
Conversation

@vlados (Owner) commented Oct 1, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • Chores
    • Added automated AI code review on pull requests, providing feedback on code quality, potential issues, performance, security, and test coverage, aligned with our style guidelines.
    • Enabled “@claude” mentions in issues, PRs, and review comments to request on-demand assistance directly within GitHub.
    • Configured workflows to run with minimal permissions and to read CI results for context-aware reviews.
    • Streamlined repository checkout for faster runs and improved comment-based command support.

@coderabbitai bot commented Oct 1, 2025

Walkthrough

Adds two GitHub Actions workflows to integrate Claude-driven automation: one auto-runs a code review on PR open/sync; the other listens for “@claude” mentions across issues and PRs to trigger the Claude Code Action. Both check out the repo and invoke anthropics/claude-code-action with configured permissions and tokens.

Changes

Cohort / File(s) | Summary
Automation: Claude workflows (.github/workflows/claude-code-review.yml, .github/workflows/claude.yml) | New workflows: (1) PR-triggered automated code review with prompt and claude_args exposing gh CLI helpers; (2) mention-triggered (“@claude”) action on issues/PRs/comments with scoped permissions and example configurable prompt/args. Both run on ubuntu-latest with repo checkout and use CLAUDE_CODE_OAUTH_TOKEN.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer
    participant GH as GitHub
    participant WF as Workflow: claude-code-review.yml
    participant Act as anthropics/claude-code-action

    Dev->>GH: Open/Sync Pull Request
    GH-->>WF: trigger (pull_request: opened/synchronize)
    WF->>WF: checkout@v4 (fetch-depth: 1)
    WF->>Act: Run with token, prompt, claude_args
    Act-->>GH: Post review comments / findings

sequenceDiagram
    autonumber
    participant User as User
    participant GH as GitHub
    participant WF as Workflow: claude.yml
    participant Act as anthropics/claude-code-action

    User->>GH: Create Issue/PR or Add Comment/Review with "@claude"
    GH-->>WF: trigger (issues, issue_comment, pull_request_review, pull_request_review_comment)
    WF->>WF: Conditional check (contains "@claude")
    alt contains "@claude"
        WF->>WF: checkout@v4 (fetch-depth: 1)
        WF->>Act: Run with OAuth token (optional prompt/args)
        Act-->>GH: Respond via comments / actions
    else no mention
        WF-->>GH: Exit (no-op)
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check | ✅ Passed | The title succinctly summarizes the primary change of adding the Claude Code GitHub workflow integration and is clear, specific, and relevant to the files modified without extraneous details.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

@coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between daaa80d and 75bd1a8.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml (1 hunks)
  • .github/workflows/claude.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/claude-code-review.yml

[warning] 57-57: too many blank lines (1 > 0)

(empty-lines)

.github/workflows/claude.yml

[warning] 50-50: too many blank lines (1 > 0)

(empty-lines)

Comment on .github/workflows/claude-code-review.yml, lines +3 to +39
on:
  pull_request:
    types: [opened, synchronize]
    # Optional: Only run on specific file changes
    # paths:
    #   - "src/**/*.ts"
    #   - "src/**/*.tsx"
    #   - "src/**/*.js"
    #   - "src/**/*.jsx"

jobs:
  claude-review:
    # Optional: Filter by PR author
    # if: |
    #   github.event.pull_request.user.login == 'external-contributor' ||
    #   github.event.pull_request.user.login == 'new-developer' ||
    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          prompt: |

⚠️ Potential issue | 🟠 Major

Workflow fails on forked PRs

pull_request runs don’t receive repository secrets or an OIDC ID token when the PR comes from a fork, so this job will crash any time an external contributor opens or updates a PR (Claude can’t read CLAUDE_CODE_OAUTH_TOKEN, and the action already errors when ACTIONS_ID_TOKEN_REQUEST_URL is missing). That blocks reviews for exactly the PRs where we need them most.(docs.github.com)

Tighten the trigger to skip forks (or switch to pull_request_target with explicit hardening) so internal PRs still get auto-reviews without breaking community contributions:

   claude-review:
-    # Optional: Filter by PR author
-    # if: |
-    #   github.event.pull_request.user.login == 'external-contributor' ||
-    #   github.event.pull_request.user.login == 'new-developer' ||
-    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+    if: ${{ github.event.pull_request.head.repo.fork == false }}
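Review bot: the `head.repo.fork == false` guard makes fork PRs skip the job silently rather than fail, which is the stated goal, but `github.event.pull_request.head.repo.full_name == github.repository` is the more common idiom and does not depend on the `fork` flag of the head repository. If the team instead follows the hint to move to `pull_request_target`, the job must not check out and process the PR head while secrets are present: the action reads the PR diff and body, and for a fork PR that content is attacker-controlled, so the gate removed here would be replaced by a prompt-injection and secret-exposure path. The five deleted `#` lines were the only documented author-filter pattern; keeping them as a comment above the new `if:` costs nothing.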

Comment on .github/workflows/claude.yml, lines +15 to +41
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read # Required for Claude to read CI results on PRs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

          # This is an optional setting that allows Claude to read CI results on PRs
          additional_permissions: |
            actions: read

⚠️ Potential issue | 🔴 Critical

Gate @claude runs to trusted commenters

As written, anyone who can comment or open an issue can mention @claude and trigger this job with full access to CLAUDE_CODE_OAUTH_TOKEN and the workflow’s write-capable token. GitHub runs issue_comment/pull_request_review_comment workflows in the base repo context, so secrets are exposed even when the commenter isn’t a collaborator, and the security team has repeatedly highlighted this as an escalation path.(docs.github.com)

Add an author-association gate (e.g., require MEMBER, OWNER, or COLLABORATOR) before running the Claude job so external users can’t exfiltrate repo secrets or co-opt Claude:

   claude:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    if: |
+      (
+        github.actor != '' &&
+        (
+          github.event.comment.author_association in ['OWNER','MEMBER','COLLABORATOR','MAINTAINER'] ||
+          github.event.issue.user.author_association in ['OWNER','MEMBER','COLLABORATOR','MAINTAINER']
+        )
+      ) &&
+      (
+        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review' && github.event.review.body != null && contains(github.event.review.body, '@claude')) ||
+        (github.event_name == 'issues' && (
+          (github.event.issue.body != null && contains(github.event.issue.body, '@claude')) ||
+          (github.event.issue.title != null && contains(github.event.issue.title, '@claude'))
+        ))
+      )
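Review bot: the suggested `if:` will not pass workflow validation, so the gate would never take effect. GitHub's expression language has no `in` operator and no array literals; the membership test on the `author_association` lines must be written as `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. Three field problems remain after that: `github.event.issue.user.author_association` does not exist (the field is `github.event.issue.author_association`); for `pull_request_review` events neither `comment` nor `issue` is in the payload, so reviews would always be rejected unless `github.event.review.author_association` is checked; and `MAINTAINER` is not a value GitHub emits for `author_association`. `github.actor != ''` is always true and can be dropped.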

(Adjust the association list to match your contributor policy.)

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
.github/workflows/claude.yml around lines 15-41: the workflow allows any
commenter to trigger the Claude job and expose secrets; add an
author-association gate to only allow trusted associations. Update the job
conditional to also require the commenter/reviewer/issue author to have an
allowed github.event.*.author_association value (e.g., MEMBER, OWNER,
COLLABORATOR) — for issue_comment and pull_request_review_comment use
github.event.comment.author_association, for pull_request_review use
github.event.review.user.author_association, and for issues use
github.event.issue.author_association — and ensure the if expression checks both
the presence of "@claude" and that the author_association is in the allowed list
before running the job.
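The two review comments above ask for a fork guard on the pull_request workflow and a trusted-author gate on the mention workflow. The following is an added example written for this page, not the PR's own files and not code from anthropics/claude-code-action; it shows both gates in expression syntax GitHub accepts. The trigger `types` lists and the three-value association list are assumptions to adjust to the repository's policy; the action inputs and permissions are the ones already visible in the PR.

```yaml
# Added example (not the PR's files). Document 1: job-level excerpt of
# .github/workflows/claude-code-review.yml. pull_request runs for fork PRs get
# no secrets and no OIDC token, so the job is skipped rather than left to fail;
# comparing repository names avoids relying on the head.repo.fork flag.
jobs:
  claude-review:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
---
# Document 2: .github/workflows/claude.yml with a trusted-author gate.
# The trigger types are assumed; the PR page only shows the event names.
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_review:
    types: [submitted]
  issues:
    types: [opened]   # only `opened`, so the actor is the issue author

jobs:
  claude:
    # Two conditions per event: the text mentions @claude, and the author of
    # that text has a trusted association. The expression language has no `in`
    # operator or array literal, so membership is contains(fromJSON('[...]'), v).
    # Each event carries the association on a different object (comment,
    # review, issue); MAINTAINER is not a value GitHub emits, so it is omitted.
    if: |
      (
        github.event_name == 'issue_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
      ) || (
        github.event_name == 'pull_request_review_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
      ) || (
        github.event_name == 'pull_request_review' &&
        github.event.review.body != null &&
        contains(github.event.review.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
      ) || (
        github.event_name == 'issues' &&
        (
          (github.event.issue.body != null && contains(github.event.issue.body, '@claude')) ||
          contains(github.event.issue.title, '@claude')
        ) &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
      )
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          additional_permissions: |
            actions: read
```

A quick check after merging: post an "@claude" comment from an account with no collaborator role and confirm the run shows as skipped in the Actions tab rather than failed; then repeat from a member account and confirm it runs. Review bodies and issue bodies can be null, which is why those two branches test for null before calling contains.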

@vlados vlados merged commit 90f6fb5 into main Oct 1, 2025
8 checks passed