Conversation

@PrzemyslawKlys
Member

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Copilot AI review requested due to automatic review settings December 14, 2025 19:09
@PrzemyslawKlys PrzemyslawKlys merged commit 1441652 into master Dec 14, 2025
1 of 2 checks passed
@PrzemyslawKlys PrzemyslawKlys deleted the add-claude-github-actions-1765739362163 branch December 14, 2025 19:09
@claude

claude bot commented Dec 14, 2025

Code Review - PR #515: Add Claude Code GitHub Workflow

Thank you for this contribution! I've reviewed the PR and have the following feedback:

✅ Positives

  1. Well-structured workflows: Both workflow files follow GitHub Actions best practices with clear job names and proper permissions
  2. Good documentation: The PR description thoroughly explains what Claude Code is and how it works
  3. Security-conscious: Properly uses secrets for the OAuth token and includes appropriate permission scopes
  4. Flexible configuration: The commented-out sections in claude-code-review.yml provide good examples for future customization

📋 Code Quality & Best Practices

claude-code-review.yml:

  • ✅ Uses actions/checkout@v4 (latest stable version)
  • ✅ Proper permissions defined (contents: read, pull-requests: read, etc.)
  • ✅ fetch-depth: 1 for performance optimization
  • ✅ Clear, descriptive job and step names

claude.yml:

  • ✅ Comprehensive trigger conditions covering multiple event types
  • ✅ Proper conditional logic to filter for @claude mentions
  • ✅ Includes actions: read permission for CI result access
  • ✅ Clean structure with helpful comments

🐛 Potential Issues

  1. Missing workflow permissions (.github/workflows/claude-code-review.yml:26):

    • The workflow has pull-requests: read but may need pull-requests: write if Claude needs to comment on PRs
    • Consider adding pull-requests: write to the permissions block
  2. Security consideration (.github/workflows/claude.yml:14-18):

    • The conditional logic checks for @claude mentions but doesn't validate user permissions
    • Consider adding explicit permission check for author_association
  3. Consistency with existing workflows:

    • Your existing ci.yml uses fetch-depth: 0 for full history
    • The Claude workflows use fetch-depth: 1 for shallow clones
    • This is fine for Claude's use case, but worth noting the difference

🔒 Security Concerns

  1. Secret management: ✅ OAuth token properly stored as a GitHub secret
  2. Allowed tools: ✅ The claude-code-review.yml explicitly limits tools to safe gh commands
  3. Tool permissions: ⚠️ The claude.yml workflow doesn't specify allowed_tools, which means Claude gets access to default tools. Consider explicitly defining allowed tools here as well for consistency and security

⚡ Performance Considerations

  1. Workflow efficiency: Both workflows are well-optimized
  2. Fetch depth: Using fetch-depth: 1 is appropriate for Claude's needs
  3. Timeout: No timeout specified - consider adding timeout-minutes: 30 to prevent runaway workflows

🧪 Test Coverage

Missing test validation:

  • No tests exist for these workflows
  • Consider adding a test workflow or manual testing steps in the PR description
  • Recommendation: After merge, test with a simple @claude mention to verify it works

📝 Suggestions for Improvement

  1. Add workflow timeouts (timeout-minutes: 30)
  2. Add explicit tool allowlist to claude.yml for consistency
  3. Consider adding a concurrency group to prevent multiple Claude instances running simultaneously
  4. Add CODEOWNERS or branch protection to ensure the OAuth token secret is properly protected

🎯 Verdict

This is a solid implementation that follows GitHub Actions best practices. The main improvements would be around explicit security boundaries and workflow timeouts. The code is production-ready with minor enhancements recommended above.

Recommendation: ✅ Approve with optional improvements


Review generated by Claude Code


Copilot AI left a comment


Pull request overview

This PR adds two GitHub Actions workflows to enable Claude Code AI integration in the repository. The first workflow (claude.yml) allows users to mention @claude in PR or issue comments to trigger Claude actions. The second workflow (claude-code-review.yml) automatically runs Claude code reviews on all opened or synchronized pull requests.

Key Changes:

  • Added interactive Claude Code workflow triggered by @claude mentions in comments
  • Added automatic Claude Code Review workflow that runs on every PR
  • Both workflows use the anthropics/claude-code-action@v1 action with OAuth token authentication

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 10 comments.

File: .github/workflows/claude.yml
Description: Main workflow for interactive Claude mentions in comments, includes triggers for issue comments, PR review comments, and issue events

File: .github/workflows/claude-code-review.yml
Description: Automatic code review workflow that runs on PR open/sync events, configured with specific gh CLI tool permissions and review prompts


id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Copilot AI Dec 14, 2025


The PR description mentions that "Our Anthropic API key is securely stored" but the workflow uses 'claude_code_oauth_token' not an API key. This is a minor terminology inconsistency - the description should refer to "OAuth token" rather than "API key" to match the actual secret name being used.

Suggested change
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} # Our Anthropic OAuth token is securely stored

Comment on lines +14 to +19
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

Copilot AI Dec 14, 2025


The workflow will run automatically on every PR opened or updated, which could consume API quota quickly and add costs. Consider uncommenting and configuring the filters on lines 16-19 to limit when automatic reviews run (e.g., only for first-time contributors or specific authors), or add path filters on lines 6-11 to only review specific file types.

Comment on lines +34 to +56
- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
prompt: |
REPO: ${{ github.repository }}
PR NUMBER: ${{ github.event.pull_request.number }}
Please review this pull request and provide feedback on:
- Code quality and best practices
- Potential bugs or issues
- Performance considerations
- Security concerns
- Test coverage
Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
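Review bot: the prompt interpolates only `github.repository` and `github.event.pull_request.number`, both of which are set by GitHub rather than the PR author, and that is the right boundary to keep; do not extend it with `github.event.pull_request.title` or `.body`, because on a public repository those are written by whoever opened the PR and would land verbatim in the model's instructions while `Bash(gh pr comment:*)` is in the allowlist. Note also that every `Bash(gh ...:*)` pattern accepts any trailing arguments, so `gh pr comment` can still be pointed at another repository via `--repo`; if the token can reach other repositories, narrow those patterns.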

Copilot AI Dec 14, 2025


The workflow requires GITHUB_TOKEN to be passed to the gh CLI for commands like 'gh pr comment' to work. The claude_args specify Bash tools using gh commands, but there's no environment variable or configuration passing GITHUB_TOKEN to the Claude action. Add 'GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}' to the environment configuration for the action step.

(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
permissions:
contents: read
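Review bot: before widening `contents` to `write` here, note that the `issues` branch of the condition on the line above fires on any issue whose body or title contains `@claude`, and on a public repository anyone can open an issue; with a write-scoped token that untrusted text becomes the agent's working instructions. Keep `contents: read` until the condition also checks `github.event.issue.author_association` (and the comment and review branches check their own `author_association`), and even then keep the Bash tool allowlist explicit.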

Copilot AI Dec 14, 2025


The workflow has read-only permissions for contents but the PR description states that Claude can create branches and commits. To enable Claude to make changes to the repository (create branches, commits), the 'contents' permission should be set to 'write' instead of 'read'.

Suggested change
contents: read
contents: write

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read

Copilot AI Dec 14, 2025


The workflow should include 'pull-requests: write' permission to allow Claude to comment on the PR with its review. Currently it only has 'read' permission which would prevent Claude from posting review comments.

Suggested change
pull-requests: read
pull-requests: write

Comment on lines +16 to +19
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))

Copilot AI Dec 14, 2025


The workflow lacks a permission check to restrict execution to users with write access. The PR description states "Only users with write access to the repository can trigger the workflow" but there's no condition in the workflow to enforce this. Consider adding a condition to check github.event.comment.author_association or github.actor permissions to prevent unauthorized users from triggering Claude actions.

Suggested change
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
(
github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude') &&
(github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR')
) ||
(
github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
(github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR')
) ||
(
github.event_name == 'pull_request_review' &&
contains(github.event.review.body, '@claude') &&
(github.event.review.user.author_association == 'OWNER' ||
github.event.review.user.author_association == 'MEMBER' ||
github.event.review.user.author_association == 'COLLABORATOR')
) ||
(
github.event_name == 'issues' &&
(contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
(github.event.issue.user.author_association == 'OWNER' ||
github.event.issue.user.author_association == 'MEMBER' ||
github.event.issue.user.author_association == 'COLLABORATOR')
)
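Review bot: two of the four branches in this suggestion read fields that do not exist in the event payload. `github.event.review.user.author_association` and `github.event.issue.user.author_association` should be `github.event.review.author_association` and `github.event.issue.author_association`; `author_association` is a property of the review and issue objects, not of the nested `user` object. As written those two branches compare an empty value against `'OWNER'`/`'MEMBER'`/`'COLLABORATOR'`, never match, and silently disable `@claude` for review bodies and new issues while the workflow appears to work. The two comment branches (`github.event.comment.author_association`) are correct. Once the paths are fixed, `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), <field>)` collapses each three-way `||` into a single term and keeps the allowed set in one place.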

- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

Copilot AI Dec 14, 2025


The fetch-depth is set to 1 which only fetches the latest commit. For a code review workflow that needs to analyze PR diffs and changes, consider setting fetch-depth to 0 or at least 2 to ensure Claude has access to the base branch and PR changes for meaningful comparison.

Suggested change
fetch-depth: 1
fetch-depth: 0

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read

Copilot AI Dec 14, 2025


The workflow should include 'pull-requests: write' permission to allow Claude to comment on pull requests. Currently it only has 'read' permission which would prevent Claude from creating comments or interacting with PRs as intended.

Suggested change
pull-requests: read
pull-requests: write

permissions:
contents: read
pull-requests: read
issues: read

Copilot AI Dec 14, 2025


The workflow needs 'issues: write' permission to allow Claude to comment on issues. Currently it only has 'read' permission which would prevent Claude from creating comments on issues as intended.

Suggested change
issues: read
issues: write

- Security concerns
- Test coverage
Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.

Copilot AI Dec 14, 2025


The prompt references "the repository's CLAUDE.md" for guidance on style and conventions, but this file does not exist in the repository. Either create this file or update the prompt to reference existing documentation like readme.md.

Suggested change
Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
Use the repository's readme.md for guidance on style and conventions. Be constructive and helpful in your feedback.
