn't present in the existing setup. Verify this is intentional and review what this plugin does.

✅ What's Good

  • The PR description is comprehensive and helpful
  • OAuth token is properly stored as a secret
  • The id-token: write permission is included for OIDC authentication

📝 Recommendations

  1. Don't merge as-is — this will create duplicate workflows
  2. Decide on the approach:
    • Option A: Close this PR since functionality already exists
    • Option B: Update this PR to replace the existing .yaml files, incorporating their security improvements (SHA pinning, proper permissions)
  3. If proceeding, pin all GitHub Actions to SHA commits
  4. If proceeding, ensure write permissions for PRs/issues so Claude can comment

This review was generated by Claude Code
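The review above compares the two workflow variants on three points: action references pinned to a tag rather than a commit, the scopes in the `permissions:` block, and a `.yml`/`.yaml` pair that GitHub would run twice. The script below, added here as an example and not part of this PR or of the claude-code-action project, checks a workflow file for exactly those three points using only the standard library (regular expressions rather than a YAML parser, so it only understands the block form of `permissions:`). The two sample workflow texts are constructed for the example; the commit SHAs in them are the ones quoted in the review comments on this page, everything else is illustrative.

```python
"""Audit GitHub Actions workflow files for the points raised in the review:
`uses:` references not pinned to a commit SHA, write scopes in `permissions:`
blocks, and .yml/.yaml pairs that would run twice. Added example, not part of
the PR; it uses regular expressions so it needs only the standard library."""
import re
from pathlib import PurePosixPath

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERM_RE = re.compile(r"^\s*([a-z-]+):\s*(read|write|none)\s*$")


def find_unpinned_uses(workflow_text):
    """Return `uses:` references whose ref after '@' is not a 40-hex commit SHA."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions carry no git ref to pin
        _, _, version = ref.partition("@")
        if not SHA40.match(version):
            unpinned.append(ref)
    return unpinned


def find_permissions(workflow_text):
    """Collect scope -> level from every block-form `permissions:` in the file.
    `permissions: write-all` / `read-all` are recorded under the '*' key;
    the inline map form `permissions: {contents: read}` is not modelled."""
    perms, in_block, block_indent = {}, False, 0
    for line in workflow_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if stripped.startswith("permissions:"):
            rest = stripped[len("permissions:"):].strip()
            if rest in ("write-all", "read-all"):
                perms["*"] = rest.split("-")[0]
            in_block, block_indent = rest == "", indent
            continue
        if in_block and stripped:
            if indent <= block_indent:
                in_block = False  # dedent ends the permissions block
                continue
            m = PERM_RE.match(line)
            if m:
                perms[m.group(1)] = m.group(2)
    return perms


def excess_write_scopes(perms, allowed_write=("id-token",)):
    """Scopes granted write beyond an allowlist (id-token is needed for OIDC)."""
    return sorted(s for s, level in perms.items() if level == "write" and s not in allowed_write)


def find_duplicate_workflows(paths):
    """Pair workflow files that differ only by extension; GitHub runs both."""
    by_stem = {}
    for p in paths:
        pp = PurePosixPath(p)
        if pp.suffix in (".yml", ".yaml"):
            by_stem.setdefault(str(pp.with_suffix("")), []).append(p)
    return sorted(tuple(sorted(v)) for v in by_stem.values() if len(v) > 1)


# Constructed samples modelled on the two variants the review compares; the
# SHAs are the ones quoted in the review comments, the rest is illustrative.
NEW_YML = """\
jobs:
  claude:
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
"""
EXISTING_YAML = """\
jobs:
  claude:
    permissions:
      contents: read
      pull-requests: write
      issues: write
      id-token: write
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
      - uses: anthropics/claude-code-action@a017b830c03e23789b11fb69ed571ea61c12e45c # v1
"""

if __name__ == "__main__":
    for name, text in (("claude.yml", NEW_YML), ("claude.yaml", EXISTING_YAML)):
        perms = find_permissions(text)
        print(name, "unpinned:", find_unpinned_uses(text), "extra write:", excess_write_scopes(perms))
    print("duplicates:", find_duplicate_workflows(
        [".github/workflows/claude.yml", ".github/workflows/claude.yaml", ".github/workflows/ci.yml"]))
```

Run it over a checkout of `.github/workflows/` and any non-empty `unpinned` list is a floating tag; `excess_write_scopes` deliberately allows only `id-token: write`, so the existing `.yaml` files surface `issues` and `pull-requests` for a deliberate decision rather than passing silently.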

Copilot AI left a comment

Pull request overview

This PR adds two new GitHub Actions workflow files (.yml versions) for Claude Code integration. The workflows enable AI-powered code assistance through @claude mentions in issues/PRs and automated code reviews on pull requests. However, there are existing .yaml versions of these workflows already present in the repository with more secure configurations.

Changes:

  • Added .github/workflows/claude.yml for handling @claude mentions in issues and PRs
  • Added .github/workflows/claude-code-review.yml for automated PR code reviews

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 11 comments.

File: .github/workflows/claude.yml
  Description: Defines workflow for triggering Claude Code via @claude mentions, but lacks write permissions and security hardening present in existing .yaml version
File: .github/workflows/claude-code-review.yml
  Description: Defines automated code review workflow using Claude plugins, but lacks write permissions and uses different approach than existing .yaml version


@@ -0,0 +1,44 @@
name: Claude Code Review
Copilot AI Jan 22, 2026

The workflow name has changed from "claude-code-review" (in the existing .yaml file) to "Claude Code Review" (in this new .yml file). This inconsistency in naming conventions may cause confusion when viewing GitHub Actions runs. Consider using consistent naming across both file formats.

Suggested change
name: Claude Code Review
name: claude-code-review


on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
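Review bot: `pull_request` also fires for pull requests opened from forks, and for those GitHub runs the job with a read-only GITHUB_TOKEN and without access to repository secrets, so the step that needs `claude_code_oauth_token` would have nothing to authenticate with; decide whether fork PRs should be skipped explicitly (an `if:` on `github.event.pull_request.head.repo.fork`) rather than left to fail. Everything the review job reads from the PR (title, body, diff) was written by whoever opened it, so it is untrusted input to the agent; and `synchronize` re-runs the review on every push, which is where the extra quota the comment below mentions actually goes.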
Copilot AI Jan 22, 2026

The new .yml workflow includes additional PR trigger types (ready_for_review, reopened) compared to the existing .yaml version which only triggers on opened and synchronize. While these additional triggers may be intentional improvements, they will cause the workflow to run more frequently and consume more API quota. Ensure this increased frequency is desired and necessary.

Suggested change
types: [opened, synchronize, ready_for_review, reopened]
types: [opened, synchronize]

Comment on lines +23 to +24
pull-requests: read
issues: read
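Review bot: before widening these two scopes to `write`, check which credential the action actually uses for comments and pushes. The same permissions block grants `id-token: write`, which the action uses for an OIDC token exchange; if its writes go through the token obtained that way rather than through GITHUB_TOKEN, the read-only scopes here are the correct least-privilege setting and adding `write` only enlarges what a compromised step could do. If the writes do go through GITHUB_TOKEN, then `contents: read` would equally block the branch and commit creation the PR description promises, so the fix would need `contents: write` as well, not only `pull-requests` and `issues`.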
Copilot AI Jan 22, 2026

The permissions are set to read-only for pull-requests and issues, but Claude Code needs write permissions to create comments and interact with the repository. The existing .yaml version of this workflow correctly includes pull-requests: write and issues: write permissions. Without write permissions, Claude won't be able to respond to mentions or perform requested actions.

Suggested change
pull-requests: read
issues: read
pull-requests: write
issues: write

Comment on lines +24 to +25
pull-requests: read
issues: read
Copilot AI Jan 22, 2026

The permissions are set to read-only for pull-requests and issues, but Claude Code needs write permissions to post review comments. The existing .yaml version of this workflow correctly includes pull-requests: write and issues: write permissions. Without write permissions, the code review workflow won't be able to post its findings.

Suggested change
pull-requests: read
issues: read
pull-requests: write
issues: write

@@ -0,0 +1,50 @@
name: Claude Code
Copilot AI Jan 22, 2026

The workflow name has changed from "claude-code" (in the existing .yaml file) to "Claude Code" (in this new .yml file). This inconsistency in naming conventions may cause confusion when viewing GitHub Actions runs. Consider using consistent naming across both file formats.

Suggested change
name: Claude Code
name: claude-code


- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
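Review bot: pin `anthropics/claude-code-action` to a full commit SHA and keep the tag as a trailing comment (`uses: anthropics/claude-code-action@<sha> # v1`) so Dependabot or Renovate can still track updates. Take the SHA from the action's own tag (`git ls-remote --tags https://github.com/anthropics/claude-code-action v1`, or the release page), not from a reviewer's pasted value, and confirm it is the commit you intend: the floating `v1` tag is precisely what allows the action code to change underneath this workflow between runs.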
Copilot AI Jan 22, 2026

Using @v1 as the version tag can be risky as it may point to different commits over time and could introduce breaking changes without warning. The existing .yaml workflow pins to a specific commit hash (a017b830c03e23789b11fb69ed571ea61c12e45c) which is more secure and ensures reproducible builds. Consider pinning to a specific commit SHA instead of using a floating tag.

Suggested change
uses: anthropics/claude-code-action@v1
uses: anthropics/claude-code-action@a017b830c03e23789b11fb69ed571ea61c12e45c

actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4
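Review bot: the same pinning applies to `actions/checkout`, and the suggested replacement below needs a second look before it is accepted: the comment names one commit as the existing file's pin (8e8c483d...) but proposes a different one (b4ffde65...). Whichever SHA is adopted, verify that it resolves to a tagged v4.x release in actions/checkout; a SHA that nobody can map back to a known tag is a worse state than the floating tag, because it is unreviewable and unmaintainable.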
Copilot AI Jan 22, 2026

Using @v4 as a floating tag is less secure than pinning to a specific commit hash. The existing .yaml workflow pins checkout to a specific commit (8e8c483db84b4bee98b60c0593521ed34d9990e8) which ensures reproducible builds and prevents potential security issues from unexpected updates. Consider pinning to a specific commit SHA.

Suggested change
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11


steps:
- name: Checkout repository
uses: actions/checkout@v4
Copilot AI Jan 22, 2026

Using @v4 as a floating tag is less secure than pinning to a specific commit hash. The existing .yaml workflow pins checkout to a specific commit (8e8c483db84b4bee98b60c0593521ed34d9990e8) which ensures reproducible builds and prevents potential security issues from unexpected updates. Consider pinning to a specific commit SHA.

Suggested change
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'
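Review bot: the commented-out `--allowed-tools Bash(gh pr:*)` has the right shape but is too broad, since a `gh pr` prefix also covers `gh pr merge` and `gh pr close`. Enumerate the subcommands the job needs, one `Bash(...)` rule per command prefix as the existing workflow already does (`Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr comment:*)`), and before relying on the single rule with several comma-separated commands that the suggestion below proposes, check in the action's rule syntax that it matches any of those commands at all rather than only the literal string.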
Copilot AI Jan 22, 2026

The new .yml workflow lacks the allowed-tools configuration present in the existing .yaml version. The .yaml version restricts Claude to specific GitHub CLI commands (gh issue view, gh search, gh pr comment, etc.) which limits potential security risks. Without this restriction, Claude may have broader access than intended. Consider adding the claude_args parameter with allowed-tools restrictions.

Suggested change
# claude_args: '--allowed-tools Bash(gh pr:*)'
claude_args: '--allowed-tools Bash(gh issue view,gh search,gh pr comment)'

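The comment above recommends restricting Claude to specific `gh` subcommands, and the review earlier in the thread quotes the rule list the existing workflow uses. The script below is an added example, not code from this PR or from Claude Code itself: it models the two documented rule forms (`Bash(cmd)` allows exactly that command, `Bash(prefix:*)` allows any command starting with the prefix) and evaluates candidate commands against three rule lists: the existing workflow's list, the broad `Bash(gh pr:*)` form, and the single comma-separated rule suggested above. Two points in the model are assumptions rather than documented behaviour: a compound command (`&&`, `||`, `;`, `|`) is allowed only if every segment is, and a comma inside the parentheses is treated as part of one exact-match command.

```python
"""Model of Claude Code's `Bash(...)` allowed-tools rules for --allowed-tools:
`Bash(cmd)` allows exactly that command, `Bash(prefix:*)` allows commands that
start with the prefix. Added example written for this page; a simplified model,
not the action's own matcher (compound-command and comma handling are assumed)."""
import re

RULE_RE = re.compile(r"^Bash\((.*)\)$")
# Split compound commands on shell control operators; each segment is checked alone.
COMPOUND_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def split_top_level(spec):
    """Split a rule list on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in spec:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def parse_rules(spec):
    """Return (pattern, is_prefix) pairs from a comma-separated --allowed-tools value."""
    rules = []
    for raw in split_top_level(spec):
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # only Bash rules are modelled here
        body = m.group(1)
        if body.endswith(":*"):
            rules.append((body[:-2], True))   # prefix rule
        else:
            rules.append((body, False))       # exact-match rule
    return rules


def is_allowed(command, rules):
    """True only if every segment of a (possibly compound) command matches a rule."""
    for segment in (s for s in COMPOUND_RE.split(command) if s.strip()):
        seg = " ".join(segment.split())  # normalise whitespace before matching
        if not any(seg.startswith(p) if prefix else seg == p for p, prefix in rules):
            return False
    return True


def evaluate(commands, rules):
    """Map each candidate command to its allow/deny decision under the rules."""
    return {c: is_allowed(c, rules) for c in commands}


# Rule list quoted from the existing workflow in the review above.
EXISTING_RULES = parse_rules(
    "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),"
    "Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"
)
BROAD_RULES = parse_rules("Bash(gh pr:*)")                                  # commented-out form
SUGGESTED_RULES = parse_rules("Bash(gh issue view,gh search,gh pr comment)")  # single-rule suggestion

if __name__ == "__main__":
    # Constructed candidate commands an agent step might attempt.
    cmds = ["gh pr view 12", "gh pr merge 12 --squash",
            "gh pr view 12 && curl https://example.invalid", "gh issue view 3"]
    for name, rules in (("existing", EXISTING_RULES), ("broad", BROAD_RULES), ("suggested", SUGGESTED_RULES)):
        print(name, evaluate(cmds, rules))
```

Under this model the existing list permits `gh pr view 12` and denies both `gh pr merge` and a chained `curl`, the broad prefix lets `gh pr merge` through, and the comma-separated single rule matches none of the real commands, only the literal string itself; that is the property to confirm against the real matcher before adopting the suggestion.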
Comment on lines +39 to +41
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
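Review bot: `plugin_marketplaces` points at a git URL with no ref, so the `code-review` plugin resolves to whatever that repository's default branch holds at run time, which reintroduces the unpinned-dependency problem that SHA pinning of the `uses:` lines is meant to remove. Pin the marketplace to a commit if the action's input accepts a ref, or vendor the plugin into this repository. The `prompt` interpolation itself is fine, since `github.event.pull_request.number` is numeric and `github.repository` is owner-controlled, but the plugin then reads the PR's own title, body and diff, which are not.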
Copilot AI Jan 22, 2026

The new .yml workflow uses a different approach (plugin_marketplaces and plugins) compared to the existing .yaml version which uses a custom prompt and allowed-tools. The .yaml version provides more explicit guidance about what to review and restricts tools to specific GitHub CLI commands. The plugin-based approach may have different behavior and security implications. Ensure that the code-review plugin provides equivalent or better functionality and security controls.

@@ -0,0 +1,44 @@
name: Claude Code Review

Bug: This PR adds new workflow files (.yml) without removing the old ones (.yaml), which will cause duplicate workflow runs for the same triggers.
Severity: MEDIUM

Suggested Fix

The old workflow files (.github/workflows/claude.yaml and .github/workflows/claude-code-review.yaml) should be deleted as part of this pull request to ensure only the new .yml versions are executed, preventing redundant runs.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.

Location: .github/workflows/claude-code-review.yml#L1

Potential issue: The pull request introduces new GitHub Actions workflow files (`claude.yml`, `claude-code-review.yml`) without removing the old ones (`claude.yaml`, `claude-code-review.yaml`). Since GitHub Actions treats files with different extensions as separate workflows, both the old and new versions will be triggered by the same events (e.g., pull request creation). This will cause duplicate, redundant workflow runs, wasting CI/CD resources. Furthermore, the new `.yml` workflows have different and potentially incorrect configurations compared to the existing `.yaml` files, which could lead to inconsistent behavior or runtime failures.


Comment on lines +22 to +26
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
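Review bot: this is a sound least-privilege block for a job whose writes happen through the token obtained via `id-token: write`; keep `contents: read` unless the action is confirmed to push with GITHUB_TOKEN, and grant `id-token: write` at job level rather than workflow level, since any step in a job holding that scope can mint an OIDC token for the repository. If the claim below that comments require `pull-requests: write` is confirmed by an actual permission-denied failure, widen that one scope only and leave `contents` and `issues` as they are unless the same evidence appears for them.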

Bug: The new workflow files grant only read permissions for pull-requests and issues, but the action requires write permissions to post comments, which will cause runtime failures.
Severity: HIGH

Suggested Fix

In the new workflow files (.github/workflows/claude.yml and .github/workflows/claude-code-review.yml), update the permissions block to grant write access for pull-requests and issues. For example, change pull-requests: read to pull-requests: write.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.

Location: .github/workflows/claude-code-review.yml#L22-L26

Potential issue: The new GitHub Actions workflows (`claude.yml` and `claude-code-review.yml`) are configured with `read` permissions for `pull-requests` and `issues`. However, the action `anthropics/claude-code-action@v1` requires `write` permissions to post comments on pull requests and issues, which is a stated goal of the workflow. When the action attempts to perform a write operation, such as posting a review comment, the workflow will fail with a permission denied error from GitHub Actions. The existing `.yaml` workflows correctly specify `write` permissions, confirming this requirement.

