
Add Claude Code GitHub Workflow#11

Closed
tomasmach wants to merge 2 commits into main from add-claude-github-actions-1767649524334

Conversation

@tomasmach
Owner

@tomasmach tomasmach commented Jan 5, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • Chores
    • Enabled automated code review workflows for pull requests and comments.


@coderabbitai
Contributor

coderabbitai bot commented Jan 5, 2026

📝 Walkthrough

Walkthrough

Two new GitHub Actions workflows are introduced to automate code reviews using Claude. One triggers automatically on pull request opens and synchronizations, while the other enables on-demand reviews through @claude mentions in comments and reviews. Both workflows invoke the Claude Code Review action with configured OAuth tokens and customized prompts.

Changes

Cohort / File(s): GitHub Actions Workflows for Claude Code Review
  .github/workflows/claude-code-review.yml, .github/workflows/claude.yml
Summary: Two new workflows added: (1) claude-code-review.yml, automatic reviews on PR open/sync events using the Claude action with focus on code quality, bugs, performance, security, and tests; (2) claude.yml, on-demand reviews triggered by @claude mentions in issue/PR comments and reviews, with conditional execution and configurable prompts. Both require OAuth token configuration and reference CLAUDE.md for style guidance.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop, hop! Code reviews now bloom,
When PRs land or comments loom,
Claude hops in with careful eyes,
Finding bugs to our surprise,
Quality and speed combine! ✨

Pre-merge checks

✅ Passed checks (3 passed)
Description Check (Passed): Check skipped, CodeRabbit's high-level summary is enabled.
Title check (Passed): The title 'Add Claude Code GitHub Workflow' clearly and concisely summarizes the main change: adding GitHub Actions workflows to integrate Claude Code, which is accurate based on the two new workflow files added.
Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

Fix all issues with AI Agents 🤖
In @.github/workflows/claude-code-review.yml:
- Around line 22-26: The workflow's permissions block only grants read access
and will prevent Claude from posting PR comments or creating branches/commits;
update the permissions map to set pull-requests: write and contents: write
(replace or add to the existing permissions entries shown, keeping id-token:
write and issues: read), so the gh pr comment call (referenced around line
invoking "gh pr comment") can succeed and Claude can create branches/commits as
required.
- Line 38: Add the missing repository secret CLAUDE_CODE_OAUTH_TOKEN (used by
claude-code-review.yml and claude.yml) via Settings → Secrets and variables →
Actions in GitHub so the workflow variable claude_code_oauth_token (${ {
secrets.CLAUDE_CODE_OAUTH_TOKEN } }) resolves at runtime; after creating the
secret, re-run the affected workflows to confirm they complete successfully.

In @.github/workflows/claude.yml:
- Around line 21-26: The workflow currently grants only read permissions; update
the permissions map so Claude can create comments, branches, and commits by
changing the values for contents, pull-requests, and issues from read to write
(i.e., set "contents: write", "pull-requests: write", "issues: write"); keep
"id-token: write" as-is and leave "actions: read" unless you intentionally need
additional actions permissions.
🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)

40-41: Remove redundant additional_permissions setting.

The additional_permissions field at lines 40-41 grants actions: read, but this permission is already declared in the permissions block at line 26. The redundant declaration has no effect and can be removed for clarity.

🔎 Proposed refactor to remove redundancy
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
-          # This is an optional setting that allows Claude to read CI results on PRs
-          additional_permissions: |
-            actions: read
-
           # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
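Review bot: the premise that this input duplicates the job-level `actions: read` should be checked against the action's own documentation before the lines are dropped. The `permissions:` block at line 26 scopes the job's GITHUB_TOKEN, while `additional_permissions:` is an input handed to anthropics/claude-code-action under `with:`, and the two comments say the same thing about different knobs ("allows Claude to read CI results on PRs" here, "Required for Claude to read CI results on PRs" at line 26). If the action does not obtain CI results through the job token alone, this removal loses that capability instead of only tidying the file; confirm which one the action actually consumes, and keep the other comment accurate once one of them goes.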
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f8d204b and 8e7483b.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml
🔇 Additional comments (3)
.github/workflows/claude-code-review.yml (1)

56-56: Consider adding write-capable tools to claude_args.

The allowed tools are limited to read-only gh commands (view, list, search, diff). Based on the instruction at line 52 to "Use gh pr comment", you should verify that Bash(gh pr comment:*) is included—which it is. However, if Claude needs to perform other write operations mentioned in the PR objectives (creating branches, commits), consider expanding the allowed tools accordingly.

.github/workflows/claude.yml (2)

15-19: Verify the conditional logic covers all intended trigger scenarios.

The condition checks for @claude mentions across multiple event types. Ensure this covers all the scenarios where you want Claude to respond. Note that line 19 checks both github.event.issue.body and github.event.issue.title for new/assigned issues, which is comprehensive.

However, verify whether you want Claude to respond to all newly opened issues or only those that explicitly mention @claude.


37-37: Ensure CLAUDE_CODE_OAUTH_TOKEN secret is configured in repository settings before merging.

The workflow requires this secret to authenticate with the Anthropic Claude Code Action, otherwise the workflow will fail at runtime. This secret is not documented in the repository—add setup instructions to SECURITY_CHECKLIST.md or README.md to guide future maintainers on generating and configuring this OAuth token.

Comment on lines +22 to +26

permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write

Contributor
⚠️ Potential issue | 🔴 Critical

Critical: Missing write permissions for PR comments.

The workflow grants only pull-requests: read permission, but line 52 instructs Claude to use gh pr comment to post review feedback on the PR. This will fail at runtime because commenting requires write access.

Additionally, per the PR objectives, Claude should be able to "create comments, branches, and commits." To support these capabilities, the workflow needs:

  • pull-requests: write - to create PR comments
  • contents: write - to create branches, commits, and write files
🔎 Proposed fix to grant necessary write permissions
     permissions:
       contents: read
-      pull-requests: read
+      pull-requests: write
       issues: read
       id-token: write
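Review bot: widening only `pull-requests` to write is the right minimal change for the `gh pr comment` instruction on line 52, and `contents` should stay at read in this hunk. The allowed-tool list discussed for line 56 contains only read-only gh subcommands plus `gh pr comment`, so nothing this job can run would exercise a write scope on contents. Keeping contents at read also bounds what an instruction embedded in the PR's files, diffs or earlier comments, all of which the PR description says Claude receives in full, could turn into a repository change.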

If Claude needs to create branches and commits (as stated in PR objectives), also add:

     permissions:
-      contents: read
+      contents: write
       pull-requests: write
       issues: read
       id-token: write
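Review bot: this second hunk should not be applied alongside the first unless a tool that actually pushes is added at the same time. Nothing in the allowed tools at line 56 creates branches or commits, and this workflow runs on every PR open and synchronize, where the prompt is built from content written by whoever opened the PR. If branch creation is wanted later, grant `contents: write` in that change together with its consumer, so the permission and the tool that needs it are reviewed as one unit.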
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change (before):
permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write

Suggested change (after):
permissions:
  contents: write
  pull-requests: write
  issues: read
  id-token: write
🤖 Prompt for AI Agents
In @.github/workflows/claude-code-review.yml around lines 22-26, The workflow's
permissions block only grants read access and will prevent Claude from posting
PR comments or creating branches/commits; update the permissions map to set
pull-requests: write and contents: write (replace or add to the existing
permissions entries shown, keeping id-token: write and issues: read), so the gh
pr comment call (referenced around line invoking "gh pr comment") can succeed
and Claude can create branches/commits as required.

Comment on line +38

        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Contributor
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check the content of the workflow file to understand context
cat -n .github/workflows/claude-code-review.yml

Repository: tomasmach/QuietPage

Length of output: 2413


🏁 Script executed:

# Search for documentation about secrets or setup in the repository
fd -t f -e md -e txt | xargs grep -l -i "secret\|CLAUDE_CODE_OAUTH" 2>/dev/null | head -20

Repository: tomasmach/QuietPage

Length of output: 99


🏁 Script executed:

# Check if there are other workflow files that might reference this secret
fd -t f -path ".github/workflows/*" -name "*.yml" -o -name "*.yaml"

Repository: tomasmach/QuietPage

Length of output: 231


🏁 Script executed:

# List files in .github/workflows directory
ls -la .github/workflows/

Repository: tomasmach/QuietPage

Length of output: 305


🏁 Script executed:

# Read README.md to check for setup instructions
cat README.md

Repository: tomasmach/QuietPage

Length of output: 3995


🏁 Script executed:

# Read SECURITY_CHECKLIST.md for setup guidance
cat docs/SECURITY_CHECKLIST.md

Repository: tomasmach/QuietPage

Length of output: 11153


🏁 Script executed:

cat -n .github/workflows/claude.yml

Repository: tomasmach/QuietPage

Length of output: 2298


The CLAUDE_CODE_OAUTH_TOKEN secret must be configured in repository settings before this PR can be merged.

Both workflows (claude-code-review.yml and claude.yml) depend on this secret. Without it, the GitHub Actions will fail at runtime. Add this secret via GitHub repository Settings > Secrets and variables > Actions, then re-run the workflows to verify they execute successfully.

🤖 Prompt for AI Agents
In @.github/workflows/claude-code-review.yml around line 38, Add the missing
repository secret CLAUDE_CODE_OAUTH_TOKEN (used by claude-code-review.yml and
claude.yml) via Settings → Secrets and variables → Actions in GitHub so the
workflow variable claude_code_oauth_token (${ { secrets.CLAUDE_CODE_OAUTH_TOKEN
} }) resolves at runtime; after creating the secret, re-run the affected
workflows to confirm they complete successfully.

Comment on lines +21 to +26

permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write
  actions: read # Required for Claude to read CI results on PRs

Contributor
⚠️ Potential issue | 🔴 Critical

Critical: Missing write permissions for Claude's intended capabilities.

According to the PR objectives, Claude should be able to "create comments, branches, and commits" and perform "bug fixes, documentation updates, new features." However, this workflow only grants read permissions.

To enable Claude's stated capabilities, you need:

  • pull-requests: write - to create PR comments and reviews
  • issues: write - to create issue comments
  • contents: write - to create branches, commits, and write files

Without these permissions, Claude will fail when attempting any write operations.

🔎 Proposed fix to grant necessary write permissions
     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
+      contents: write
+      pull-requests: write
+      issues: write
       id-token: write
       actions: read # Required for Claude to read CI results on PRs
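Review bot: three scopes move to write in one hunk, and each should be tied to the step that needs it: `issues: write` only if Claude posts issue comments, `contents: write` only if it pushes, `pull-requests: write` for PR comments and reviews. The trigger condition at lines 15-19 (see the comment on 15-19) fires on newly opened issues and on any comment containing @claude, so the PR description's statement that only users with write access can trigger the workflow should be verified against that `if:` expression before write scopes are granted; otherwise the issue or comment body that reaches the prompt can come from anyone able to open an issue. Adding a check on the event actor's permission level to the job condition would make that statement hold.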
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change (before):
permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write
  actions: read # Required for Claude to read CI results on PRs

Suggested change (after):
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write
  actions: read # Required for Claude to read CI results on PRs
🤖 Prompt for AI Agents
In @.github/workflows/claude.yml around lines 21-26, The workflow currently
grants only read permissions; update the permissions map so Claude can create
comments, branches, and commits by changing the values for contents,
pull-requests, and issues from read to write (i.e., set "contents: write",
"pull-requests: write", "issues: write"); keep "id-token: write" as-is and leave
"actions: read" unless you intentionally need additional actions permissions.
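The three permission comments above all turn on one question: which scopes the stated use actually needs, and which write scopes are granted without a consumer. The following is an added example for this thread, not code from the PR or from the claude-code-action project. It reads the `on:` and `permissions:` blocks of a workflow with a hand-rolled block-style YAML subset (so it runs without PyYAML), compares the granted scopes with the capabilities the maintainer intends, and lists triggers whose payload carries text authored outside the maintainer set. The capability-to-scope mapping, the event list and the two sample workflows are constructed assumptions that mirror the blocks quoted in this review; they are not the PR's files.

```python
"""Least-privilege audit for GitHub Actions `permissions:` blocks.

Added example for this review thread; not code from the PR or from the
claude-code-action project. Block-style YAML only (one `key: value` per line);
a real audit should use a YAML parser.
"""
from __future__ import annotations

# Scope each capability discussed in the thread needs. Assumed mapping for the
# example, taken from the review comments, not from GitHub documentation.
NEEDS: dict[str, dict[str, str]] = {
    "comment_on_pr": {"pull-requests": "write"},
    "comment_on_issue": {"issues": "write"},
    "push_commits": {"contents": "write"},
    "oidc_token": {"id-token": "write"},
}

# Events whose payload contains text written by whoever opened the PR/issue or
# posted the comment, i.e. prompt input maintainers did not write. Assumed list.
EXTERNAL_INPUT_EVENTS = {
    "pull_request", "pull_request_target", "issue_comment", "issues",
    "pull_request_review", "pull_request_review_comment",
}


def _block(text: str, key: str) -> list[str]:
    """Lines nested under the first `key:` line (any depth), comments stripped."""
    lines = [raw.split("#", 1)[0].rstrip() for raw in text.splitlines()]
    out: list[str] = []
    key_indent = None
    for line in lines:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if key_indent is None:
            if line.strip() == f"{key}:":
                key_indent = indent
            continue
        if indent <= key_indent:
            break
        out.append(line)
    return out


def parse_permissions(text: str) -> dict[str, str]:
    """Map scope -> level from the first `permissions:` block."""
    perms: dict[str, str] = {}
    for line in _block(text, "permissions"):
        scope, _, level = line.strip().partition(":")
        perms[scope.strip()] = level.strip()
    return perms


def parse_triggers(text: str) -> set[str]:
    """Event names directly under `on:` (block style only)."""
    block = _block(text, "on")
    if not block:
        return set()
    base = min(len(l) - len(l.lstrip()) for l in block)
    return {l.strip().partition(":")[0] for l in block
            if len(l) - len(l.lstrip()) == base}


def audit(workflow: str, capabilities: set[str]) -> dict:
    """Compare granted scopes with the scopes the intended capabilities need."""
    perms = parse_permissions(workflow)
    required: dict[str, str] = {}
    for cap in capabilities:
        required.update(NEEDS[cap])
    return {
        # needed by an intended capability but not granted at that level
        "missing": {s: lvl for s, lvl in required.items() if perms.get(s) != lvl},
        # write scopes granted that no intended capability asks for
        "excess_write": {s: lvl for s, lvl in perms.items()
                         if lvl == "write" and s not in required},
        # triggers that hand the agent text authored outside the maintainer set
        "external_input_triggers": sorted(parse_triggers(workflow) & EXTERNAL_INPUT_EVENTS),
    }


# Constructed sample mirroring the permissions block quoted in this review
# (job-level, as in the PR's files); not the PR's actual workflow.
ORIGINAL = """\
name: Claude Code Review
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  claude-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
"""

# The reviewer's second suggestion: contents and pull-requests both widened.
WIDENED = (ORIGINAL.replace("contents: read", "contents: write")
                   .replace("pull-requests: read", "pull-requests: write"))

if __name__ == "__main__":
    wanted = {"comment_on_pr", "oidc_token"}   # the auto-review job only comments
    for name, wf in (("original", ORIGINAL), ("widened", WIDENED)):
        print(name, audit(wf, wanted))
```

Run against the original block the audit reports `pull-requests: write` as missing for a job that only comments; run against the widened block it reports `contents: write` as a write scope with no intended consumer, which is the least-privilege point the second hunk raises. Both runs list `pull_request` as a trigger whose payload is authored by the PR's opener, the combination that makes an unused write scope worth removing.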

@tomasmach tomasmach closed this Jan 18, 2026
@tomasmach tomasmach deleted the add-claude-github-actions-1767649524334 branch January 18, 2026 17:15