Skip to content

Add Claude Code GitHub Workflow#118

Merged
michaelmcnees merged 3 commits into
mainfrom
add-claude-github-actions-1774582984725
Mar 27, 2026
Merged

Add Claude Code GitHub Workflow#118
michaelmcnees merged 3 commits into
mainfrom
add-claude-github-actions-1774582984725

Conversation

@michaelmcnees

@michaelmcnees michaelmcnees commented Mar 27, 2026

Copy link
Copy Markdown
Collaborator

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • New Features
    • Claude Code assistant integration via GitHub Actions — trigger by mentioning @claude in issue comments, PR review comments, issue/PR text, or review submissions.
    • Activation restricted to repository owners, members, or collaborators to prevent unintended use.
    • Requires a repository-admin provided OAuth token and grants repository read-level permissions when run.

@coderabbitai

coderabbitai Bot commented Mar 27, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow .github/workflows/claude.yml that triggers on issue comments, PR review comments, issues opened/assigned, and PR review submissions; conditionally runs when event text contains @claude and the actor is owner/member/collaborator; invokes the Claude Code Action with an OAuth token.

Changes

Cohort / File(s) Summary
GitHub Actions Workflow
​.github/workflows/claude.yml
New workflow Claude Code added. Triggers on issue_comment, pull_request_review_comment, issues (opened/assigned), and pull_request_review (submitted). Job claude runs only if event text contains @claude and actor matches repo owner or has OWNER/MEMBER/COLLABORATOR association. Runs on ubuntu-latest, checks out repo, and invokes anthropics/claude-code-action@094bd24d575e7b30ac1576024817bf1a97c81262 using secrets.CLAUDE_CODE_OAUTH_TOKEN with read permissions and id-token: write.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User as User (comment/review/issue)
  participant GitHub as GitHub Events
  participant Runner as Actions Runner
  participant Claude as Claude Code Action

  User->>GitHub: create comment / submit review / open issue
  GitHub->>Runner: trigger workflow with event payload
  Runner->>Runner: evaluate condition (contains "@claude" && author association)
  alt condition true
    Runner->>Claude: checkout repo, provide secrets & permissions, run action
    Claude->>Runner: process request and return output
    Runner->>GitHub: post comment/status
  else condition false
    Runner->>GitHub: workflow skipped / no-op
  end
Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I sniff the tag, I hop to see,
A whisper "@claude" calls to me,
I fetch the repo, secrets in paw,
I scurry, I build, then share what I saw,
Hooray — automation, neat and free! 🎉

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Add Claude Code GitHub Workflow' accurately and concisely describes the main change—adding a new GitHub Actions workflow file for Claude Code integration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch add-claude-github-actions-1774582984725

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude.yml:
- Line 26: Fix the YAML lint issues around the "actions: read # Required for
Claude to read CI results on PRs" entry by adding proper spacing after the
inline comment (ensure one space after the #) and remove any trailing empty line
at the end of the file; verify the inline comment follows YAMLLint rules and
that the file ends with a single newline (no extra blank line).
- Line 35: Replace the mutable ref "anthropics/claude-code-action@v1" in the
workflow step with an immutable pinned full commit SHA (e.g.,
"anthropics/claude-code-action@<full-commit-sha>") so the action cannot change
unexpectedly; locate the uses: anthropics/claude-code-action@v1 entry in the
workflow and update it to the specific commit SHA for the version you want to
lock to, then commit the updated workflow.
- Around line 15-19: The workflow currently triggers on any mention of '@claude'
without checking who made the mention; restrict triggers by adding actor checks
to the existing condition so only trusted actors can invoke the job. Update the
conditional branches that use github.event.comment.body,
github.event.review.body and github.event.issue.body/title to also verify the
caller (use github.actor and the commenter/reviewer/issue author fields such as
github.event.comment.user.login, github.event.review.user.login,
github.event.issue.user.login) against a trusted allowlist (for example a JSON
list stored in a secret like secrets.TRUSTED_ACTORS) or explicit checks for
owners/bots; ensure each OR clause becomes a conjunction that requires both the
mention and that the actor is in the trusted list (or equals repo owner/bot) so
untrusted users cannot trigger the workflow.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a51c86d9-6515-4908-94da-9e358166cc43

📥 Commits

Reviewing files that changed from the base of the PR and between 965916c and b39921a.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

Comment thread .github/workflows/claude.yml Outdated
Comment thread .github/workflows/claude.yml Outdated
Comment thread .github/workflows/claude.yml Outdated
- Pin anthropics/claude-code-action to immutable commit SHA (094bd24)
- Restrict triggers to repo owner, members, and collaborators via
  author_association checks on each event type
- Remove trailing blank line, clean up inline comments
- Remove unused optional comments for cleaner config

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/claude.yml (1)

33-33: ⚠️ Potential issue | 🟠 Major

Pin actions/checkout to an immutable commit SHA.

Line 33 uses actions/checkout@v4, which is a mutable version reference. Pinning to a full 40-character commit SHA improves supply-chain integrity and reproducibility.

🔐 Suggested change
-      - name: Checkout repository
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@<full-40-char-commit-sha> # v4
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml at line 33, The workflow is using the mutable
ref "uses: actions/checkout@v4"; replace that tag with the repository's
immutable 40-character commit SHA for actions/checkout so the workflow is pinned
(e.g., change "actions/checkout@v4" to "actions/checkout@<full-commit-sha>").
Locate the uses: actions/checkout@v4 entry in the workflow and update it to the
full commit SHA, commit the change, and verify the workflow runs successfully.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude.yml:
- Line 24: The claude job currently lacks a timeout and can run indefinitely;
under the job named "claude" (the block containing the runs-on: ubuntu-latest
line) add a timeout-minutes key at the same indentation level as runs-on (for
example timeout-minutes: 30 or another org-appropriate cap) to ensure the job is
automatically cancelled after the specified time and prevent runaway CI costs.

---

Duplicate comments:
In @.github/workflows/claude.yml:
- Line 33: The workflow is using the mutable ref "uses: actions/checkout@v4";
replace that tag with the repository's immutable 40-character commit SHA for
actions/checkout so the workflow is pinned (e.g., change "actions/checkout@v4"
to "actions/checkout@<full-commit-sha>"). Locate the uses: actions/checkout@v4
entry in the workflow and update it to the full commit SHA, commit the change,
and verify the workflow runs successfully.
🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 327813ba-7eb0-41f8-9ea8-f6dfe3bb52e9

📥 Commits

Reviewing files that changed from the base of the PR and between b39921a and b0417dd.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

Comment thread .github/workflows/claude.yml
@coderabbitai

coderabbitai Bot commented Mar 27, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

An unexpected error occurred while generating fixes: Resource not accessible by integration - https://docs.github.com/rest/git/trees#create-a-tree

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude.yml:
- Around line 33-36: Replace the uses entry currently referencing the symbolic
tag actions/checkout@v4 with a SHA-pinned ref for that exact release (e.g.,
actions/checkout@<full-commit-sha>) to harden the workflow; locate the checkout
step (the uses: "actions/checkout@v4" line) and update it to the corresponding
SHA from the actions/checkout v4 release on GitHub (keeping the same with:
fetch-depth: 1 settings), then verify the workflow runs successfully.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: acd30110-69d1-46e7-9496-a312a0293784

📥 Commits

Reviewing files that changed from the base of the PR and between b0417dd and c5aea28.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

Comment thread .github/workflows/claude.yml
@michaelmcnees michaelmcnees merged commit 81daf35 into main Mar 27, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant