
Add Claude Code GitHub Workflow#56

Open
jbearak wants to merge 2 commits into main from add-claude-github-actions-1770482479650

Conversation

@jbearak (Collaborator) commented Feb 7, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:

```yaml
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)
```

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • Chores
    • Added GitHub Actions workflow for automated code review integration
    • Added GitHub Actions workflow to enable Claude Code collaboration features triggered by comments and review events
    • Configured necessary repository permissions and authentication for workflow execution

coderabbitai (Bot) commented Feb 7, 2026

📝 Walkthrough

Two new GitHub Actions workflows are added to enable automated code review and Claude Code integration. The claude-code-review.yml workflow triggers on pull request events, while claude.yml activates on issue and pull request comments/reviews containing the @claude tag.

Changes

GitHub Actions Workflows (.github/workflows/claude-code-review.yml, .github/workflows/claude.yml): Added two new workflow files to enable Claude-powered code review automation and Claude Code integration. Both workflows configure repository permissions, check out code, and invoke Claude actions with OAuth token authentication. The code-review workflow triggers on PR events, while the main Claude workflow responds to tagged comments and reviews.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through workflows new,
Claude Code Review—a splendid view!
Automation blooms with every PR,
No more delays, just smooth CI—brrr!
Smart reviews hop in, quick and bright,
Making code quality just right! ✨

🚥 Pre-merge checks: 3 passed

Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'Add Claude Code GitHub Workflow' accurately reflects the main changes in the PR, which adds two new GitHub Actions workflows for Claude Code integration.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai (Bot) left a review comment

Actionable comments posted: 3


Comment on lines +13 to +41 of .github/workflows/claude-code-review.yml

```yaml
jobs:
  claude-review:
    # Optional: Filter by PR author
    # if: |
    #   github.event.pull_request.user.login == 'external-contributor' ||
    #   github.event.pull_request.user.login == 'new-developer' ||
    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
          plugins: 'code-review@claude-code-plugins'
          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
```

⚠️ Potential issue | 🟠 Major

Skip runs on forked PRs to avoid failed checks.

pull_request workflows from forks won’t get secrets, so this job will fail (and can block external contributors if the check is required). Add a fork guard to skip the job for forked PRs.

🔧 Suggested guard
 jobs:
   claude-review:
+    if: github.event.pull_request.head.repo.full_name == github.repository
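Review bot: This new `if:` lands directly above the commented-out `# if: |` author filter; if that filter is ever uncommented as written, the job would carry two `if:` keys in one mapping, which is invalid YAML, so fold any author condition into this single expression with `&&` rather than re-enabling the comment. The comparison itself is the right one for a `pull_request` trigger: on a fork PR `github.event.pull_request.head.repo.full_name` is the fork's name, so the job is skipped instead of failing on an empty `secrets.CLAUDE_CODE_OAUTH_TOKEN`. Keep the guard even if this workflow is later moved to `pull_request_target` to obtain secrets, because at that point it is the only thing stopping an arbitrary fork from running the action with the repository's credentials.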
🤖 Prompt for AI Agents
In @.github/workflows/claude-code-review.yml around lines 13 - 41, The
claude-review job currently runs for forked PRs which lack secrets and will
fail; add a fork guard to the job (the job with id/name "claude-review") so it
only runs when the PR originates from the same repository. Modify the job-level
condition (the job that contains the "Run Claude Code Review" step and uses
anthropics/claude-code-action@v1) to include an if expression that checks the PR
head repo equals the base repo (e.g., compare
github.event.pull_request.head.repo.full_name to github.repository or similar)
so the job is skipped for forked PRs.

Comment on lines +22 to +41 of .github/workflows/claude-code-review.yml

```yaml
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
          plugins: 'code-review@claude-code-plugins'
          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
```

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

anthropics claude-code-action GitHub permissions requirements

💡 Result:

For anthropics/claude-code-action, the GitHub permissions requirements depend on whether you’re configuring a GitHub App (recommended) and/or what your workflow permissions: are.

1) If you create a custom GitHub App (or are validating what it needs)

Set these Repository permissions to Read & Write: Contents, Issues, Pull requests. [1]

2) In your GitHub Actions workflow (permissions: block)

At minimum, grant: contents: write, pull-requests: write, issues: write. [1]

If you use AWS Bedrock or Google Vertex AI via GitHub OIDC, also grant: id-token: write. [1]

Sources:
[1] Anthropic Claude Code docs — “Claude Code GitHub Actions” (permissions + example workflow permissions block).


🌐 Web query:

claude-code-action v1 required GitHub token scopes

💡 Result:

For anthropics/claude-code-action@v1, the GitHub token it uses (whether that’s the workflow’s GITHUB_TOKEN or a GitHub App installation token you pass via github_token) needs permissions equivalent to:

Additionally, if you’re authenticating to a cloud provider via GitHub OIDC (e.g., Bedrock/Vertex setups), your workflow permissions also need:

Citations:


Update GitHub token permissions — action requires write access to post review comments.

The anthropics/claude-code-action@v1 action requires write permissions to function. Per Anthropic's documentation, the workflow needs:

  • contents: write (not just read)
  • pull-requests: write (not just read)
  • issues: write (not just read)
🔧 Required permissions update
     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
+      contents: write
+      pull-requests: write
+      issues: write
       id-token: write
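Review bot: `id-token: write` is carried over unchanged, but the analysis chain above ties it to AWS Bedrock or Google Vertex AI via GitHub OIDC, and this job authenticates with `claude_code_oauth_token`, so it should be dropped unless OIDC federation is actually in use; an OIDC token nobody consumes is one more credential sitting in an agent job. Of the three widened scopes, `pull-requests: write` is what posting a review needs, while `contents: write` lets the action push commits to the base repository from a job whose prompt is built from untrusted PR content (the diff and comments it reviews). The fork guard limits that to same-repo PRs, but confirm against the action's documentation that the `/code-review:code-review` prompt needs `contents: write` and `issues: write` at all before granting them; if the review only comments on the PR, leave those two at `read`.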
🤖 Prompt for AI Agents
In @.github/workflows/claude-code-review.yml around lines 22 - 41, Update the
GitHub Actions permissions block so the claude review action can post comments:
change the permissions keys "contents", "pull-requests", and "issues" from read
to write in the permissions mapping, keeping "id-token: write" as-is; ensure
this change is applied before the "steps" block and that the "Run Claude Code
Review" step (id: claude-review, uses: anthropics/claude-code-action@v1) now
runs with the elevated permissions.

Comment on lines +13 to +41 of .github/workflows/claude.yml

```yaml
jobs:
  claude:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read # Required for Claude to read CI results on PRs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

          # This is an optional setting that allows Claude to read CI results on PRs
          additional_permissions: |
            actions: read
```

⚠️ Potential issue | 🔴 Critical

Lock down @claude triggers to trusted users and ignore bots.

As written, anyone who can comment can trigger a run that uses secrets. That’s a significant security and cost risk for public repos, and it also risks bot self-trigger loops. Add an author-association gate (and exclude bot senders).

🔒 Suggested authorization gate
 jobs:
   claude:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    if: |
+      (
+        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+        (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      ) && (
+        github.event.sender.type != 'Bot' &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
+          github.event.comment.author_association ||
+          github.event.review.author_association ||
+          github.event.issue.author_association
+        )
+      )
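Review bot: The operand order inside `contains(fromJSON(...), a || b || c)` is load-bearing and is correct here: `||` in a workflow expression yields the first non-empty operand, so on `issue_comment` the commenter's `comment.author_association` is tested before `issue.author_association`; with `issue` first, a `NONE` commenter on an issue opened by an OWNER would slip through. Two follow-ups on the trusted set: `MEMBER` admits every organization member, which on a public org repository can be wider than the "only users with write access" the PR description promises, so remove it if membership is broader than the maintainer group; and this gate decides who may start a run, not what the agent reads, since the PR body, diff and earlier comments from anyone still reach the model, so the read-only `permissions:` block beneath it should stay read-only after this change.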
🤖 Prompt for AI Agents
In @.github/workflows/claude.yml around lines 13 - 41, The job "claude"
if-condition is too permissive; tighten it by adding author-association and
bot-exclusion checks for each event branch so only trusted human contributors
can trigger runs. Update the existing multi-line if to require e.g.
github.event.comment.author_association in ('OWNER','MEMBER','COLLABORATOR') (or
similar trusted values) and github.event.comment.user.type != 'Bot' for
comment-based branches, and the analogous github.event.review.author_association
/ github.event.review.user.type checks for pull_request_review and
pull_request_review_comment branches, plus github.event.issue.author_association
and github.event.issue.user.type for issues; keep the existing contains(...,
'@claude') checks but combine them with these new gates in the job "claude" if
expression.
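The two conditions proposed in this review thread (the trusted-author gate for claude.yml above, and the fork guard for claude-code-review.yml earlier), together with the "only users with write access to the repository can trigger the workflow" claim in the PR description, can be exercised before anything is merged. The following is an added example, not code from this PR or from the claude-code-action project: a Python re-implementation of both job-level `if:` expressions, run against constructed webhook payloads, which also shows why the `||` order in the suggested gate matters. Field names follow GitHub's webhook payloads (`comment.author_association`, `sender.type`, `pull_request.head.repo.full_name`); the payloads and the `org/repo` name are made up for the example.

```python
# Added example, not code from the PR or from the claude-code-action project.
# Re-implements the trigger gate proposed for .github/workflows/claude.yml and
# the fork guard proposed for claude-code-review.yml so both decisions can be
# checked offline. Payload field names follow GitHub's webhook event shapes;
# the payloads below are constructed, not real deliveries.

MENTION = "@claude"
# author_association values that imply write access to the repository.
TRUSTED = frozenset({"OWNER", "MEMBER", "COLLABORATOR"})


def _get(obj, *path):
    """Mimic workflow-expression property access: missing keys yield None, never raise."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def first_truthy(*values):
    """Workflow expression `a || b || c`: the first non-empty operand wins."""
    for value in values:
        if value:
            return value
    return None


def mentions_claude(event_name, event):
    """The `contains(..., '@claude')` half of the job-level `if:`."""
    if event_name in ("issue_comment", "pull_request_review_comment"):
        return MENTION in (_get(event, "comment", "body") or "")
    if event_name == "pull_request_review":
        return MENTION in (_get(event, "review", "body") or "")
    if event_name == "issues":
        return (MENTION in (_get(event, "issue", "body") or "")
                or MENTION in (_get(event, "issue", "title") or ""))
    return False


def trusted_human(event):
    """Authorization half: reject bot senders; the acting user must have write access.

    The `||` order is deliberate: the comment author is checked before the
    issue author, so an anonymous commenter on a maintainer's issue is rejected.
    """
    if _get(event, "sender", "type") == "Bot":
        return False
    association = first_truthy(
        _get(event, "comment", "author_association"),
        _get(event, "review", "author_association"),
        _get(event, "issue", "author_association"),
    )
    return association in TRUSTED


def should_run_claude(event_name, event):
    """Combined job-level `if:` for claude.yml."""
    return mentions_claude(event_name, event) and trusted_human(event)


def should_run_review(repository, event):
    """Fork guard for claude-code-review.yml: run only when the PR head is in this repo."""
    return _get(event, "pull_request", "head", "repo", "full_name") == repository


# Constructed sample payloads, trimmed to the fields the gate reads.
DRIVE_BY_COMMENT = {  # anonymous user replies on an issue an OWNER opened
    "issue": {"title": "Build fails", "body": "CI is red", "author_association": "OWNER"},
    "comment": {"body": "@claude please fix the build", "author_association": "NONE"},
    "sender": {"login": "randomuser", "type": "User"},
}
COLLABORATOR_COMMENT = {
    "issue": {"title": "Build fails", "body": "CI is red", "author_association": "NONE"},
    "comment": {"body": "@claude please fix the build", "author_association": "COLLABORATOR"},
    "sender": {"login": "maintainer", "type": "User"},
}
BOT_REVIEW = {  # a GitHub App posting a review that mentions @claude
    "review": {"body": "@claude re-run", "author_association": "MEMBER"},
    "sender": {"login": "some-app[bot]", "type": "Bot"},
}
MEMBER_ISSUE = {
    "issue": {"title": "@claude add tests", "body": "", "author_association": "MEMBER"},
    "sender": {"login": "orgmember", "type": "User"},
}
FORK_PR = {"pull_request": {"head": {"repo": {"full_name": "someone/repo"}}}}
SAME_REPO_PR = {"pull_request": {"head": {"repo": {"full_name": "org/repo"}}}}


if __name__ == "__main__":
    cases = [
        ("drive-by comment on owner's issue", "issue_comment", DRIVE_BY_COMMENT),
        ("collaborator comment", "issue_comment", COLLABORATOR_COMMENT),
        ("bot review", "pull_request_review", BOT_REVIEW),
        ("member-opened issue", "issues", MEMBER_ISSUE),
    ]
    for label, event_name, event in cases:
        print(f"{label}: run={should_run_claude(event_name, event)}")
    print("fork PR review:", should_run_review("org/repo", FORK_PR))
    print("same-repo PR review:", should_run_review("org/repo", SAME_REPO_PR))
```

The drive-by case is the one worth keeping in a test suite: the issue was opened by an OWNER, the comment came from `NONE`, and the gate must say no. Swapping the first two operands of the `||` chain in the workflow would make that case pass, and this script flags it.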
