Add Claude Code GitHub Workflow #405

Merged
wshobson merged 2 commits into main from add-claude-github-actions-1767129589509
Dec 30, 2025

Conversation

@wshobson (Owner)

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@wshobson wshobson merged commit e343625 into main Dec 30, 2025
1 check passed

claude bot commented Dec 30, 2025

Code Review: Claude Code GitHub Workflow Integration

Thanks for adding Claude Code integration! Here's my review of the implementation:

Overall Assessment

Status: Good implementation with solid security practices. Some recommendations for follow-up improvements.


Strengths

Security-Conscious Permissions

  • Both workflows use minimal required permissions (read-only for most resources)
  • Proper use of id-token: write for OIDC authentication
  • Tool restrictions in claude-code-review.yml limit potential security risks

Well-Structured Workflows

  • Two complementary approaches: automatic reviews + on-demand assistance
  • Clear inline documentation and comments
  • Proper use of conditional logic to filter @claude mentions

Performance Optimizations

  • Uses fetch-depth: 1 for faster checkouts
  • Appropriate trigger filtering to avoid unnecessary runs

Community Governance

  • Excellent addition of CODE_OF_CONDUCT.md, CONTRIBUTING.md, and issue templates
  • Shows good project stewardship

Recommendations for Follow-up

1. Missing Documentation Reference

.github/workflows/claude-code-review.yml:26

Use the repository's CLAUDE.md for guidance on style and conventions.

The workflow references a CLAUDE.md file that doesn't exist in the repository. Consider adding this file with:

  • Code style guidelines
  • Architectural patterns
  • Review priorities specific to this project

2. Tool Restrictions Inconsistency

.github/workflows/claude.yml has no tool restrictions (the claude_args line is commented out), while claude-code-review.yml has explicit restrictions. For security consistency, consider adding similar restrictions to claude.yml:

claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'

Or expand allowed tools based on your trust level and use case.

3. Secret Setup Documentation

Add documentation (perhaps in README.md or a new SETUP.md) explaining how to:

  • Obtain the CLAUDE_CODE_OAUTH_TOKEN
  • Configure it as a GitHub Actions secret
  • Verify the integration is working

4. Cost Control Considerations

The claude-code-review.yml workflow runs on every PR open/synchronize event. Consider:

  • Adding path filters to only review code files (uncomment the paths section)
  • Limiting to specific branches
  • Adding manual approval requirements for external contributors

Example:

paths:
  - "src/**/*.ts"
  - "src/**/*.tsx"
  - "src/**/*.js"
  - "src/**/*.jsx"
  - "**/*.go"
  - "**/*.py"

5. Self-Trigger Prevention

Add logic to prevent Claude from triggering itself in a loop:

if: |
  github.actor != 'github-actions[bot]' &&
  ((github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || ...)

6. Error Handling

Neither workflow includes failure handling. Consider adding a final step:

- name: Notify on failure
  if: failure()
  run: |
    echo "Claude Code workflow failed"
    # Add Slack notification or similar

7. Deeper Git History

fetch-depth: 1 limits context for reviews. For more comprehensive analysis, consider increasing this for the review workflow:

fetch-depth: 10  # or 0 for full history

Security Review

No security vulnerabilities identified

  • Secrets are properly referenced via GitHub Actions secrets
  • No hardcoded credentials
  • Appropriate permission scoping
  • Read-only access to most resources

⚠️ Minor Security Consideration
The claude.yml workflow has unrestricted tool access (commented claude_args). While this provides flexibility, it increases the attack surface if the OAuth token is compromised. Recommend adding explicit tool restrictions.


Performance Considerations

Efficient Configuration

  • Shallow clones for fast checkouts
  • Proper event filtering
  • Conditional execution based on mentions

Test Coverage

ℹ️ No tests needed - These are workflow configurations, not code requiring unit tests. However, consider:

  • Testing the workflows manually with a test PR
  • Documenting expected behavior in CLAUDE.md
  • Creating a workflow_dispatch trigger for manual testing

Code Quality

Well-formatted YAML

  • Proper indentation
  • Clear naming conventions
  • Good use of comments

Action Items Summary

High Priority:

  1. Create CLAUDE.md with style guidelines
  2. Add setup documentation for the OAuth token
  3. Add tool restrictions to claude.yml

Medium Priority:

  4. Add path filters to reduce review workflow runs
  5. Implement self-trigger prevention
  6. Add error handling/notifications

Low Priority:

  7. Consider increasing fetch-depth for reviews
  8. Add workflow_dispatch for manual testing


Great work on implementing this integration! The foundation is solid, and these recommendations will help make it even more robust and maintainable. 🚀
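The PR description above explains the @claude mention trigger and the allowed_tools setting, and the review's items 2, 5, 6 and 8 each show one fragment of a hardened workflow. As an added example (not the repository's own claude.yml, which is not reproduced on this page, and not the bot's text), here is one complete workflow that puts those pieces together: the mention guard with self-trigger prevention, read-only permissions plus id-token: write, an explicit tool allow-list instead of the commented-out claude_args, a failure step, and a workflow_dispatch hook for manual testing. Assumptions: the action is referenced as anthropics/claude-code-action@v1 and accepts claude_code_oauth_token and claude_args inputs; the secret is named CLAUDE_CODE_OAUTH_TOKEN as in the review; the failure step is a placeholder for a real notification.

```yaml
# Added example, not this repository's workflow file.
# Assumed: action ref anthropics/claude-code-action@v1 with the inputs
# claude_code_oauth_token and claude_args; secret name CLAUDE_CODE_OAUTH_TOKEN.
name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  workflow_dispatch:        # manual testing hook (review item 8)

jobs:
  claude:
    # Run only on a human @claude mention. The actor check stops comments
    # posted by the workflow itself from re-triggering it (review item 5).
    # Note: contains() is case-insensitive, so "@Claude" also matches.
    if: |
      github.actor != 'github-actions[bot]' &&
      (
        github.event_name == 'workflow_dispatch' ||
        (github.event_name == 'issue_comment' &&
         contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review_comment' &&
         contains(github.event.comment.body, '@claude'))
      )
    runs-on: ubuntu-latest

    # Least privilege: read what the job needs, write nothing except the
    # OIDC token the action exchanges for its own scoped GitHub token.
    permissions:
      contents: read
      pull-requests: read
      issues: read
      actions: read
      id-token: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4   # pin to a full commit SHA in production
        with:
          fetch-depth: 1            # shallow; raise for deeper review context (item 7)

      - name: Run Claude Code
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Omitting claude_args leaves the action on its default tool set,
          # the "unrestricted" state the review flags. This allow-list keeps
          # Bash to read-mostly gh subcommands plus posting a PR comment.
          claude_args: >-
            --allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"

      - name: Notify on failure
        if: failure()
        run: |
          echo "::error::Claude Code workflow failed for ${{ github.event_name }} on ${{ github.repository }}"
          # Replace with a Slack/Teams webhook call; keep the webhook URL in a secret.
```

Two caveats a reviewer would raise on this file. Nothing in the if: expression checks who wrote the comment; any account that can comment can write "@claude", so the write-access restriction the PR description mentions has to be enforced by the action itself (or by an additional github.event.comment.author_association condition), not by the mention guard alone. And because the allow-list is the only thing separating the commented-out state from the restricted one, treat edits to claude_args in future PRs as security-relevant changes and review them accordingly.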

@wshobson wshobson deleted the add-claude-github-actions-1767129589509 branch February 7, 2026 01:29