Add Claude Code GitHub Workflow #1
Pull request overview
Adds GitHub Actions workflows to integrate Claude Code into the repository for interactive assistance and automated PR reviews.
Changes:
- Adds an @claude-triggered workflow for issue/PR comment and review events.
- Adds a PR-triggered workflow intended to run a Claude-based code review plugin on pull requests.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/claude.yml | Introduces an @claude mention-triggered workflow that runs the Claude Code action on comments/reviews/issues. |
| .github/workflows/claude-code-review.yml | Introduces an automatic PR workflow to run a Claude Code Review plugin on PR lifecycle events. |
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
Copilot
AI
Jan 30, 2026
The workflow can be triggered by any commenter who includes "@claude" (issue comments, PR review comments, PR reviews) and by anyone opening an issue with "@claude" in the title/body. This contradicts the PR description’s claim that only users with write access can trigger the workflow and is a security risk because it allows untrusted users to run the action (and potentially access repository context/secrets). Add an author trust check to the if: condition (e.g., restrict to OWNER/MEMBER/COLLABORATOR or a maintained allowlist) for each event type you support.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| (github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) | |
| ) || | |
| (github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) | |
| ) || | |
| (github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association) | |
| ) || | |
| (github.event_name == 'issues' && | |
| (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association) | |
| ) |
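A small audit of the two conditions shown in this comment, added here as an example and not part of the pull request or of Copilot's review: it splits an `if:` expression into per-event clauses and reports every event whose mention check has no `author_association` check on the same payload object. The function name `untrusted_triggers` and the `MISMATCHED_IF` sample are constructed for illustration.

```python
import re

CLAUSE_RE = re.compile(r"github\.event_name\s*==\s*'([a-z_]+)'")
MENTION_RE = re.compile(r"contains\(\s*github\.event\.(\w+)\.(?:body|title)\s*,")
TRUST_RE = re.compile(r"github\.event\.(\w+)\.author_association")

# Original condition, as shown in the diff in this thread.
ORIGINAL_IF = """
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
"""

# Suggested replacement from the thread, with whitespace condensed.
HARDENED_IF = """
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') && contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') && contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
"""

# Constructed copy-paste slip: the review clause checks the comment's association,
# which is not the object whose body was searched.
MISMATCHED_IF = """
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
"""


def untrusted_triggers(condition: str) -> list[str]:
    """Return event names whose mention clause lacks an author_association
    check on the same payload object (comment, review or issue)."""
    marks = list(CLAUSE_RE.finditer(condition))
    findings = []
    for i, mark in enumerate(marks):
        # A clause runs from one event_name comparison to the next.
        end = marks[i + 1].start() if i + 1 < len(marks) else len(condition)
        clause = condition[mark.start():end]
        mentioned = set(MENTION_RE.findall(clause))  # objects searched for the mention
        trusted = set(TRUST_RE.findall(clause))      # objects whose author is checked
        if mentioned - trusted:
            findings.append(mark.group(1))
    return findings


if __name__ == "__main__":
    for name in ("ORIGINAL_IF", "HARDENED_IF", "MISMATCHED_IF"):
        print(name, untrusted_triggers(globals()[name]))
```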
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write | ||
| actions: read # Required for Claude to read CI results on PRs |
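Review bot: id-token: write is the only write scope in this permissions block and, unlike the actions: read line below it, has no comment saying why it is needed. Add a comment naming the step that requests the OIDC token, or drop the scope, so the job does not carry a token-minting permission that nobody can account for.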
Copilot
AI
Jan 30, 2026
The job-level permissions are read-only for contents, pull-requests, and issues, but the PR description states Claude can create comments/branches/commits. With the current permissions, the workflow will not be able to post comments or push changes via GITHUB_TOKEN. Update the workflow permissions to match the intended capabilities (e.g., at least issues: write / pull-requests: write, and only add contents: write if you actually want Claude to be able to push commits).
| name: Claude Code | ||
|
|
||
| on: | ||
| issue_comment: | ||
| types: [created] |
Copilot
AI
Jan 30, 2026
Repository convention: other workflows start with a YAML document header and quote the on key (e.g., .github/workflows/ci.yml:1-5, .github/workflows/copilot-setup-steps.yml:1-6). To keep workflow files consistent (and avoid YAML tooling edge cases around on), consider adding --- and using "on": here as well.
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| # Optional: Only run on specific file changes |
Copilot
AI
Jan 30, 2026
This workflow runs on every PR open/sync/etc (no if: gating), which doesn’t match the PR description’s behavior of running only when someone mentions @claude in a comment. If the intent is “on-demand via mention”, add an if: filter (or change triggers) so you don’t run Claude on all PRs by default.
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | ||
| plugins: 'code-review@claude-code-plugins' | ||
| prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' |
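Review bot: the uses: anthropics/claude-code-action@v1 line pins the action to a movable tag, and plugin_marketplaces points at https://github.com/anthropics/claude-code.git with no ref, in the same step that receives secrets.CLAUDE_CODE_OAUTH_TOKEN. Pin the action to a full commit SHA with the version in a trailing comment, and pin the plugin source to a fixed ref if the action supports that, so the code that can reach the token only changes through a reviewed update.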
Copilot
AI
Jan 30, 2026
This workflow uses secrets.CLAUDE_CODE_OAUTH_TOKEN on the pull_request event. For PRs from forks, GitHub does not provide repository secrets, so this job will fail noisily on external contributions. Add an if: guard to skip forks (e.g., only run when github.event.pull_request.head.repo.full_name == github.repository) or otherwise handle the missing secret case explicitly.
| name: Claude Code Review | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| # Optional: Only run on specific file changes |
Copilot
AI
Jan 30, 2026
Repository convention: other workflows include a YAML document header and quote the on key (e.g., .github/workflows/ci.yml:1-5, .github/workflows/copilot-setup-steps.yml:1-6). Consider adding --- and using "on": here for consistency with the rest of the repo’s workflows.
@copilot open a new pull request to apply changes based on the comments in this thread
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!