
@craftzdog
Contributor

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:

    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@craftzdog craftzdog merged commit 3b51e6c into main Nov 17, 2025
9 checks passed
@craftzdog craftzdog deleted the add-claude-github-actions-1763348191992 branch November 17, 2025 02:57
@claude

claude bot commented Nov 17, 2025

Code Review: Claude Code GitHub Workflow Update

Thank you for updating the Claude Code GitHub Actions workflows! Overall, this is a good modernization that migrates from the beta version to v1 and switches from API key authentication to OAuth tokens. Here's my detailed review:

Positive Changes

  1. Migration to v1 release: Moving from @beta to @v1 is the right choice for production stability
  2. OAuth token authentication: Switching from anthropic_api_key to claude_code_oauth_token follows current best practices
  3. Cleaner configuration: Removed excessive commented-out examples, making the workflows easier to read
  4. Whitespace cleanup: Fixed trailing whitespace issues (lines 20, 26 in claude-code-review.yml)
  5. Added actions permission: The actions: read permission in claude.yml allows Claude to read CI results, which is useful

🔍 Code Quality & Best Practices

Good:

  • Proper use of GitHub Actions permissions with least-privilege principle
  • Clear documentation in comments and PR description
  • Consistent formatting and structure

Suggestions:

  1. Missing permissions in claude-code-review.yml: The claude-code-review.yml workflow might also benefit from the actions: read permission if Claude needs to check CI status during automated reviews. Consider adding it for consistency:

    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read  # Allow Claude to read CI results

  2. Missing additional_permissions in claude-code-review.yml: If you add the actions: read permission, you should also add the additional_permissions section like in claude.yml.

🐛 Potential Issues

  1. Secret requirement not documented: The PR description mentions storing the Anthropic API key as a secret, but the workflows now use CLAUDE_CODE_OAUTH_TOKEN. The description should be updated to reflect this change and provide instructions on how to obtain and configure the OAuth token.

  2. Fetch depth: Both workflows use fetch-depth: 1, which is a shallow clone. This might limit Claude's ability to:

    • Review commit history
    • Understand context from previous commits
    • Run git-based operations that need history

    Consider if this is intentional for performance, or if a deeper history might be beneficial for code reviews.

🔒 Security Considerations

Good:

  • claude_args properly restricts tools to specific gh commands with wildcards
  • OAuth token is stored as a secret (not hardcoded)
  • Permissions are explicitly declared and minimal

Recommendations:

  1. Token rotation: Ensure there's a process for rotating the CLAUDE_CODE_OAUTH_TOKEN secret
  2. Audit logs: Monitor GitHub Actions logs for unexpected Claude invocations
  3. Branch protection: Consider requiring review/approval for changes to these workflow files

Performance Considerations

  • fetch-depth: 1 is good for performance
  • Running on ubuntu-latest is appropriate
  • The automated review workflow triggers on opened and synchronize, which is reasonable and won't create excessive runs

🧪 Test Coverage

Missing:

  • No way to test these workflows before merging (as noted in the PR description)
  • Consider creating a test PR in a fork or test repository to validate the workflows work with the new OAuth token

Recommendation:

  • Add a comment in the workflow files about how to test changes (e.g., in a fork or with a specific label)

📝 Documentation Updates Needed

  1. Update PR description: Change references from "Anthropic API key" to "Claude Code OAuth token" with instructions on how to obtain it
  2. Add to README.md: Consider documenting the Claude Code integration in the README, mentioning:
    • How to use @claude mentions
    • What Claude can help with
    • Link to the workflow files
  3. CLAUDE.md alignment: The workflows reference CLAUDE.md for guidance, which is good practice

🎯 Specific Line Comments

claude-code-review.yml:56

claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'

Consider if you want to allow other safe tools like:

  • Bash(npm run lint) - To check linting issues
  • Bash(npm run typecheck) - To verify type errors
  • Bash(npm run test) - To run tests (though this might be better done in CI first)

Summary

This is a solid update that modernizes the Claude Code integration. The main action items before merging:

  1. ✅ Update PR description to reference OAuth token instead of API key
  2. 🤔 Consider adding actions: read permission to claude-code-review.yml
  3. 📚 Document the OAuth token setup process
  4. 🧪 Test in a safe environment if possible

The code changes themselves are clean and follow best practices. Once the documentation is updated and the OAuth token is properly configured as a secret, this should work well!


Generated via Claude Code automated review
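A policy check for the two controls the review calls out (restricted `--allowed-tools` patterns and a minimal `permissions` block), added here as an example that is not part of the repository or of the Claude Code action; the sample inputs, the approved command list and the per-scope ceilings are constructed assumptions:

```python
import re
import shlex

# Constructed sample of the v1-style step input discussed in the review (not the repo's real file).
CLAUDE_ARGS = ('--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),'
               'Bash(gh pr diff:*),Bash(gh pr view:*)"')

# Constructed permissions block matching the least-privilege set the review suggests.
PERMISSIONS = {"contents": "read", "pull-requests": "read", "issues": "read",
               "id-token": "write", "actions": "read"}

# Policy assumptions: the only shell commands the agent may run, and the highest
# level each token scope may hold (id-token: write is needed for OIDC; rest default to read).
APPROVED_COMMANDS = ("gh issue", "gh pr", "gh search", "npm run lint", "npm run typecheck")
MAX_LEVEL = {"id-token": "write"}
RANK = {"none": 0, "read": 1, "write": 2}
_BASH = re.compile(r"^Bash\((.*)\)$")

def parse_allowed_tools(claude_args):
    """Return the comma-separated tool patterns that follow --allowed-tools."""
    tokens = shlex.split(claude_args)
    if "--allowed-tools" not in tokens:
        return []
    idx = tokens.index("--allowed-tools") + 1
    if idx >= len(tokens):
        return []
    return [p.strip() for p in tokens[idx].split(",") if p.strip()]

def _approved(cmd):
    # A pattern is approved only if it is an approved command or a subcommand of one.
    return any(cmd == p or cmd.startswith(p + " ") for p in APPROVED_COMMANDS)

def check_tools(patterns):
    """Flag Bash patterns that are unrestricted or outside the approved commands."""
    findings = []
    for pat in patterns:
        if pat == "Bash":
            findings.append(f"{pat}: unrestricted shell access")
            continue
        m = _BASH.match(pat)
        if not m:
            continue                        # non-Bash tools are outside this policy
        cmd = m.group(1).strip()
        if cmd.endswith(":*"):
            cmd = cmd[:-2].strip()          # strip the argument wildcard
        if cmd in ("", "*"):
            findings.append(f"{pat}: wildcard matches any command")
        elif not _approved(cmd):
            findings.append(f"{pat}: command not in approved list")
    return findings

def check_permissions(perms):
    """Flag token scopes granted above the level the policy allows."""
    return [f"{scope}: {level} exceeds {MAX_LEVEL.get(scope, 'read')}"
            for scope, level in perms.items()
            if RANK.get(level, 2) > RANK[MAX_LEVEL.get(scope, "read")]]
```

Running both checks against the constructed inputs above yields no findings; a `Bash` entry without a command, a `Bash(*)` wildcard, or a `contents: write` scope each produce one.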
