Add claude GitHub actions 1771783896310

[sbryngelson]

User description

Description

Summarize your changes and the motivation behind them.

Fixes #(issue)

Type of change

• Bug fix
• New feature
• Refactor
• Documentation
• Other: describe

Testing

How did you test your changes?

Checklist

• I added or updated tests for new behavior
• I updated documentation if user-facing behavior changed

See the developer guide for full coding standards.

GPU changes (expand if you modified src/simulation/)

• GPU results match CPU results
• Tested on NVIDIA GPU or AMD GPU

---

CodeAnt-AI Description

Add automated Claude bot workflows to run code reviews and respond to @claude mentions

What Changed

• New workflow triggers automated code review on pull requests when PRs are opened, updated, reopened, or marked ready for review
• New workflow runs Claude whenever someone mentions @claude in issue comments, PR review comments, issue body/title, or PR review bodies; Claude can read CI results to include in responses
• Both workflows are configured to check out the repo and use a stored CLAUDE_CODE_OAUTH_TOKEN so the bot can post review or comment output back to the repository

Impact

✅ Faster review feedback on new or updated pull requests
✅ Automated responses when contributors tag @claude in issues and PR discussions
✅ Fewer manual review tasks for routine code review and triage

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

Summary by CodeRabbit

• Chores
  • Added GitHub Actions workflows to enable automated code review integration, triggered on pull request activity and specific interactions.

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

Two GitHub Actions workflows are added to integrate Claude Code Review into the repository. The first workflow automatically reviews pull requests upon creation, while the second workflow allows Claude to be invoked through mentions in issues and review comments.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows for Claude Integration .github/workflows/claude-code-review.yml, .github/workflows/claude.yml	Adds two new GitHub Actions workflows: one that automatically triggers Claude Code Review on pull requests with explicit permissions configuration, and another that enables Claude Code invocation via "@claude" mentions in issues, PR comments, and reviews. Both workflows use the anthropics/claude-code-action action with OAuth token authentication.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through GitHub's halls,
Claude now answers automation's calls!
Pull requests reviewed with thoughtful care,
And "@claude" mentions floating through the air—
Workflows woven, magic in the flows! ✨

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[Copilot]

Pull request overview

Adds GitHub Actions workflows to invoke Anthropic “Claude Code” for ad-hoc assistance via mentions and to run an automated code review plugin on pull requests.

Changes:

• Introduces a mention-triggered workflow (@claude) for issues and PR comments/reviews.
• Adds an automated PR-triggered Claude code review workflow using the code-review plugin.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
.github/workflows/claude.yml	Adds a comment/issue-triggered Claude Code workflow with an @claude gate and repository secret usage.
.github/workflows/claude-code-review.yml	Adds a PR-triggered Claude Code Review workflow using Claude plugins and an OAuth secret.

[Copilot]

The job can be triggered by any user who opens an issue or comments “@claude” (issue_comment / issues events). Since the workflow uses repository secrets (CLAUDE_CODE_OAUTH_TOKEN) and grants id-token: write, this creates a high-risk secret/OIDC exfiltration path on public/untrusted repos. Restrict execution to trusted actors (e.g., github.event.comment.author_association in OWNER/MEMBER/COLLABORATOR, or a hardcoded allowlist), and consider removing the issues trigger or requiring workflow_dispatch for non-members.

Suggested change

	(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
	(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
	(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
	(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
	(github.event_name == 'issue_comment' &&
	contains(github.event.comment.body, '@claude') &&
	(github.event.comment.author_association == 'OWNER' ||
	github.event.comment.author_association == 'MEMBER' ||
	github.event.comment.author_association == 'COLLABORATOR')) ||
	(github.event_name == 'pull_request_review_comment' &&
	contains(github.event.comment.body, '@claude') &&
	(github.event.comment.author_association == 'OWNER' ||
	github.event.comment.author_association == 'MEMBER' ||
	github.event.comment.author_association == 'COLLABORATOR')) ||
	(github.event_name == 'pull_request_review' &&
	contains(github.event.review.body, '@claude') &&
	(github.event.review.author_association == 'OWNER' ||
	github.event.review.author_association == 'MEMBER' ||
	github.event.review.author_association == 'COLLABORATOR')) ||
	(github.event_name == 'issues' &&
	(contains(github.event.issue.body, '@claude') ||
	contains(github.event.issue.title, '@claude')) &&
	(github.event.issue.author_association == 'OWNER' ||
	github.event.issue.author_association == 'MEMBER' ||
	github.event.issue.author_association == 'COLLABORATOR'))

[Copilot]

This workflow grants id-token: write even though it already authenticates via CLAUDE_CODE_OAUTH_TOKEN. If OIDC is not strictly required by the action, drop id-token: write to follow least-privilege—especially important for workflows triggered by comments/issues.

Suggested change

id-token: write

[Copilot]

This runs on pull_request events but relies on secrets.CLAUDE_CODE_OAUTH_TOKEN. For PRs from forks, GitHub does not provide repository secrets to pull_request workflows, so the job will fail (or be skipped unpredictably) for external contributions. Add an explicit guard like if: github.event.pull_request.head.repo.full_name == github.repository (or similar), or switch to a safe pull_request_target pattern with strict checkout/permission hardening if you need to support forks.

[Copilot]

This workflow requests id-token: write permission. If the action doesn’t explicitly require OIDC, removing this permission reduces blast radius in case the action or plugins are compromised.

Suggested change

id-token: write

[cubic-dev-ai]

3 issues found across 2 files

Confidence score: 4/5

• Security hardening gaps in workflow triggers and action pinning are the main concerns; they pose supply-chain/abuse risk rather than immediate functional breakage
• Restricting who can trigger the Claude workflow would reduce token exposure from untrusted actors in .github/workflows/claude.yml
• Pay close attention to .github/workflows/claude.yml, .github/workflows/claude-code-review.yml - tighten trigger permissions and pin actions to SHAs.

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/claude-code-review.yml">

<violation number="1" location=".github/workflows/claude-code-review.yml:30">
P2: Pin GitHub Actions to specific commit SHAs to avoid supply-chain risks from mutable tags.</violation>

<violation number="2" location=".github/workflows/claude-code-review.yml:36">
P2: Pin this action to a specific commit SHA instead of a floating tag.</violation>
</file>

<file name=".github/workflows/claude.yml">

<violation number="1" location=".github/workflows/claude.yml:15">
P2: Restrict the trigger to trusted users (OWNER/MEMBER/COLLABORATOR) to prevent untrusted actors from invoking the action and consuming the Claude token.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Pin this action to a specific commit SHA instead of a floating tag.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 36:

<comment>Pin this action to a specific commit SHA instead of a floating tag.</comment>

<file context>
@@ -0,0 +1,44 @@
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
</file context>

[cubic-dev-ai]

P2: Pin GitHub Actions to specific commit SHAs to avoid supply-chain risks from mutable tags.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 30:

<comment>Pin GitHub Actions to specific commit SHAs to avoid supply-chain risks from mutable tags.</comment>

<file context>
@@ -0,0 +1,44 @@
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
</file context>

[cubic-dev-ai]

P2: Restrict the trigger to trusted users (OWNER/MEMBER/COLLABORATOR) to prevent untrusted actors from invoking the action and consuming the Claude token.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude.yml, line 15:

<comment>Restrict the trigger to trusted users (OWNER/MEMBER/COLLABORATOR) to prevent untrusted actors from invoking the action and consuming the Claude token.</comment>

<file context>
@@ -0,0 +1,50 @@
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
</file context>