Add Claude Code GitHub Workflow#118
Conversation
📝 WalkthroughWalkthroughAdds a new GitHub Actions workflow Changes
Sequence Diagram(s)sequenceDiagram
autonumber
participant User as User (comment/review/issue)
participant GitHub as GitHub Events
participant Runner as Actions Runner
participant Claude as Claude Code Action
User->>GitHub: create comment / submit review / open issue
GitHub->>Runner: trigger workflow with event payload
Runner->>Runner: evaluate condition (contains "@claude" && author association)
alt condition true
Runner->>Claude: checkout repo, provide secrets & permissions, run action
Claude->>Runner: process request and return output
Runner->>GitHub: post comment/status
else condition false
Runner->>GitHub: workflow skipped / no-op
end
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/claude.yml:
- Line 26: Fix the YAML lint issues around the "actions: read # Required for
Claude to read CI results on PRs" entry by adding proper spacing after the
inline comment (ensure one space after the #) and remove any trailing empty line
at the end of the file; verify the inline comment follows YAMLLint rules and
that the file ends with a single newline (no extra blank line).
- Line 35: Replace the mutable ref "anthropics/claude-code-action@v1" in the
workflow step with an immutable pinned full commit SHA (e.g.,
"anthropics/claude-code-action@<full-commit-sha>") so the action cannot change
unexpectedly; locate the uses: anthropics/claude-code-action@v1 entry in the
workflow and update it to the specific commit SHA for the version you want to
lock to, then commit the updated workflow.
- Around line 15-19: The workflow currently triggers on any mention of '@claude'
without checking who made the mention; restrict triggers by adding actor checks
to the existing condition so only trusted actors can invoke the job. Update the
conditional branches that use github.event.comment.body,
github.event.review.body and github.event.issue.body/title to also verify the
caller (use github.actor and the commenter/reviewer/issue author fields such as
github.event.comment.user.login, github.event.review.user.login,
github.event.issue.user.login) against a trusted allowlist (for example a JSON
list stored in a secret like secrets.TRUSTED_ACTORS) or explicit checks for
owners/bots; ensure each OR clause becomes a conjunction that requires both the
mention and that the actor is in the trusted list (or equals repo owner/bot) so
untrusted users cannot trigger the workflow.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: a51c86d9-6515-4908-94da-9e358166cc43
📒 Files selected for processing (1)
.github/workflows/claude.yml
- Pin anthropics/claude-code-action to immutable commit SHA (094bd24) - Restrict triggers to repo owner, members, and collaborators via author_association checks on each event type - Remove trailing blank line, clean up inline comments - Remove unused optional comments for cleaner config Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/claude.yml (1)
33-33:⚠️ Potential issue | 🟠 MajorPin
actions/checkoutto an immutable commit SHA.Line 33 uses
actions/checkout@v4, which is a mutable version reference. Pinning to a full 40-character commit SHA improves supply-chain integrity and reproducibility.🔐 Suggested change
- - name: Checkout repository - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@<full-40-char-commit-sha> # v4🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/claude.yml at line 33, The workflow is using the mutable ref "uses: actions/checkout@v4"; replace that tag with the repository's immutable 40-character commit SHA for actions/checkout so the workflow is pinned (e.g., change "actions/checkout@v4" to "actions/checkout@<full-commit-sha>"). Locate the uses: actions/checkout@v4 entry in the workflow and update it to the full commit SHA, commit the change, and verify the workflow runs successfully.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/claude.yml:
- Line 24: The claude job currently lacks a timeout and can run indefinitely;
under the job named "claude" (the block containing the runs-on: ubuntu-latest
line) add a timeout-minutes key at the same indentation level as runs-on (for
example timeout-minutes: 30 or another org-appropriate cap) to ensure the job is
automatically cancelled after the specified time and prevent runaway CI costs.
---
Duplicate comments:
In @.github/workflows/claude.yml:
- Line 33: The workflow is using the mutable ref "uses: actions/checkout@v4";
replace that tag with the repository's immutable 40-character commit SHA for
actions/checkout so the workflow is pinned (e.g., change "actions/checkout@v4"
to "actions/checkout@<full-commit-sha>"). Locate the uses: actions/checkout@v4
entry in the workflow and update it to the full commit SHA, commit the change,
and verify the workflow runs successfully.
🪄 Autofix (Beta)
❌ Autofix failed (check again to retry)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 327813ba-7eb0-41f8-9ea8-f6dfe3bb52e9
📒 Files selected for processing (1)
.github/workflows/claude.yml
|
Note Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it. An unexpected error occurred while generating fixes: Resource not accessible by integration - https://docs.github.com/rest/git/trees#create-a-tree |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/claude.yml:
- Around line 33-36: Replace the uses entry currently referencing the symbolic
tag actions/checkout@v4 with a SHA-pinned ref for that exact release (e.g.,
actions/checkout@<full-commit-sha>) to harden the workflow; locate the checkout
step (the uses: "actions/checkout@v4" line) and update it to the corresponding
SHA from the actions/checkout v4 release on GitHub (keeping the same with:
fetch-depth: 1 settings), then verify the workflow runs successfully.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: acd30110-69d1-46e7-9496-a312a0293784
📒 Files selected for processing (1)
.github/workflows/claude.yml
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!
Summary by CodeRabbit