
@cblanc cblanc commented Sep 17, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • New Features

    • Introduced AI-assisted code reviews automatically on pull requests.
    • Enabled on-demand assistance by mentioning @claude in issues and PR review comments.
  • Chores

    • Added CI workflows to run the assistant with least-privilege permissions and secure token handling.
    • Included optional filters to limit when reviews run and examples for customizing prompts and tool access.
    • No impact on application behavior or public APIs.
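
The security bullets in the description above (allowed tools, who can trigger the workflow, what the job's token can do) are the same points the review below argues about. The following is an added example, not part of this PR or of anthropics/claude-code-action: a small regex-based lint that a repository can run over a workflow file before merging it, checking that action refs are pinned to commit SHAs, that a job fed by comment or issue text does not also hold write scopes, that pull_request_target is not combined with a checkout, and that a mention trigger is gated on author_association. It parses only the block layout these workflows use and deliberately avoids a YAML dependency. The sample workflow text at the bottom is a constructed approximation of `.github/workflows/claude.yml`, not a verbatim copy; CHECKOUT_SHA is the commit the review thread proposes for actions/checkout v4, ACTION_SHA is an obvious placeholder, and the decision not to flag `id-token: write` rests on the assumption that the action's documented setup needs it for its OIDC exchange.

```python
"""Regex lint for the hardening points raised in this review. Added example, not part of
the PR or of anthropics/claude-code-action; no YAML library, so it handles only the block
layout these workflows use. The sample at the bottom is a constructed approximation."""
import re

# Events whose payload text is written by whoever raised the event and reaches the prompt.
UNTRUSTED_TEXT_EVENTS = {"issue_comment", "issues", "pull_request_review",
                         "pull_request_review_comment", "pull_request_target"}
# Scopes the review proposes widening. id-token is excluded on purpose: the action's
# documented setup needs id-token: write for its OIDC exchange (assumption; verify).
WRITE_SCOPES_OF_CONCERN = {"contents", "pull-requests", "issues"}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w./-]+)@([^\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERM_LINE_RE = re.compile(r"^([\w-]+):\s*(read|write|none)\s*(#.*)?$")
_indent = lambda line: len(line) - len(line.lstrip(" "))


def triggers(text):
    """Event names under a block-style top-level `on:` key."""
    events, in_on = set(), False
    for line in text.splitlines():
        if line.rstrip() == "on:":
            in_on = True
        elif in_on and line.strip():
            if _indent(line) == 0:                  # back at top level: on: block ended
                break
            if (m := re.match(r"^  ([\w-]+):", line)):   # exactly two spaces = event key
                events.add(m.group(1))
    return events


def permissions(text):
    """scope -> level from the first long-form `permissions:` mapping."""
    perms, base = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if base is None:
            if stripped == "permissions:":
                base = _indent(line)
        elif not stripped or _indent(line) <= base:
            break
        elif (m := PERM_LINE_RE.match(stripped)):
            perms[m.group(1)] = m.group(2)
    return perms


def audit(text):
    """Human-readable findings; an empty list means every check passed."""
    findings, uses, events = [], USES_RE.findall(text), triggers(text)
    for action, ref in uses:
        if not SHA_RE.match(ref):       # a tag like v4 and a bogus placeholder both fail this
            findings.append(f"unpinned: {action}@{ref} is not a 40-hex commit SHA")
    if "pull_request_target" in events and any(a == "actions/checkout" for a, _ in uses):
        findings.append("pull_request_target with actions/checkout: fork code would run "
                        "with base-repo secrets and token")
    untrusted = sorted(events & UNTRUSTED_TEXT_EVENTS)
    if untrusted:
        for scope, level in sorted(permissions(text).items()):
            if level == "write" and scope in WRITE_SCOPES_OF_CONCERN:
                findings.append(f"{scope}: write on a job triggered by {', '.join(untrusted)}: "
                                "untrusted text reaches an agent holding a write token")
        if set(untrusted) - {"pull_request_target"} and "author_association" not in text:
            findings.append("mention trigger without an author_association gate: "
                            "any commenter can start a run")
    return findings


# Constructed approximation of .github/workflows/claude.yml as opened in this PR.
ORIGINAL_CLAUDE_YML = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
  issues:
    types: [opened, assigned]
jobs:
  claude:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude'))
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
"""
CHECKOUT_SHA = "3df4ab11eba7bda6032a0b82a6bb43b11571feac"   # the SHA the review proposes for checkout v4
ACTION_SHA = "0" * 40   # placeholder, not a real commit: substitute the claude-code-action commit you vetted
# The review's pins plus an author_association gate, applied to the sample above.
HARDENED_CLAUDE_YML = (ORIGINAL_CLAUDE_YML
    .replace("actions/checkout@v4", f"actions/checkout@{CHECKOUT_SHA} # v4")
    .replace("anthropics/claude-code-action@v1", f"anthropics/claude-code-action@{ACTION_SHA} # v1")
    .replace("'@claude'))", "'@claude') &&\n       github.event.comment.author_association == 'OWNER')"))
# The widened GITHUB_TOKEN scopes the review proposes, applied on top of the hardened sample.
WIDENED_CLAUDE_YML = (HARDENED_CLAUDE_YML.replace("contents: read", "contents: write")
    .replace("pull-requests: read", "pull-requests: write").replace("issues: read", "issues: write"))
```

Run `audit()` over each of the three samples: the original reports two unpinned refs and the missing author gate, the hardened variant is clean, and the widened variant reports one finding per write scope, which is the tension the review comments below never resolve: every write scope added to a comment-triggered job is a scope an untrusted comment can steer.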


coderabbitai bot commented Sep 17, 2025

Walkthrough

Adds two GitHub Actions workflows: one auto-reviews pull requests using a Claude code review action on PR events; the other runs the Claude action on comment/review/issue events when an @claude mention is detected. Both check out the repo, use ANTHROPIC_API_KEY, and set scoped permissions.

Changes

Cohort / File(s) | Summary
PR auto code review workflow (`.github/workflows/claude-code-review.yml`) | New workflow "Claude Code Review" triggered on pull_request (opened, synchronize). Checks out code, runs anthropics/claude-code-action@v1 with a review prompt, constrained `claude_args`, and read-level permissions; includes commented author filter.
Mention-triggered Claude workflow (`.github/workflows/claude.yml`) | New workflow "Claude Code" triggered on issue_comment, pull_request_review_comment, issues (opened, assigned), and pull_request_review (submitted). Job runs only when an @claude mention is present; checks out code and runs anthropics/claude-code-action@v1 with minimal permissions; optional prompt/args commented.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub
  participant WF as Workflow: claude-code-review
  participant Action as anthropics/claude-code-action@v1

  Dev->>GH: Open/Synchronize Pull Request
  GH-->>WF: Trigger on pull_request
  WF->>WF: Checkout repo (fetch-depth: 1)
  WF->>Action: Run with ANTHROPIC_API_KEY, prompt, claude_args
  Action-->>WF: Review output
  WF->>GH: Post PR comment (gh pr comment)
sequenceDiagram
  autonumber
  actor User as User
  participant GH as GitHub
  participant WF as Workflow: claude
  participant Action as anthropics/claude-code-action@v1

  User->>GH: Create Issue/PR Review/Comment (may include @claude)
  GH-->>WF: Trigger on event
  alt Contains @claude
    WF->>WF: Checkout repo (fetch-depth: 1)
    WF->>Action: Run with ANTHROPIC_API_KEY
    Action-->>WF: Response
    WF->>GH: Post reply via GitHub APIs
  else No mention
    WF-->>GH: Skip job
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check | ✅ Passed | The title "Add Claude Code GitHub Workflow" is concise and accurately describes the primary change: adding a GitHub Actions integration for Claude Code to the repository. It is specific, readable, and directly related to the workflow files added in the changeset.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

  • Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
  • Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Up to 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.


Comment @coderabbitai help to get the list of available commands and usage tips.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (11)
.github/workflows/claude.yml (6)

28-31: Pin actions to immutable SHAs.

Prevents supply‑chain drift on runners.

Apply:

-        uses: actions/checkout@v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 1
+          persist-credentials: false
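
Review bot: persist-credentials: false fits a job that only reads the tree, but this is claude.yml, whose stated purpose in the PR description includes creating branches and commits; with the stored credential gone, a git push from this job succeeds only if the action hands git its own token, so confirm that before adopting the line. The trailing comment on the pinned checkout should name the exact release the SHA corresponds to (# v4.x.y rather than # v4) so update tooling can track it.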

33-41: Pin the Claude action; avoid permissive extra permissions here.

Pin to a commit SHA; keep job-level permissions the single source of truth.

Apply:

-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@1a2b3c4d5e6f7g8h9i0j # v1 (pin to real commit)
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-
-          # This is an optional setting that allows Claude to read CI results on PRs
-          additional_permissions: |
-            actions: read
+          # No additional_permissions; rely on job-level permissions
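
Review bot: 1a2b3c4d5e6f7g8h9i0j is not a git object id (20 characters, and g through j are not hex), so the runner cannot resolve the ref and the workflow would fail to start if merged as written; keep the floating @v1 until a real 40-hex commit is filled in. Dropping additional_permissions also needs care: job-level actions: read only scopes GITHUB_TOKEN, whereas this input is how the action requests the extra scope on the token it obtains for itself, so Claude may lose the ability to read CI results; check the action's documentation before removing it.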

3-11: Consider narrowing triggers to reduce noise.

Running on issues.assigned can cause unintended runs if a title contains “@claude”. Recommend limiting to comments or add label filter.

Suggested:

   issues:
-    types: [opened, assigned]
+    types: [opened]
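
Review bot: removing assigned does not address the stated concern, because the job-level if still matches @claude in the issue title on opened. If title matches are the problem, drop contains(github.event.issue.title, '@claude') from the condition instead, and keep assigned if assigning an existing issue to Claude is a hand-off you want.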

Or require a label via an early step to exit non‑matching issues.


13-20: Add concurrency and timeout to avoid duplicate/long runs.

Apply:

 jobs:
   claude:
+    concurrency:
+      group: claude-${{ github.workflow }}-${{ github.event_name }}-${{ github.run_id || github.event.number || github.ref }}
+      cancel-in-progress: true
+    timeout-minutes: 20
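
Review bot: github.run_id is always set, so the || chain never reaches github.event.number or github.ref and every run lands in its own group; cancel-in-progress: true would never cancel anything. Key the group on the subject instead, for example claude-${{ github.event.issue.number || github.event.pull_request.number || github.ref }} (issue_comment on a PR populates github.event.issue.number). Also decide whether cancelling a run mid-way is acceptable here, since it can abandon a half-pushed branch.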

15-20: Case sensitivity: accept “@Claude” too.

You already match “@claude”; also match “@Claude” (covered in earlier diff).


51-51: YAML lint: trailing blank line.

Remove extra line to appease linters.

- 
.github/workflows/claude-code-review.yml (5)

28-33: Pin checkout and tighten settings.

Apply:

-        uses: actions/checkout@v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 1
+          persist-credentials: false
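
Review bot: in this workflow persist-credentials: false has no downside: the only write the job performs is gh pr comment, and gh authenticates from the GH_TOKEN/GITHUB_TOKEN environment variable rather than from the credential checkout stores in .git/config. Same point as in claude.yml about replacing # v4 with the exact release the SHA corresponds to.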

If switching to pull_request_target, remove this checkout entirely.


34-54: Pin Claude action and add concurrency/timeout.

Also, keep allowed tools minimal.

Apply:

-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@1a2b3c4d5e6f7g8h9i0j # v1 (pin to real commit)
@@
-          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
+          claude_args: '--allowed-tools "Bash(gh pr comment:*),Bash(gh pr view:*),Bash(gh pr diff:*)"'
+
+    concurrency:
+      group: claude-review-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+    timeout-minutes: 15
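
Review bot: the trimmed --allowed-tools list still contains Bash(gh pr comment:*), the one tool that needs a write-capable token, so this list and the permissions fix have to be reconciled together rather than separately. The claude-code-action ref is the same non-hex placeholder as in claude.yml and must be a real commit before merge. The concurrency and timeout keys at four-space indent after the steps list are valid job-level YAML, but they read better next to runs-on.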

39-50: Prompt clarity is good; small tweak to avoid bot loops.

Ensure the review comment does not include “@claude” to prevent recursive triggers in the other workflow.

You can add to the prompt: “Do not include ‘@claude’ in your reply.”


54-54: YAML lint: trailing blank line.

Remove the final extra line.

-

1-5: Optional: add a manual dispatch for debugging.

Handy for testing without opening a PR.

Apply:

 on:
   pull_request:
     types: [opened, synchronize]
+  workflow_dispatch:
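
Review bot: on workflow_dispatch there is no pull_request payload, so github.event.pull_request.number and anything the prompt or gh pr comment derives from it is empty and the review has nothing to attach to; add inputs: with a pr_number field under workflow_dispatch and reference inputs.pr_number || github.event.pull_request.number wherever the job needs it.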
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4d9255c and 2e7ec4b.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml (1 hunks)
  • .github/workflows/claude.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/claude-code-review.yml

[warning] 54-54: too many blank lines (1 > 0)

(empty-lines)

.github/workflows/claude.yml

[warning] 50-50: too many blank lines (1 > 0)

(empty-lines)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Analyze (typescript)
  • GitHub Check: Analyze (javascript)
  • GitHub Check: ci
  • GitHub Check: ci
  • GitHub Check: ci
  • GitHub Check: ci
🔇 Additional comments (1)
.github/workflows/claude-code-review.yml (1)

3-5: Fork PRs: choose pull_request vs pull_request_target — do not execute fork code.

pull_request blocks writes from forked PRs; pull_request_target runs with base-repo permissions but must NOT checkout or run untrusted fork code — read the PR via gh (gh pr view/diff) or the REST API, or use a GitHub App token if you keep pull_request.

-on:
-  pull_request:
+on:
+  pull_request_target:
     types: [opened, synchronize]
@@
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
+      # Avoid checking out fork code; rely on gh to read PR context.
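
Review bot: this is the suggestion to push back on. pull_request_target runs on an event any fork can raise, with the base repository's secrets (ANTHROPIC_API_KEY) and a token that can write, and dropping checkout does not keep untrusted input out: the PR title, body and diff still reach the model through gh pr view and gh pr diff, which is prompt injection straight into an agent that can post comments and, depending on the tool list, run commands. If fork PRs must be reviewed, keep the tool list read-only plus gh pr comment, never add contents: write to this workflow, never run gh pr checkout, and have the prompt treat PR content as data; otherwise stay on pull_request and accept that fork PRs get no comment.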

Comment on lines +21 to +27
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write


⚠️ Potential issue

Write perms required for gh pr comment; otherwise the review can’t post.

Token is read‑only; the action won’t be able to leave feedback.

Apply:

     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
+      contents: read
+      pull-requests: write   # needed to comment on PRs
+      issues: read
+      actions: read          # optional: let Claude read CI results
+      id-token: none
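
Review bot: the block being replaced (read scopes plus id-token: write) is the action's documented default, and id-token: write is what lets the job mint the token the Claude GitHub App installed by this PR uses to post; setting it to none is likely to break authentication. If the action posts through that app token, pull-requests: write on GITHUB_TOKEN is unnecessary, so check which token gh pr comment runs under inside the action before widening anything.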

Note: For forked PRs, GitHub still restricts writes on pull_request. If you need commenting on forks, consider pull_request_target with strict safeguards (no checkout/run of fork code). See next comment.

🤖 Prompt for AI Agents
.github/workflows/claude-code-review.yml around lines 21-27: the workflow
currently grants read-only token permissions so `gh pr comment` cannot post;
update the permissions block to grant write permission for pull-requests (e.g.,
change pull-requests: read to pull-requests: write) so the action can post PR
comments, keep other permissions as needed, and if you must support commenting
on forked PRs consider switching to pull_request_target with strict safeguards
as noted.

Comment on lines +15 to +20
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest

⚠️ Potential issue

Add authorization guard to truly limit triggers to users with write access.

Current condition only checks for “@claude” text; any external commenter can trigger runs. Gate by author_association and avoid bot loops.

Apply:

   claude:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    if: |
+      github.event.sender.type != 'Bot' && (
+        (github.event_name == 'issue_comment' &&
+          (contains(github.event.comment.body, '@claude') || contains(github.event.comment.body, '@Claude')) &&
+          (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) ||
+        (github.event_name == 'pull_request_review_comment' &&
+          (contains(github.event.comment.body, '@claude') || contains(github.event.comment.body, '@Claude')) &&
+          (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) ||
+        (github.event_name == 'pull_request_review' &&
+          (contains(github.event.review.body, '@claude') || contains(github.event.review.body, '@Claude')) &&
+          (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'COLLABORATOR')) ||
+        (github.event_name == 'issues' &&
+          (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude') ||
+           contains(github.event.issue.body, '@Claude') || contains(github.event.issue.title, '@Claude')) &&
+          (github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'COLLABORATOR'))
+      )
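
Review bot: contains() in GitHub expressions is case-insensitive, so every @Claude branch is redundant and the condition can be halved. MEMBER means membership of the owning organization, not write access to this repository, so this gate is looser than the PR description's "only users with write access" claim; for a strict check, add a first step that calls gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission and fails unless the returned permission is write, maintain or admin. The sender.type != 'Bot' clause is the right loop guard against the review workflow's own comments.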

Comment on lines +21 to +26
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs

⚠️ Potential issue

Grant minimal writes needed; current read-only perms block Claude from commenting.

To reply on PRs/issues or push branches, Claude needs write perms.

Apply:

     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-      actions: read # Required for Claude to read CI results on PRs
+      contents: write           # allow creating commits/branches only if you intend to
+      pull-requests: write      # needed for gh pr comment
+      issues: write             # needed for issue comments
+      actions: read             # read CI results
+      id-token: none
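
Review bot: contents: write on a job triggered by issue_comment and issues means text that any issue author can write drives an agent holding a token that can push to every branch no ruleset protects; if branch and commit creation is wanted, pair it with the author_association gate proposed in the other comment and a branch ruleset that confines pushes by this token to a claude/ prefix. The id-token: none change carries the same caveat as in claude-code-review.yml: the documented default keeps id-token: write for the action's OIDC exchange.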

If you don’t want branch/commit writes here, keep contents: read and remove tools that write. Otherwise, keep contents: write.

🤖 Prompt for AI Agents
In .github/workflows/claude.yml around lines 21–26 the workflow grants only read
permissions which prevents the bot from posting comments or pushing branches;
update the permissions to the minimal write privileges required (for example
change contents: read to contents: write and set pull-requests: write and/or
issues: write as needed), or alternatively remove any CI tools that require
write access and keep contents: read — ensure you grant only the specific write
scopes the workflow needs rather than global write.
