Skip to content

Add Claude Code GitHub Workflow#8

Merged
fqzz2000 merged 2 commits into
gitbookfrom
add-claude-github-actions-1774556631928
Mar 26, 2026
Merged

Add Claude Code GitHub Workflow#8
fqzz2000 merged 2 commits into
gitbookfrom
add-claude-github-actions-1774556631928

Conversation

@lipingtababa

Copy link
Copy Markdown
Owner

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@fqzz2000 fqzz2000 merged commit 76ee79c into gitbook Mar 26, 2026
3 checks passed

@lipingtababa lipingtababa left a comment

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Retroactive Review — PR #8 (already merged)

This is an informational review of the merged Claude Code GitHub Actions integration.

Overview

Two workflow files added:

  • claude.yml — interactive @claude mentions in issues/PRs
  • claude-code-review.yml — automated code review on PR events

Both use anthropics/claude-code-action@v1 with an OAuth token stored as a GitHub secret. Straightforward setup overall.

Observations

1. Permissions are read-only (good)
Both workflows request only read on contents, pull-requests, and issues, plus id-token: write for auth. No unnecessary write permissions. This is the right baseline.

2. claude.yml lacks write permissions for its intended purpose
The interactive workflow (claude.yml) is designed to let Claude create comments, branches, and commits (as stated in the PR description). However, its permissions only grant read access to contents and pull-requests. Claude will not be able to push commits or write PR comments with these permissions. This likely needs contents: write and pull-requests: write to function as described. Worth verifying whether claude-code-action escalates permissions via the OAuth token or whether the workflow permissions are the binding constraint.

3. claude-code-review.yml also has read-only PR permissions
Similarly, the review workflow has pull-requests: read, but posting a review comment requires pull-requests: write. Again, the OAuth token may handle this, but it is worth confirming the review bot can actually post its output.

4. Pinning the action version
Both workflows use anthropics/claude-code-action@v1 (a major-version tag). This is a reasonable tradeoff between staying current and stability. For higher-security postures, pinning to a full SHA is preferable, but for this repository's threat model the tag is fine.

5. fetch-depth: 1 in the review workflow
The automated review checks out with fetch-depth: 1. If Claude needs to understand the diff against the base branch (which it likely does for code review), a shallow clone may be insufficient. Consider fetch-depth: 0 or at minimum enough depth to cover the PR's commit range.

6. The plugin_marketplaces / plugins configuration in the review workflow
The review workflow references a plugin (code-review@claude-code-plugins) loaded from a marketplace URL pointing at the claude-code repo itself. This is a newer pattern. No concerns, just noting it for visibility since it introduces an external dependency for the review behavior.

Summary

Clean, minimal integration. The main functional question is whether the read-only workflow permissions are sufficient for Claude to actually post comments and commits, or whether the OAuth token bypasses those constraints. If the workflows are working as-is post-merge, then the token handles it and no change is needed.

@fqzz2000 fqzz2000 deleted the add-claude-github-actions-1774556631928 branch April 8, 2026 17:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants