@martin-augment (Owner) commented Oct 27, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • Chores
    • Integrated automated code review workflow for pull requests, evaluating code quality, security, performance, and test coverage.
    • Added Claude AI-powered code assistance workflow that activates on pull requests and issues when mentioned.

coderabbitai bot commented Oct 27, 2025

Caution: Review failed. The pull request is closed.

Walkthrough

Two new GitHub Actions workflows are added to automate Claude-based code analysis: one for automated review on pull requests, and another for on-demand analysis triggered by "@claude" mentions in issue and PR comments.

Changes

Cohort / File(s): GitHub Actions Workflows (.github/workflows/claude-code-review.yml, .github/workflows/claude.yml)
Summary: Adds two new workflows: claude-code-review.yml triggers on PR events to run automated Claude code review with quality, security, and test coverage evaluation; claude.yml triggers on comments/reviews mentioning "@claude" to invoke Claude Code action on demand. Both configure necessary permissions and repository checkout.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify OAuth token and permission configurations are correctly specified
  • Confirm trigger conditions (pull_request events vs. comment triggers with "@claude" filter) align with intended usage
  • Check that claude_args and additional_permissions blocks properly expose GitHub CLI tools and actions access

Poem

🐰 Two workflows hop into place,
Claude reviews code at breakneck pace,
One on every PR that flies,
One on "@claude"—a speedy surprise!
With tokens and tools all set just right,
Code quality shines oh so bright! ✨

📥 Commits

Reviewing files that changed from the base of the PR and between 8e6234c and 0b2ad0f.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml (1 hunks)
  • .github/workflows/claude.yml (1 hunks)

@martin-augment martin-augment merged commit 3e51722 into main Oct 27, 2025
2 of 5 checks passed
@martin-augment martin-augment deleted the add-claude-github-actions-1761545365468 branch October 27, 2025 06:10
claude bot commented Oct 27, 2025

Code Review: Claude Code GitHub Workflow Integration

Thank you for setting up the Claude Code integration! I've reviewed the two workflow files and have the following feedback:

✅ Strengths

  1. Security Best Practices:
    • Proper permission scoping with minimal required permissions (contents: read, pull-requests: read, etc.)
    • Uses id-token: write for OAuth token authentication
    • Restricts tool access appropriately with --allowed-tools parameter in code review workflow
    • Secret management through GitHub Actions secrets (CLAUDE_CODE_OAUTH_TOKEN)
  2. Good Workflow Design:
    • Proper event filtering in claude.yml to only trigger on @claude mentions
    • Separate workflows for interactive mentions vs. automated code reviews
    • Clear documentation in PR description about when workflows activate
  3. Consistency:
    • Uses actions/checkout@v4 consistent with other workflows in the repository
    • Follows naming conventions similar to existing workflows

🔧 Suggestions for Improvement

1. Missing Apache License Headers

All existing workflow files in this repository include Apache License headers (lines 1-16 in python.yml, rust.yml, etc.). The new workflows should follow this pattern:

File: .github/workflows/claude.yml
File: .github/workflows/claude-code-review.yml

Both files should start with:

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

2. Security: Missing Permission for PR Comments

In .github/workflows/claude-code-review.yml:22-26, the workflow needs pull-requests: write permission to post review comments. Currently it only has pull-requests: read, which will prevent Claude from commenting on PRs.

Current:

permissions:
  contents: read
  pull-requests: read  # ❌ Insufficient
  issues: read
  id-token: write

Should be:

permissions:
  contents: read
  pull-requests: write  # ✅ Required to post comments
  issues: read
  id-token: write

3. Security: Similar Issue in claude.yml

In .github/workflows/claude.yml:21-26, the same permission issue exists. If Claude needs to comment on issues or PRs, it needs write permissions:

Current:

permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write
  actions: read

Should be:

permissions:
  contents: read
  pull-requests: write  # ✅ Required to post comments
  issues: write         # ✅ Required to comment on issues
  id-token: write
  actions: read

4. Performance: Code Review Workflow May Run Recursively

.github/workflows/claude-code-review.yml:4-5 triggers on pull_request: [opened, synchronize]. This means it will also trigger on THIS pull request that adds the workflow itself, creating a meta-situation. Consider:

  • Adding the commented-out path filters (lines 6-11) to only run on code changes
  • Or adding an explicit condition to skip the workflow for PRs that only modify workflow files
  • Or accept this behavior as it could be useful for validating the workflow setup

5. Documentation Reference Issue

.github/workflows/claude-code-review.yml:50 references CLAUDE.md for style guidance, but this file doesn't exist in the repository. Options:

  • Remove this line from the prompt
  • Create a CLAUDE.md file with coding conventions
  • Reference the existing docs/contributors-guide.md instead

6. Consistency with Existing Workflows

Consider adding concurrency groups to prevent multiple Claude runs from conflicting, similar to how it's done in python.yml:35-37:

concurrency:
  group: ${{ github.repository }}-${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

🐛 Potential Bugs

  1. Permission Error: The workflows will fail to post comments due to insufficient permissions (see #2 and #3 above)
  2. Missing CLAUDE.md: References non-existent file (see #5 above)

🔒 Security Concerns

  1. Write Access Control: The PR description states "Only users with write access to the repository can trigger the workflow" - this is correct for the interactive workflow (claude.yml) but the auto-review workflow (claude-code-review.yml) will run on ALL PRs, including those from external contributors. Consider:

    • Using the commented-out author filter (lines 15-19) to limit auto-reviews
    • Or accepting this as intended behavior for providing helpful reviews to all contributors
  2. Tool Restrictions: Good that you've limited tools in claude-code-review.yml:56. Consider if claude.yml also needs claude_args with tool restrictions for security.

📊 Test Coverage

  • No tests are included, which is expected for GitHub Actions workflows
  • Manual testing will be required after merge by mentioning @claude in a PR/issue

🎯 Summary

Priority Issues to Address:

  1. HIGH: Add pull-requests: write and issues: write permissions
  2. HIGH: Add Apache License headers to both files
  3. 🔸 MEDIUM: Remove or fix the CLAUDE.md reference
  4. 🔹 LOW: Consider adding concurrency groups
  5. 🔹 LOW: Consider security implications of auto-reviewing all PRs

Overall Assessment: This is a solid implementation with good security practices. The main blockers are the missing write permissions and license headers. Once those are addressed, this should work well!
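A hardened claude-code-review.yml that folds in the review's suggestions 1, 2, 4, 5 and 6 together with the author-filter concern, as an added example rather than the PR's own file: the action reference `anthropics/claude-code-action@v1` and its inputs `claude_code_oauth_token`, `prompt` and `claude_args` are assumed from the upstream action, and `docs/contributors-guide.md` is the path the review names.

```yaml
# (The Apache License header quoted in the review goes here, as in python.yml)
name: Claude Code Review

on:
  pull_request:
    types: [opened, synchronize]
    # Skip PRs that only touch workflow files, so the review does not
    # re-trigger on changes to this workflow itself
    paths-ignore:
      - ".github/workflows/**"

# One in-flight review per ref: a new push cancels the stale run,
# matching the concurrency block already used in python.yml
concurrency:
  group: ${{ github.repository }}-${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

jobs:
  claude-review:
    # Gate automatic reviews on the author's relationship to the repository.
    # Note: on pull_request, forks already receive a read-only GITHUB_TOKEN and
    # no secrets, so this gate controls noise and cost rather than secret exposure.
    if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # required to post the review comment
      issues: read
      id-token: write        # OIDC token for the action's OAuth exchange
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code review
        # Action reference and input names are assumptions (see lead-in)
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          prompt: |
            Review PR #${{ github.event.pull_request.number }} in ${{ github.repository }}
            for correctness, security, performance and test coverage, following
            docs/contributors-guide.md. Post the findings as a PR comment.
          # Allow only read-only gh queries plus commenting; no build or shell access
          claude_args: >-
            --allowed-tools "Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr comment:*)"
```

The `if:` gate is the explicit form of the commented-out author filter the review mentions; drop it if the project prefers to auto-review every contributor's PR.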
