Add Claude Code GitHub Workflow #453
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
![charliecreates[bot]](https://avatars.githubusercontent.com/in/1140780?s=60&v=4){kind=small}
There was a problem hiding this comment.
Workflow works, but 1) write permissions are missing, 2) action version is not pinned, and 3) adding a manual trigger would ease testing. Addressing these will prevent runtime failures and mitigate supply-chain risk.
Additional notes (1)
- Maintainability |
.github/workflows/claude.yml:3-12
This workflow lacksworkflow_dispatch(orworkflow_call) in theon:block, which means it can’t be triggered manually for testing or ad-hoc runs. While not strictly required, having a manual trigger is a common best-practice for new workflows so you can validate changes without spamming production events.
Summary of changes
Added Claude Code GitHub Actions workflow (.github/workflows/claude.yml)
- Declares a new workflow named Claude Code.
- Listens to several comment-related events (
issue_comment,pull_request_review_comment,pull_request_review, and selectedissuesevents). - Uses an
if:guard to run only when a@claudemention is present. - Checks out the repository with
actions/checkout@v4. - Executes
anthropics/claude-code-action@beta, passingsecrets.ANTHROPIC_API_KEY. - Grants minimal explicit permissions (
contents,pull-requests,issuesall read, plusid-token: write).
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write |
There was a problem hiding this comment.
The action that powers Claude will need to write to the repository (e.g. opening PRs, committing changes, or posting comments). Granting only read permissions to contents and pull-requests is likely to cause authorization failures at runtime and defeats the purpose of the integration. Granting the minimal required write scopes keeps the principle of least privilege while still allowing Claude to function.
Suggestion
Update the permission block:
permissions:
contents: write # allow committing / pushing branches
pull-requests: write # allow creating / updating PRs
issues: write # allow commenting on issues/PRs
id-token: write # required for OIDCReply with "@CharlieHelps yes please" if you'd like me to add a commit with this suggestion.
|
|
||
| - name: Run Claude Code | ||
| id: claude | ||
| uses: anthropics/claude-code-action@beta |
There was a problem hiding this comment.
Pinning an action to a floating tag (@beta) introduces supply-chain risk because the referenced code can change unexpectedly. GitHub’s security guidance recommends pinning to a commit SHA or at least a versioned tag to guarantee immutability.
Suggestion
Replace anthropics/claude-code-action@beta with a specific version or SHA, e.g.:
uses: anthropics/claude-code-action@<commit-sha>Reply with "@CharlieHelps yes please" if you'd like me to add a commit with this suggestion.
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code documentation.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!