Skip to content

Add Claude Code GitHub Workflow#48

Merged
jeastham1993 merged 2 commits into
mainfrom
add-claude-github-actions-1752135870703
Jul 10, 2025
Merged

Add Claude Code GitHub Workflow#48
jeastham1993 merged 2 commits into
mainfrom
add-claude-github-actions-1752135870703

Conversation

@jeastham1993

Copy link
Copy Markdown
Collaborator

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jul 10, 2025

Copy link
Copy Markdown

✅ Code Quality    ⚠️ Code Vulnerabilities    ✅ Libraries

⚠️ Warnings

🛡️ 6 Code vulnerabilities detected

High: github-actions/unpinned-actions Workflow depends on unpinned GitHub Actions View rule
.github/workflows/claude-code-review.yml:36
High: github-actions/permissions Unspecified workflows level permissions View rule
.github/workflows/claude.yml:1
High: github-actions/unpinned-actions Workflow depends on unpinned GitHub Actions View rule
.github/workflows/claude.yml:35
View all

ℹ️ Info

🛠️ No new code quality issues
📚 No new vulnerable libraries detected

This comment will be updated automatically if new data arrives.

🔗 Commit SHA: 25df629 | Was this helpful? Give us feedback!

@jeastham1993 jeastham1993 merged commit 7444d1e into main Jul 10, 2025
5 of 6 checks passed
@jeastham1993 jeastham1993 deleted the add-claude-github-actions-1752135870703 branch July 10, 2025 08:24

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@beta

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

View in Datadog  Leave us feedback  Documentation

@@ -0,0 +1,64 @@
name: Claude Code

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

No explicit permissions set for at the workflow level (...read more)

Default permissions for the GITHUB_TOKEN are expected to be restricted (contents:read, metadata:read, and packages:read).

Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.

You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.

View in Datadog  Leave us feedback  Documentation


- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@beta

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

View in Datadog  Leave us feedback  Documentation

types: [created]
pull_request_review_comment:
types: [created]
issues:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

Dangerous GitHub actions trigger (...read more)

Workflows triggered by the pull_request_target trigger can read secrets and edit code in the repository that the PR is targeting. This is a dangerous trigger that must be used with caution. For security reasons, GitHub runs these workflows using the code from the base branch, rather than the code from the PR.

If you use this trigger you must not checkout the code of the PR, otherwise anyone can simply write malicious code and get it to run in a context that has access to your secrets, in addition to write access to the repository.

This type of attack is sometimes referred to as “pwn request”.

Note that if you use the "workflow_call" trigger, your workflow is callable by other workflows, so possibly by a workflow using the pull_request_target trigger.

Learn More

View in Datadog  Leave us feedback  Documentation

name: Claude Code

on:
issue_comment:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

Dangerous GitHub actions trigger (...read more)

Workflows triggered by the pull_request_target trigger can read secrets and edit code in the repository that the PR is targeting. This is a dangerous trigger that must be used with caution. For security reasons, GitHub runs these workflows using the code from the base branch, rather than the code from the PR.

If you use this trigger you must not checkout the code of the PR, otherwise anyone can simply write malicious code and get it to run in a context that has access to your secrets, in addition to write access to the repository.

This type of attack is sometimes referred to as “pwn request”.

Note that if you use the "workflow_call" trigger, your workflow is callable by other workflows, so possibly by a workflow using the pull_request_target trigger.

Learn More

View in Datadog  Leave us feedback  Documentation

@@ -0,0 +1,78 @@
name: Claude Code Review

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

No explicit permissions set for at the workflow level (...read more)

Default permissions for the GITHUB_TOKEN are expected to be restricted (contents:read, metadata:read, and packages:read).

Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.

You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.

View in Datadog  Leave us feedback  Documentation

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant