Add Claude Code GitHub Workflow#251
Conversation
WalkthroughAdds two new GitHub Actions workflows under .github/workflows: one auto-reviews pull requests on open/sync, and one runs on mentions of @claude in issues/PR reviews/comments. Both check out the repo and invoke a Claude code-action with an OAuth token. Optional configuration fields are present but commented out. Changes
Sequence Diagram(s)sequenceDiagram
autonumber
participant Dev as Developer
participant GH as GitHub (PR Event)
participant WF as Workflow: Claude Code Review
participant ACT as claude-code-action
participant CL as Claude
Dev->>GH: Open/Synchronize Pull Request
GH-->>WF: Trigger workflow
WF->>ACT: Checkout repo and run action (token, prompt)
ACT->>CL: Submit context and prompt
CL-->>ACT: Generate review output
ACT-->>WF: Post review/comment
sequenceDiagram
autonumber
participant User as User
participant GH as GitHub (Issue/PR/Comment)
participant WF as Workflow: Claude Code
participant ACT as claude-code-action
participant CL as Claude
User->>GH: Create/Update issue or review/comment with @claude
GH-->>WF: Trigger on mention (filters applied)
WF->>ACT: Checkout repo and run action (token, permissions)
ACT->>CL: Send event context/instructions
CL-->>ACT: Generate response
ACT-->>WF: Post reply to thread
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Poem
Tip 🔌 Remote MCP (Model Context Protocol) integration is now available!Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats. ✨ Finishing Touches🧪 Generate unit tests
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR/Issue comments)Type Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (8)
.github/workflows/claude-code-review.yml (4)
21-26: Drop id-token: write unless OIDC is actually used.If the action doesn’t mint OIDC tokens (and relies on claude_code_oauth_token), remove id-token: write to follow least-privilege.
Apply this diff:
permissions: contents: read pull-requests: read issues: read - id-token: write
40-52: Model pin (optional): keep commented example up to date with a valid model name.If you plan to switch models later, ensure the example points to a currently supported model tag/version to avoid confusion during copy/paste.
15-20: Clean up trailing spaces and extra blank line to satisfy yamllint.There are trailing spaces and an extra blank line at EOF flagged by yamllint.
Apply this diff to trim whitespace and the final blank line:
- # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' - + # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' @@ - + @@ - + @@ - + @@ - + @@ - +Also applies to: 27-27, 51-51, 56-56, 64-64, 67-67, 70-70, 73-73, 78-79
13-21: Optional: add concurrency to avoid duplicate runs on rapid pushes.Prevents overlapping reviews on quick successive commits.
Apply this diff:
jobs: claude-review: + concurrency: + group: claude-review-${{ github.workflow }}-${{ github.event.pull_request.number }} + cancel-in-progress: true # Optional: Filter by PR author.github/workflows/claude.yml (4)
21-27: Least-privilege: drop id-token: write if unused.If the action doesn’t need OIDC, remove id-token: write.
Apply this diff:
permissions: contents: read pull-requests: read issues: read - id-token: write actions: read # Required for Claude to read CI results on PRs
39-41: Remove redundant additional_permissions; job-level already grants actions: read.You already set actions: read at job permissions; keeping both is redundant.
Apply this diff:
- # This is an optional setting that allows Claude to read CI results on PRs - additional_permissions: | - actions: read + # CI results are already readable via job-level permissions: actions: read
13-21: Optional: add concurrency to cancel in-flight runs per thread.Prevents overlapping Claude runs when multiple comments arrive quickly.
Apply this diff:
jobs: claude: + concurrency: + group: claude-${{ github.workflow }}-${{ github.run_id }}-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }} + cancel-in-progress: true if: |
42-42: Trim trailing spaces and extra blank line to satisfy yamllint.Minor whitespace nits flagged by yamllint.
Apply this diff:
- + @@ - + @@ - + @@ - + @@ - + @@ - + - +Also applies to: 45-45, 48-48, 51-51, 54-54, 60-60, 64-65
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (2)
.github/workflows/claude-code-review.yml(1 hunks).github/workflows/claude.yml(1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/claude-code-review.yml
[error] 20-20: trailing spaces
(trailing-spaces)
[error] 27-27: trailing spaces
(trailing-spaces)
[error] 51-51: trailing spaces
(trailing-spaces)
[error] 56-56: trailing spaces
(trailing-spaces)
[error] 64-64: trailing spaces
(trailing-spaces)
[error] 67-67: trailing spaces
(trailing-spaces)
[error] 70-70: trailing spaces
(trailing-spaces)
[error] 73-73: trailing spaces
(trailing-spaces)
[warning] 78-78: too many blank lines (1 > 0)
(empty-lines)
.github/workflows/claude.yml
[error] 42-42: trailing spaces
(trailing-spaces)
[error] 45-45: trailing spaces
(trailing-spaces)
[error] 48-48: trailing spaces
(trailing-spaces)
[error] 51-51: trailing spaces
(trailing-spaces)
[error] 54-54: trailing spaces
(trailing-spaces)
[error] 60-60: trailing spaces
(trailing-spaces)
[warning] 64-64: too many blank lines (1 > 0)
(empty-lines)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Analyze (go)
- GitHub Check: Build (Go stable, OS ubuntu-latest)
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@beta | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Pin GitHub Actions to a commit SHA to prevent supply-chain attacks.
Avoid floating tags (beta, v4). Pin both actions to immutable SHAs.
Apply this diff:
- - name: Checkout repository
- uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.1.7
@@
- - name: Run Claude Code Review
+ - name: Run Claude Code Review
id: claude-review
- uses: anthropics/claude-code-action@beta
+ uses: anthropics/claude-code-action@<commit-sha>Replace with the latest published commit for anthropics/claude-code-action you intend to trust.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: Run Claude Code Review | |
| id: claude-review | |
| uses: anthropics/claude-code-action@beta | |
| with: | |
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.1.7 | |
| with: | |
| fetch-depth: 1 | |
| - name: Run Claude Code Review | |
| id: claude-review | |
| uses: anthropics/claude-code-action@<commit-sha> | |
| with: | |
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
🤖 Prompt for AI Agents
.github/workflows/claude-code-review.yml lines 28-38: the workflow uses floating
tags (actions/checkout@v4 and anthropics/claude-code-action@beta), which are
vulnerable to supply-chain changes; replace both uses entries with the
corresponding immutable commit SHAs (e.g., actions/checkout@<commit-sha> and
anthropics/claude-code-action@<commit-sha>) by looking up the latest trusted
commit SHAs in each repo's releases/tags and substituting them, keeping the
existing inputs (like fetch-depth and claude_code_oauth_token) unchanged.
| if: | | ||
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Guard against self-trigger loops and bot noise.
Add actor checks so comments created by bots don’t re-trigger the workflow.
Apply this diff:
claude:
- if: |
+ if: |
+ github.actor != 'github-actions[bot]' &&
+ (github.event.sender.login != 'github-actions[bot]') &&
+ (github.event.sender.login != 'claude-bot') &&
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| if: | | |
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| runs-on: ubuntu-latest | |
| claude: | |
| if: | | |
| github.actor != 'github-actions[bot]' && | |
| (github.event.sender.login != 'github-actions[bot]') && | |
| (github.event.sender.login != 'claude-bot') && | |
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| runs-on: ubuntu-latest |
🤖 Prompt for AI Agents
In .github/workflows/claude.yml around lines 15 to 20, the workflow condition
can be re-triggered by bot-created comments; update the if expression to also
exclude runs when the event actor is a bot by adding actor checks (e.g., ensure
github.actor != 'github-actions[bot]' and !contains(github.actor, '[bot]')) so
the workflow only proceeds for human actors; modify the combined condition to
AND these actor checks with the existing event/body contains checks.
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Run Claude Code | ||
| id: claude | ||
| uses: anthropics/claude-code-action@beta | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Pin GitHub Actions to a commit SHA to prevent supply-chain attacks.
Same rationale as the other workflow: pin both actions.
Apply this diff:
- - name: Checkout repository
- uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.1.7
@@
- - name: Run Claude Code
+ - name: Run Claude Code
id: claude
- uses: anthropics/claude-code-action@beta
+ uses: anthropics/claude-code-action@<commit-sha>Replace with the vetted commit from anthropics/claude-code-action.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: Run Claude Code | |
| id: claude | |
| uses: anthropics/claude-code-action@beta | |
| with: | |
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| - name: Checkout repository | |
| uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.1.7 | |
| with: | |
| fetch-depth: 1 | |
| - name: Run Claude Code | |
| id: claude | |
| uses: anthropics/claude-code-action@<commit-sha> # replace <commit-sha> with the vetted commit SHA | |
| with: | |
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
🤖 Prompt for AI Agents
In .github/workflows/claude.yml around lines 28 to 37, both GitHub Actions are
referenced by tag (actions/checkout@v4 and anthropics/claude-code-action@beta);
pin each to a specific commit SHA to prevent supply-chain attacks by replacing
the action references with their vetted commit SHAs (e.g.,
actions/checkout@<checkout-commit-sha> and
anthropics/claude-code-action@<claude-commit-sha>), ensuring you substitute
<claude-commit-sha> with the vetted commit from anthropics/claude-code-action
and commit the change.
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!
Summary by CodeRabbit
New Features
Chores