
Conversation

@ghostwriternr
Member

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:

    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@changeset-bot

changeset-bot bot commented Oct 22, 2025

⚠️ No Changeset found

Latest commit: b947285

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@ghostwriternr ghostwriternr merged commit 104f455 into main Oct 22, 2025
6 checks passed
@ghostwriternr ghostwriternr deleted the add-claude-github-actions-1761153605248 branch October 22, 2025 17:20
@claude
Contributor

claude bot commented Oct 22, 2025

Code Review - Claude Code GitHub Integration

Thank you for adding Claude Code integration! I have reviewed both workflow files.

Critical Issues That Must Be Fixed

1. Missing Write Permissions

Both workflows are missing required permissions to post comments:

.github/workflows/claude-code-review.yml:26 needs:

  • pull-requests: write (to post review comments)

.github/workflows/claude.yml:26 needs:

  • pull-requests: write (to comment on PRs)
  • issues: write (to comment on issues)

Without these permissions, Claude cannot respond to users or post reviews.

2. Security - Fork Vulnerability

The claude-code-review.yml runs on ALL PRs including forks, which could execute malicious code with your API key. Add this condition to the job:

    if: github.event.pull_request.head.repo.full_name == github.repository

3. Rate Limiting

No concurrency controls - multiple @claude mentions could trigger parallel runs consuming API credits. Add to both workflows:

    concurrency:
      group: ${{ github.workflow }}-${{ github.event.issue.number || github.event.pull_request.number }}
      cancel-in-progress: true

Recommendations

Tool Access: Consider expanding allowed_tools to include npm run test, npm run lint, npm run build for more thorough reviews

Documentation: Create .github/CLAUDE.md with repo-specific conventions and testing requirements

Cost Control: Consider triggering reviews only on specific labels or trusted authors

Testing: Validate in a test repository before merging to production

Fetch Depth: fetch-depth: 1 is fine for most PRs but consider fetch-depth: 0 for complex reviews needing full history

Positive Aspects

✅ Good use of GitHub secrets for API keys
✅ Minimal permissions model with explicit grants
✅ Clear workflow separation (automated review vs interactive)
✅ Proper checkout practices with actions/checkout@v4
✅ Thoughtful commented-out options for customization

Summary

This is a solid implementation with good security awareness. The main blockers are the missing write permissions and fork protection. Once those are addressed, this will be ready to merge.

The workflows follow GitHub Actions best practices and the PR description provides excellent documentation for users.
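A hardened version of the automated-review workflow that applies the review's fixes for claude-code-review.yml (explicit write permission, fork guard, concurrency group), added here as an illustration and not the workflow merged in this PR. The action reference `anthropics/claude-code-action@beta`, its `anthropic_api_key` input and the `ANTHROPIC_API_KEY` secret name are assumptions; `allowed_tools`, `fetch-depth` and the `if:` expression come from the thread above.

```yaml
name: Claude Code Review

on:
  pull_request:
    types: [opened, synchronize]

# Least privilege: read the checkout, write only what is needed to post the review.
permissions:
  contents: read
  pull-requests: write

# One active run per PR; a new push cancels the review of the superseded commit
# instead of spending API credits on both.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  review:
    # Fork guard from the review: only run when the head branch lives in this
    # repository, so untrusted fork code never executes alongside the API key.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history for reviews that need more than the diff

      # Action ref, input name and secret name are assumptions (see lead-in).
      - uses: anthropics/claude-code-action@beta
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # Keep the tool allow-list to the repo's own scripts, as the PR text suggests.
          allowed_tools: Bash(npm run lint),Bash(npm run test)
```

For a plain `pull_request` trigger GitHub already withholds repository secrets from runs originating in forks, so the guard is defence in depth there; it becomes essential if the trigger is ever changed to `pull_request_target`, which does expose secrets to fork-originated events.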
