Add claude GitHub actions 1771783896310#1239
Conversation
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Caution Review failedThe pull request is closed. 📝 WalkthroughWalkthroughTwo GitHub Actions workflows are added to integrate Claude Code Review into the repository. The first workflow automatically reviews pull requests upon creation, while the second workflow allows Claude to be invoked through mentions in issues and review comments. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
codeant-ai
Bot
added
the
size:M
|
CodeAnt AI finished reviewing your PR. |
There was a problem hiding this comment.
Pull request overview
Adds GitHub Actions workflows to invoke Anthropic “Claude Code” for ad-hoc assistance via mentions and to run an automated code review plugin on pull requests.
Changes:
- Introduces a mention-triggered workflow (
@claude) for issues and PR comments/reviews. - Adds an automated PR-triggered Claude code review workflow using the
code-reviewplugin.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/claude.yml | Adds a comment/issue-triggered Claude Code workflow with an @claude gate and repository secret usage. |
| .github/workflows/claude-code-review.yml | Adds a PR-triggered Claude Code Review workflow using Claude plugins and an OAuth secret. |
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
There was a problem hiding this comment.
The job can be triggered by any user who opens an issue or comments “@claude” (issue_comment / issues events). Since the workflow uses repository secrets (CLAUDE_CODE_OAUTH_TOKEN) and grants id-token: write, this creates a high-risk secret/OIDC exfiltration path on public/untrusted repos. Restrict execution to trusted actors (e.g., github.event.comment.author_association in OWNER/MEMBER/COLLABORATOR, or a hardcoded allowlist), and consider removing the issues trigger or requiring workflow_dispatch for non-members.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| (github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| (github.event.comment.author_association == 'OWNER' || | |
| github.event.comment.author_association == 'MEMBER' || | |
| github.event.comment.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| (github.event.comment.author_association == 'OWNER' || | |
| github.event.comment.author_association == 'MEMBER' || | |
| github.event.comment.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| (github.event.review.author_association == 'OWNER' || | |
| github.event.review.author_association == 'MEMBER' || | |
| github.event.review.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'issues' && | |
| (contains(github.event.issue.body, '@claude') || | |
| contains(github.event.issue.title, '@claude')) && | |
| (github.event.issue.author_association == 'OWNER' || | |
| github.event.issue.author_association == 'MEMBER' || | |
| github.event.issue.author_association == 'COLLABORATOR')) |
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write |
There was a problem hiding this comment.
This workflow grants id-token: write even though it already authenticates via CLAUDE_CODE_OAUTH_TOKEN. If OIDC is not strictly required by the action, drop id-token: write to follow least-privilege—especially important for workflows triggered by comments/issues.
| id-token: write |
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
There was a problem hiding this comment.
This runs on pull_request events but relies on secrets.CLAUDE_CODE_OAUTH_TOKEN. For PRs from forks, GitHub does not provide repository secrets to pull_request workflows, so the job will fail (or be skipped unpredictably) for external contributions. Add an explicit guard like if: github.event.pull_request.head.repo.full_name == github.repository (or similar), or switch to a safe pull_request_target pattern with strict checkout/permission hardening if you need to support forks.
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write |
There was a problem hiding this comment.
This workflow requests id-token: write permission. If the action doesn’t explicitly require OIDC, removing this permission reduces blast radius in case the action or plugins are compromised.
| id-token: write |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
3 issues found across 2 files
Confidence score: 4/5
- Security hardening gaps in workflow triggers and action pinning are the main concerns; they pose supply-chain/abuse risk rather than immediate functional breakage
- Restricting who can trigger the Claude workflow would reduce token exposure from untrusted actors in
.github/workflows/claude.yml - Pay close attention to
.github/workflows/claude.yml,.github/workflows/claude-code-review.yml- tighten trigger permissions and pin actions to SHAs.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/claude-code-review.yml">
<violation number="1" location=".github/workflows/claude-code-review.yml:30">
P2: Pin GitHub Actions to specific commit SHAs to avoid supply-chain risks from mutable tags.</violation>
<violation number="2" location=".github/workflows/claude-code-review.yml:36">
P2: Pin this action to a specific commit SHA instead of a floating tag.</violation>
</file>
<file name=".github/workflows/claude.yml">
<violation number="1" location=".github/workflows/claude.yml:15">
P2: Restrict the trigger to trusted users (OWNER/MEMBER/COLLABORATOR) to prevent untrusted actors from invoking the action and consuming the Claude token.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
|
|
||
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 |
There was a problem hiding this comment.
P2: Pin this action to a specific commit SHA instead of a floating tag.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 36:
<comment>Pin this action to a specific commit SHA instead of a floating tag.</comment>
<file context>
@@ -0,0 +1,44 @@
+
+ - name: Run Claude Code Review
+ id: claude-review
+ uses: anthropics/claude-code-action@v1
+ with:
+ claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
</file context>
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
P2: Pin GitHub Actions to specific commit SHAs to avoid supply-chain risks from mutable tags.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 30:
<comment>Pin GitHub Actions to specific commit SHAs to avoid supply-chain risks from mutable tags.</comment>
<file context>
@@ -0,0 +1,44 @@
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
</file context>
|
|
||
| jobs: | ||
| claude: | ||
| if: | |
There was a problem hiding this comment.
P2: Restrict the trigger to trusted users (OWNER/MEMBER/COLLABORATOR) to prevent untrusted actors from invoking the action and consuming the Claude token.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude.yml, line 15:
<comment>Restrict the trigger to trusted users (OWNER/MEMBER/COLLABORATOR) to prevent untrusted actors from invoking the action and consuming the Claude token.</comment>
<file context>
@@ -0,0 +1,50 @@
+
+jobs:
+ claude:
+ if: |
+ (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
</file context>
User description
Description
Summarize your changes and the motivation behind them.
Fixes #(issue)
Type of change
Testing
How did you test your changes?
Checklist
See the developer guide for full coding standards.
GPU changes (expand if you modified
src/simulation/)CodeAnt-AI Description
Add automated Claude bot workflows to run code reviews and respond to @claude mentions
What Changed
Impact
✅ Faster review feedback on new or updated pull requests✅ Automated responses when contributors tag @claude in issues and PR discussions✅ Fewer manual review tasks for routine code review and triage💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.
Summary by CodeRabbit