Add Claude Code GitHub Workflow (#59)

* chore(ci): add Claude PR assistant workflow

Adds a GitHub Actions workflow that triggers Claude Code when @claude
is mentioned in PR or issue comments.

* chore(ci): add Claude Code review workflow

Adds a GitHub Actions workflow that triggers Claude Code to review
PRs when requested via the review-requested event.

* fix(ci): address security and workflow review feedback

- Add author_association check to restrict Claude triggers to
  OWNER, MEMBER, and COLLABORATOR (prevents unauthorized access)
- Change issues event from 'assigned' to 'edited' (assigned was noise)
- Add concurrency groups to both workflows (prevents overlapping runs)
- Pin claude-code-action to SHA for supply-chain safety
- Make claude-code-review opt-in via 'claude-review' label

* fix(ci): add write permissions for review workflow

The claude-code-action needs write permissions to post review comments.
Changed `pull-requests` and `issues` from `read` to `write`.

* fix(ci): skip review workflow for fork PRs

Fork PRs don't receive repository secrets in `pull_request` workflows,
so the job would fail. Added guard to skip when PR head repo differs
from the base repository.

* chore(ci): use harden runner

* chore(ci): remove label gating of review

Author: boneskull

.github/workflows/claude-code-review.yml

@@ -0,0 +1,43 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, ready_for_review, reopened, labeled]
+
+jobs:
+  claude-review:
+    # only run when PR is from this repository (fork PRs don't receive secrets)
+    if: |
+      github.event.pull_request.head.repo.full_name == github.repository
+    concurrency:
+      group: claude-review-${{ github.repository }}-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        # Pinned to v1 for supply-chain safety
+        uses: anthropics/claude-code-action@f2accb9a171bd71f4b5c93bcea23876aa5244edb
+        with:
+          allowed_bots: 'renovate[bot]'
+          claude_args: |
+            --max-turns 10
+          track_progress: true
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
+          plugins: 'code-review@claude-code-plugins'
+          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://code.claude.com/docs/en/cli-reference for available options
+

.github/workflows/claude.yml

@@ -0,0 +1,70 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, edited]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' &&
+        contains(github.event.comment.body, '@claude') &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review_comment' &&
+        contains(github.event.comment.body, '@claude') &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review' &&
+        contains(github.event.review.body, '@claude') &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
+      (github.event_name == 'issues' &&
+        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
+    concurrency:
+      group: claude-${{ github.repository }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
+      cancel-in-progress: true
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # TODO unclear if needed
+      pull-requests: write # for progress tracking
+      issues: write # for progress tracking
+      id-token: write # needed for OAUTH token
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Harden-Runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        # Pinned to v1 for supply-chain safety
+        uses: anthropics/claude-code-action@f2accb9a171bd71f4b5c93bcea23876aa5244edb
+        with:
+          claude_args: |
+            --max-turns 10
+            --allowed-tools 'Bash(gh pr:*),Bash(make:*),Bash(go test:*),Bash(gh stack:*)'
+          track_progress: true
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          allowed_bots: 'renovate[bot]'
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+          # prompt: 'Update the pull request description to include a summary of changes.'
+
+          # Optional: Add claude_args to customize behavior and configuration
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://code.claude.com/docs/en/cli-reference for available options
+          # claude_args: '--allowed-tools Bash(gh pr:*)'