Skip to content

Add Claude Code GitHub Workflow #196

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
cblanc wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add Claude Code GitHub Workflow #196

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0b3f269
"Claude PR Assistant workflow"
cblanc Sep 17, 2025
2e7ec4b
"Claude Code Review workflow"
cblanc Sep 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions .github/workflows/claude-code-review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize]
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"

jobs:
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write

Comment on lines +21 to +27
Copy link

@coderabbitai coderabbitai bot Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Write perms required for gh pr comment; otherwise the review can’t post.

Token is read‑only; the action won’t be able to leave feedback.

Apply:

     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
+      contents: read
+      pull-requests: write   # needed to comment on PRs
+      issues: read
+      actions: read          # optional: let Claude read CI results
+      id-token: none

Note: For forked PRs, GitHub still restricts writes on pull_request. If you need commenting on forks, consider pull_request_target with strict safeguards (no checkout/run of fork code). See next comment.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write # needed to comment on PRs
issues: read
actions: read # optional: let Claude read CI results
id-token: none
🤖 Prompt for AI Agents 
.github/workflows/claude-code-review.yml around lines 21-27: the workflow
currently grants read-only token permissions so `gh pr comment` cannot post;
update the permissions block to grant write permission for pull-requests (e.g.,
change pull-requests: read to pull-requests: write) so the action can post PR
comments, keep other permissions as needed, and if you must support commenting
on forked PRs consider switching to pull_request_target with strict safeguards
as noted.

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Please review this pull request and provide feedback on:
- Code quality and best practices
- Potential bugs or issues
- Performance considerations
- Security concerns
- Test coverage

Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.

Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.

# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options
claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'

50 changes: 50 additions & 0 deletions .github/workflows/claude.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
Comment on lines +15 to +20
Copy link

@coderabbitai coderabbitai bot Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Add authorization guard to truly limit triggers to users with write access.

Current condition only checks for “@claude” text; any external commenter can trigger runs. Gate by author_association and avoid bot loops.

Apply:

   claude:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    if: |
+      github.event.sender.type != 'Bot' && (
+        (github.event_name == 'issue_comment' &&
+          (contains(github.event.comment.body, '@claude') || contains(github.event.comment.body, '@Claude')) &&
+          (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) ||
+        (github.event_name == 'pull_request_review_comment' &&
+          (contains(github.event.comment.body, '@claude') || contains(github.event.comment.body, '@Claude')) &&
+          (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) ||
+        (github.event_name == 'pull_request_review' &&
+          (contains(github.event.review.body, '@claude') || contains(github.event.review.body, '@Claude')) &&
+          (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'COLLABORATOR')) ||
+        (github.event_name == 'issues' &&
+          (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude') ||
+           contains(github.event.issue.body, '@Claude') || contains(github.event.issue.title, '@Claude')) &&
+          (github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'COLLABORATOR'))
+      )
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
if: |
github.event.sender.type != 'Bot' && (
(github.event_name == 'issue_comment' &&
(contains(github.event.comment.body, '@claude') || contains(github.event.comment.body, '@Claude')) &&
(github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) ||
(github.event_name == 'pull_request_review_comment' &&
(contains(github.event.comment.body, '@claude') || contains(github.event.comment.body, '@Claude')) &&
(github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) ||
(github.event_name == 'pull_request_review' &&
(contains(github.event.review.body, '@claude') || contains(github.event.review.body, '@Claude')) &&
(github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'COLLABORATOR')) ||
(github.event_name == 'issues' &&
(contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude') ||
contains(github.event.issue.body, '@Claude') || contains(github.event.issue.title, '@Claude')) &&
(github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'COLLABORATOR'))
)
runs-on: ubuntu-latest

permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
Comment on lines +21 to +26
Copy link

@coderabbitai coderabbitai bot Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Grant minimal writes needed; current read-only perms block Claude from commenting.

To reply on PRs/issues or push branches, Claude needs write perms.

Apply:

     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-      actions: read # Required for Claude to read CI results on PRs
+      contents: write           # allow creating commits/branches only if you intend to
+      pull-requests: write      # needed for gh pr comment
+      issues: write             # needed for issue comments
+      actions: read             # read CI results
+      id-token: none

If you don’t want branch/commit writes here, keep contents: read and remove tools that write. Otherwise, keep contents: write.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
permissions:
contents: write # allow creating commits/branches only if you intend to
pull-requests: write # needed for gh pr comment
issues: write # needed for issue comments
actions: read # read CI results
id-token: none
🤖 Prompt for AI Agents 
In .github/workflows/claude.yml around lines 21–26 the workflow grants only read
permissions which prevents the bot from posting comments or pushing branches;
update the permissions to the minimal write privileges required (for example
change contents: read to contents: write and set pull-requests: write and/or
issues: write as needed), or alternatively remove any CI tools that require
write access and keep contents: read — ensure you grant only the specific write
scopes the workflow needs rather than global write.

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options
# claude_args: '--model claude-opus-4-1-20250805 --allowed-tools Bash(gh pr:*)'

Loading