Add Claude Code GitHub Workflow #11
Pull request overview
Adds GitHub Actions workflows to integrate the Anthropic “Claude Code” GitHub Action into this repository, enabling automated agent runs (comment-driven and PR-driven) using a repository secret.
Changes:
- Introduces an on-demand workflow (claude.yml) that triggers when “@claude” is detected in several event payloads.
- Adds an automatic PR workflow (claude-code-review.yml) intended to run a code-review plugin on PR lifecycle events.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .github/workflows/claude.yml | New workflow that runs Claude Code based on @claude detection across issue/comment/review events. |
| .github/workflows/claude-code-review.yml | New workflow that runs an automated Claude-based code review on PR open/sync/reopen events. |
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
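Review bot: contains(..., '@claude') in all four clauses is a case-insensitive substring test, so the job also starts when '@claude' appears inside a quoted reply, a pasted log or a longer handle that merely begins with it. If the mention is meant as an explicit command, match it more tightly, for example in a first step that checks the body for the mention as a standalone word and exits otherwise, and keep any actor check independent of this text match.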
The job can be triggered by anyone who can create an issue or comment containing “@claude”. Since this workflow uses a repository secret (CLAUDE_CODE_OAUTH_TOKEN), it should explicitly restrict execution to trusted actors (e.g., OWNER/MEMBER/COLLABORATOR) or otherwise verify the commenter has write permission before running.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| (github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| (github.event.comment.author_association == 'OWNER' || | |
| github.event.comment.author_association == 'MEMBER' || | |
| github.event.comment.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| (github.event.comment.author_association == 'OWNER' || | |
| github.event.comment.author_association == 'MEMBER' || | |
| github.event.comment.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| (github.event.review.author_association == 'OWNER' || | |
| github.event.review.author_association == 'MEMBER' || | |
| github.event.review.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'issues' && | |
| (contains(github.event.issue.body, '@claude') || | |
| contains(github.event.issue.title, '@claude')) && | |
| (github.event.issue.author_association == 'OWNER' || | |
| github.event.issue.author_association == 'MEMBER' || | |
| github.event.issue.author_association == 'COLLABORATOR')) |
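Review bot: author_association == 'MEMBER' in each clause admits any member of the owning organization, whether or not that member has write access to this repository, so the gate is wider than "has write permission". If write access is the bar, drop MEMBER or check the actor's repository permission in a first step before the secret is used. The three-way comparison is also repeated four times; contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) states the same test once per clause and is harder to let drift out of sync. This suggestion also rewrites the same pull_request_review and issues lines as the body || '' suggestion, so the two have to be merged by hand rather than applied one after the other.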
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
contains(github.event.review.body, '@claude') and contains(github.event.issue.body, '@claude') can fail when the body is null/empty (e.g., an approval-only review, or an issue without a description). Consider coercing to an empty string (e.g., ...body || '') before calling contains.
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body || '', '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body || '', '@claude') || contains(github.event.issue.title, '@claude'))) |
| on: | ||
| issue_comment: | ||
| types: [created] | ||
| pull_request_review_comment: | ||
| types: [created] | ||
| issues: | ||
| types: [opened, assigned] | ||
| pull_request_review: | ||
| types: [submitted] |
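Review bot: issues: types: [opened, assigned], combined with a job condition that looks only at the issue body and title, means an issue mentioning '@claude' starts a run when it is opened and again on every later assignment, because the text has not changed. If the intent is one run per request, drop assigned, or have the condition also test github.event.action so the text match applies to opened only.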
The PR description says the workflow runs when Claude is mentioned in PR/issue comments, but this workflow also triggers on issues (opened/assigned) and pull_request_review (submitted). If the intent is “mention in a comment only”, consider removing those triggers or updating the description to match the actual behavior.
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| # Optional: Only run on specific file changes |
This workflow runs on every PR open/sync/reopen, which doesn’t match the PR description’s “run when @claude is mentioned” behavior and could create significant usage/cost. Consider gating execution (label, opt-in comment trigger, or author filter) if you want this to be on-demand.
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
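Review bot: uses: anthropics/claude-code-action@v1 refers to a movable tag, and this step hands the action secrets.CLAUDE_CODE_OAUTH_TOKEN, so whatever v1 points to at run time receives the token. Pin the action to a full commit SHA with the version in a trailing comment (uses: anthropics/claude-code-action@<full-commit-sha> # v1) and let a dependency updater propose the bumps.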
On pull_request events from forks, repository secrets (including CLAUDE_CODE_OAUTH_TOKEN) aren’t provided, so this job will fail noisily for external contributions. Consider adding an if: guard to only run when github.event.pull_request.head.repo.full_name == github.repository (and optionally when the PR is not a draft).
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write |
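Review bot: id-token: write is the only write scope in this permissions block and carries no comment explaining it; it allows the job to request an OIDC token for the workflow's identity. Add a one-line comment naming the step that needs it, in the style of the comment on the actions: read line elsewhere in this PR, or remove the scope if nothing uses it.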
The PR description states Claude can create comments/branches/commits, but the workflow permissions grant only read access (contents, pull-requests, issues). If the action relies on the job’s GITHUB_TOKEN for repo interactions, it won’t be able to write back results. Consider granting the minimal required write permissions (or documenting that a separate GitHub token/app is used instead).
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write | ||
| actions: read # Required for Claude to read CI results on PRs |
The PR description states Claude can create comments/branches/commits, but this job’s permissions are read-only (contents, pull-requests, issues). If the action uses the job token for posting results or creating commits, it won’t be able to do so with the current permissions. Consider granting only the specific write scopes needed (or documenting alternative auth).
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!