
@simonas-notcat (Member)

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:

    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@simonas-notcat simonas-notcat merged commit 8b0fab0 into main Dec 10, 2025
@claude (claude bot) commented Dec 10, 2025

PR Review: Claude Code GitHub Workflow Integration

Thank you for adding Claude Code integration! I've reviewed the two workflow files and have feedback organized by category:

Strengths

  1. Good Security Posture: Both workflows properly use CLAUDE_CODE_OAUTH_TOKEN as a secret and have appropriate permission scopes
  2. Clear Documentation: The PR description provides excellent context about what Claude Code is and how it works
  3. Conditional Execution: Smart use of if conditions to only run when @claude is mentioned
  4. Comprehensive Triggers: Good coverage of different event types (issue comments, PR reviews, etc.)

🔍 Code Quality & Best Practices

.github/workflows/claude.yml (Main workflow)

Good:

  • Clean conditional logic for detecting @claude mentions across different event types
  • Proper use of fetch-depth: 1 for shallow clones (appropriate for this use case)
  • Helpful comments about optional settings

Suggestions:

  1. Line 40-41: The additional_permissions field seems redundant since you already declare actions: read in the top-level permissions block (line 26). Consider removing this:

    # Remove these lines (redundant with permissions block)
    additional_permissions: |
      actions: read
  2. Commented Code: The commented-out prompt and claude_args examples are helpful, but consider adding brief explanations about when to use them.

.github/workflows/claude-code-review.yml (Auto-review workflow)

Concerns:

  1. 🚨 High-Impact Issue - Unfiltered Automatic Reviews: This workflow runs automatically on every PR open/sync event without any filters. This could create significant noise and costs:

    • Claude will review every PR, including dependency updates, automated PRs, and trivial changes
    • Could overwhelm developers with automated reviews
    • May incur unnecessary API costs

    Recommendation: Add one or more filters:

    # Option 1: Only review PRs from specific users
    if: |
      github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' ||
      github.event.pull_request.user.login == 'external-contributor'
    
    # Option 2: Require a label
    if: contains(github.event.pull_request.labels.*.name, 'needs-review')
    
    # Option 3: Only review specific file paths
    paths:
      - "src/**/*.ts"
      - "src/**/*.tsx"
  2. Missing Write Permissions: The workflow needs additional permissions to post comments. Current permissions include pull-requests: read, but posting comments requires pull-requests: write:

    permissions:
      contents: read
      pull-requests: write  # Changed from 'read'
      issues: read
      id-token: write
  3. Hardcoded Repository Name: Line 39 uses ${{ github.repository }} which is fine, but the prompt could be more flexible. The current prompt instructs Claude to use gh pr comment, which is good.

  4. Shallow Fetch Limitation: Using fetch-depth: 1 means Claude won't have access to the full PR context or git history. For code reviews, consider fetch-depth: 0 or at least fetching the base branch:

    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        fetch-depth: 0  # Full history for better context
        # Or fetch PR head + base:
        ref: ${{ github.event.pull_request.head.sha }}
  5. Commented Code Clutter: Lines 6-11 and 14-18 contain extensive commented-out code. Since this is a new file, consider:

    • Moving these to documentation
    • Or keeping only 1-2 examples as inline comments
    • The current amount makes the file harder to scan

🐛 Potential Bugs

  1. Permission Mismatch (.github/workflows/claude-code-review.yml): As mentioned above, pull-requests: read is insufficient for posting PR comments. This will cause the workflow to fail when Claude tries to use gh pr comment.

  2. Race Conditions: If a PR is synchronized multiple times quickly, multiple Claude reviews could run simultaneously and potentially post conflicting comments. Consider using a concurrency group:

    concurrency:
      group: claude-review-${{ github.event.pull_request.number }}
      cancel-in-progress: true

Performance Considerations

  1. Redundant Checkout (.github/workflows/claude.yml): For issue comments (non-PR contexts), checking out the repository may be unnecessary if Claude is only responding to questions. Consider making the checkout conditional:

    - name: Checkout repository
      if: github.event_name != 'issue_comment' || github.event.issue.pull_request
      uses: actions/checkout@v4
  2. API Rate Limits: Running automatic reviews on every PR could hit GitHub API rate limits on active repositories. Monitor usage after deployment.

🔒 Security Concerns

  1. Token Security: ✅ Good - Using secrets for CLAUDE_CODE_OAUTH_TOKEN

  2. Limited Tool Access: ✅ Good - The allowed tools in claude-code-review.yml are appropriately restricted to read-only gh commands

  3. No Write Access Control (.github/workflows/claude.yml): The workflow doesn't restrict who can trigger it. Since the if condition only checks for @claude mentions, anyone who can comment on issues/PRs can trigger it. Consider adding:

    if: |
      (github.actor != 'dependabot[bot]' && 
       (github.event.comment.author_association == 'MEMBER' || 
        github.event.comment.author_association == 'OWNER' ||
        github.event.comment.author_association == 'COLLABORATOR')) &&
      (contains(github.event.comment.body, '@claude'))
  4. Commented Allowed Tools: Line 48 in claude.yml has a commented example that shows Bash(gh pr:*). If uncommented without full understanding, this could grant broader permissions than intended.

🧪 Test Coverage

Missing Tests: These workflow files cannot be directly unit tested, but consider:

  1. Documentation Tests: Add a section to the README or docs explaining:

    • How to test the Claude integration manually
    • Expected behavior for different scenarios
    • Troubleshooting common issues
  2. Validation: Before merging, ensure CLAUDE_CODE_OAUTH_TOKEN is actually set in repository secrets

  3. Dry Run: After merging, test with a non-critical PR to verify both workflows function correctly

📝 Recommendations Summary

Must Fix Before Merge:

  1. ✅ Change pull-requests: read to pull-requests: write in claude-code-review.yml
  2. ⚠️ Add filtering to claude-code-review.yml to prevent running on every PR (use labels, paths, or author filters)

Strongly Recommended:

  3. Add concurrency control to prevent duplicate reviews
  4. Add access control to claude.yml to restrict who can trigger Claude
  5. Increase fetch depth in code review workflow for better context

Nice to Have:

  6. Clean up commented code or move to documentation
  7. Remove redundant additional_permissions in claude.yml
  8. Make checkout conditional in claude.yml for issue-only contexts

📚 Additional Context

Per the repository's CLAUDE.md conventions, the workflows look well-structured and follow GitHub Actions best practices. The main concerns are around operational costs/noise from automatic reviews and the missing write permission for PR comments.

Let me know if you'd like help implementing any of these suggestions!
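The following is an added example, not the workflow file from this PR or from the claude-code-action project. It assembles the recommendations made in the review above (a trigger gate on the commenter's author_association rather than on the mention text alone, a per-PR concurrency group, pull-requests: write so gh pr comment can succeed, a checkout that is skipped for plain issue comments, and an explicit allowed_tools allow-list of the kind the PR description shows) into one least-privilege workflow. The action reference anthropics/claude-code-action@v1 and the input names claude_code_oauth_token and allowed_tools are assumptions about the action's interface taken from the PR text, not verified against this repository's files.

```yaml
name: Claude Code (hardened example)

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

# Deny-by-default at the workflow level; the job grants only what it uses.
permissions: {}

# One Claude run per issue/PR at a time; a newer trigger cancels the one in flight.
# issue_comment events carry github.event.issue, review-comment events carry
# github.event.pull_request, so take whichever number is present.
concurrency:
  group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  claude:
    # Gate on who commented, not only on whether '@claude' appears in the body:
    # anyone able to comment can write '@claude', only trusted roles should
    # be able to start a run that has write access to the repository.
    if: |
      contains(github.event.comment.body, '@claude') &&
      github.actor != 'dependabot[bot]' &&
      (github.event.comment.author_association == 'OWNER' ||
       github.event.comment.author_association == 'MEMBER' ||
       github.event.comment.author_association == 'COLLABORATOR')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # required for `gh pr comment`
      issues: write          # required for commenting on plain issues
      id-token: write
    steps:
      - name: Checkout repository
        # Plain issue comments (not attached to a PR) need no working tree.
        if: github.event_name != 'issue_comment' || github.event.issue.pull_request
        uses: actions/checkout@v4
        with:
          fetch-depth: 0     # full history so a review can diff against the base branch

      - name: Run Claude Code
        uses: anthropics/claude-code-action@v1   # assumption: action name and major version
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Explicit allow-list; a broad pattern such as Bash(gh pr:*) would widen
          # what a triggered run can do, so list the exact commands instead.
          allowed_tools: "Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)"
```

When adapting this, check the action's documentation for the current input names, since the review notes that claude_args is also in use, and confirm the author_association values you accept: CONTRIBUTOR and FIRST_TIME_CONTRIBUTOR are granted to anyone with a merged PR or an open one, so they are not a substitute for repository write access.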
