Add Claude Code GitHub Workflow #1

Merged
martin-augment merged 2 commits into main from add-claude-github-actions-1761294917697
Oct 24, 2025

Owner

@martin-augment martin-augment commented Oct 24, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • New Features
    • Added automated code review workflow that provides feedback on code quality, bugs, performance, security, and test coverage on pull requests.
    • Added integration to request Claude AI assistance via mentions in issues and pull request comments.

@martin-augment martin-augment merged commit 6dd66a1 into main Oct 24, 2025
34 checks passed

coderabbitai bot commented Oct 24, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

Two new GitHub Actions workflows are introduced to enable Claude-powered code review and assistant capabilities. The first workflow performs automated code review on pull request events, while the second responds to Claude mentions in issue comments, PR review comments, and review events.

Changes

Cohort / File(s): Claude Code Review Workflow (.github/workflows/claude-code-review.yml)
Summary: New workflow triggered on PR open/synchronize events that executes the Claude Code Review action, providing feedback on code quality, bugs, performance, security, and test coverage using repository style guidance. Configures GitHub CLI tools for access to PR data.

Cohort / File(s): Claude Code Workflow (.github/workflows/claude.yml)
Summary: New workflow triggered on issue comments, PR review comments, and review events when @claude is mentioned. Executes the Claude Code Action with customizable prompts and arguments. Includes optional configuration for additional permissions and tool access.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Two workflows hop into place with care,
Claude now reviews your code with flair!
From PRs opened to comments with @mention true,
Automation whispers, "I'll help review for you!" 🚀

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d519bb8 and 7ed8068.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml (1 hunks)
  • .github/workflows/claude.yml (1 hunks)

Comment @coderabbitai help to get the list of available commands and usage tips.

@augmentcode augmentcode bot left a comment

Review completed. 3 suggestions posted.


runs-on: ubuntu-latest
permissions:
contents: read

gh pr comment will fail with read-only permissions; the job needs write access to post a review comment on the PR (at least pull-requests: write, and issues: write if it might comment on issues).

🤖 React with 👍 or 👎 to let us know if the comment was useful.


jobs:
claude:
if: |

As written, this condition lets any commenter who mentions @claude trigger a run; this contradicts the PR note that only users with write access can trigger. Consider restricting by author_association (e.g., MEMBER/OWNER/COLLABORATOR) to avoid untrusted triggers.

🤖 React with 👍 or 👎 to let us know if the comment was useful.

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read

If Claude is expected to reply by posting comments, read-only pull-requests/issues permissions will prevent it from commenting (403). Consider granting the minimal required write permissions for those scopes.

🤖 React with 👍 or 👎 to let us know if the comment was useful.


claude bot commented Oct 24, 2025

Code Review: Add Claude Code GitHub Workflow

Summary

This PR adds two GitHub Actions workflows for Claude Code integration:

  1. claude.yml - Enables @claude mentions in issues and PRs
  2. claude-code-review.yml - Automated code reviews on PRs

Code Quality and Best Practices

Missing Apache License Headers ⚠️

Issue: Both workflow files are missing the Apache Software Foundation license headers that are standard across this repository.

All other workflow files in .github/workflows/ include the Apache License 2.0 header (lines 1-16). For consistency with the project's licensing requirements, both new files should include:

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

Reference: See .github/workflows/dev.yml:1-16 or .github/workflows/rust.yml:1-16

Concurrency Control Missing

Issue: Neither workflow defines concurrency groups, which is standard practice in this repository.

Other workflows use concurrency control to cancel in-progress runs when new commits are pushed:

concurrency:
  group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-${{ github.workflow }}
  cancel-in-progress: true

This prevents wasting CI resources on outdated commits. Consider adding this to both workflows.

Reference: See .github/workflows/dev.yml:20-22

Checkout Action Version Inconsistency

Issue: Both workflows use actions/checkout@v4, but all other workflows in this repository use @v5.

For consistency and to get latest bug fixes, update to:

- uses: actions/checkout@v5

Reference: See .github/workflows/dev.yml:41, .github/workflows/rust.yml:39

Potential Issues

1. Submodule Handling (.github/workflows/claude-code-review.yml:31)

Issue: The checkout step uses fetch-depth: 1, but this repository requires git submodules for test data.

According to CONTRIBUTING.md:102-110, tests rely on submodules from parquet-testing and arrow-testing. The workflow should include:

- name: Checkout repository
  uses: actions/checkout@v5
  with:
    submodules: true

Without this, if Claude needs to run tests or access test data during reviews, it will fail.

2. Overly Broad Trigger Scope (.github/workflows/claude-code-review.yml:3-5)

Issue: The workflow runs on ALL PRs without any filtering.

The commented-out sections suggest awareness of this issue. For a Rust project of this scale (Apache Arrow), running automated AI reviews on every PR could:

  • Generate excessive API costs
  • Create noise for experienced contributors
  • Slow down PR workflows

Recommendations:

  1. Enable path filtering to focus on specific areas:
     paths:
       - "arrow/**/*.rs"
       - "parquet/**/*.rs"
       - "arrow-flight/**/*.rs"
  2. Or filter by contributor type:
     if: github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

3. Permissions Scope (.github/workflows/claude.yml:26)

Issue: The actions: read permission comment suggests Claude can read CI results, but the additional_permissions configuration (lines 40-41) may be redundant.

The permission is already declared at the job level (line 26). The additional_permissions parameter in the action config might be unnecessary. Verify with the action documentation whether both are needed.

Performance Considerations

Claude Code Review Workflow Efficiency

The workflow uses fetch-depth: 1 for faster checkouts, which is good. However:

  1. Token Budget: No timeout or token limit is specified. Long PRs could consume excessive resources.
  2. Parallel Execution: Consider if reviews should skip when other CI checks are failing (saves resources).

Suggestion:

- name: Run Claude Code Review
  if: github.event.pull_request.draft == false
  timeout-minutes: 15

Security Concerns

1. Secret Handling ✅

Good: The workflow correctly uses GitHub Secrets for the OAuth token (${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}).

2. Permission Principle of Least Privilege ✅

Good: Permissions are explicitly scoped to read-only for most resources.

3. Write Access Restriction (.github/workflows/claude.yml:14-18)

Note: The conditional logic attempts to restrict execution, but the write access restriction mentioned in the PR description isn't explicitly enforced in the workflow file itself.

The condition checks for @claude mentions but doesn't verify user permissions. This might be handled by the action itself, but it's worth verifying that the action enforces write access requirements as described.

Test Coverage

Issue: No tests or validation for the workflows themselves.

Recommendations:

  1. Test the workflow on a fork first before merging
  2. Create a test PR to verify the Claude Code review actually runs
  3. Document expected behavior in the PR description or a separate test plan

Additional Suggestions

1. Documentation

Consider adding a .github/CLAUDE.md file (as mentioned in the prompt) to provide Claude with:

  • Project-specific coding standards
  • Rust idioms preferred by this project
  • Common pitfalls in Arrow/Parquet development
  • Links to relevant Apache Arrow documentation

2. Rate Limiting

For a high-traffic Apache project, consider adding workflow_dispatch triggers to allow manual control alongside automated triggers.

3. File Path Comments

The prompt references checking for a CLAUDE.md file for style guidance, but this file doesn't exist in the repository. Creating one would improve review quality.

Verdict

Overall Assessment: This is a functional implementation with some gaps in repository conventions and potential resource usage concerns.

Required Changes:

  1. ✅ Add Apache License headers to both files
  2. ✅ Update checkout action to @v5 for consistency
  3. ⚠️ Add submodules: true to checkout (critical for functionality)

Recommended Changes:

  1. Add concurrency control
  2. Add path filtering or contributor filtering to code-review workflow
  3. Add timeout limits
  4. Create .github/CLAUDE.md for style guidance
  5. Test workflows before merging

Security: No security concerns identified. Secret handling is appropriate.


Review generated by Claude Code
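
The trigger gate raised in the review comments above (restricting runs by author_association, and the write-access point in "Write Access Restriction"), as an added sketch that is not the PR's claude.yml and not part of the thread. The mention-only condition is an assumed shape, since the body of the original `if:` is not shown on this page, and the list of trusted associations is an assumption.

```yaml
# Added illustration; the trigger list follows the walkthrough on this page.
name: Claude Code
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_review:
    types: [submitted]

jobs:
  claude:
    # Weak form (assumed shape of a mention-only gate): any account that can
    # comment starts a run, which contradicts "only users with write access".
    #   if: contains(github.event.comment.body, '@claude')
    #
    # Gated form: require the mention AND a trusted author_association.
    # Reviews carry their text and association under github.event.review,
    # issue and review comments carry them under github.event.comment.
    if: |
      (
        github.event_name == 'pull_request_review' &&
        contains(github.event.review.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
                 github.event.review.author_association)
      ) || (
        github.event_name != 'pull_request_review' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
                 github.event.comment.author_association)
      )
    runs-on: ubuntu-latest
    # permissions and steps: unchanged from the PR's claude.yml (not shown here)
```

author_association is a coarse signal: MEMBER and COLLABORATOR do not by themselves prove write permission, so this narrows who can trigger a run rather than enforcing the write-access claim exactly.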
