
Add Claude Code GitHub Workflow #4

Merged: congmnguyen merged 2 commits into main from add-claude-github-actions-1771690117720 on Feb 21, 2026

Conversation

@congmnguyen
Owner

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
      allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!
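A hardened version of the mention-triggered workflow, added here as an example; it is not the file this PR adds and not Anthropic's template. It keeps the '@claude' text check from the description but also gates the job on the commenter's repository role, keeps GITHUB_TOKEN read-only, serialises runs per issue or PR so a burst of comments cannot fan out into many concurrent runs, and allow-lists only named commands using the `allowed_tools` syntax shown above. The action reference `anthropics/claude-code-action@v1`, the `anthropic_api_key` input and the secret name `ANTHROPIC_API_KEY` are assumptions; only the two comment-created events are wired up. The role check relies on `author_association`, which approximates "write access" rather than looking the permission up exactly.

```yaml
name: Claude Code (mention-triggered, gated)

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

# No workflow-level grants: every scope is declared per job below.
permissions: {}

jobs:
  claude:
    # Run only when the mention comes from an account that holds a repository
    # role, not merely because the text '@claude' appears in a comment.
    if: >
      contains(github.event.comment.body, '@claude') &&
      (
        github.event.comment.author_association == 'OWNER' ||
        github.event.comment.author_association == 'COLLABORATOR'
      )
    runs-on: ubuntu-latest

    # Least privilege for GITHUB_TOKEN. Write scopes are added only once a
    # concrete request is shown to need them.
    permissions:
      contents: read
      pull-requests: read
      issues: read

    # One run per issue or PR at a time; queued runs are not cancelled, so a
    # legitimate follow-up request is still served.
    concurrency:
      group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
      cancel-in-progress: false

    steps:
      - uses: actions/checkout@v4

      # Assumed action reference; pin to a full commit SHA in practice so the
      # code that runs with the API key cannot change underneath the tag.
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}  # assumed secret name
          # Explicit allow-list, one exact command per entry; no bare Bash.
          allowed_tools: Bash(npm run lint),Bash(npm run test)
```

The `if:` sits at job level rather than on a step so that an unauthorised comment never starts a runner at all, and the check is written inside the same expression as the mention test, since both read `github.event.comment.*` for the two events used here.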

Copilot AI review requested due to automatic review settings February 21, 2026 16:08
@congmnguyen congmnguyen merged commit c75fb0a into main Feb 21, 2026
2 checks passed

Copilot AI left a comment


Pull request overview

This PR adds GitHub Actions workflows to integrate Claude Code, an AI coding agent, into the repository. The integration enables automated code reviews and allows developers to invoke Claude by mentioning @claude in comments. However, the PR introduces two workflows rather than one as described, and has several critical security and permission configuration issues that must be addressed.

Changes:

  • Added claude.yml workflow that triggers when @claude is mentioned in PR/issue comments, reviews, or when issues are opened/assigned
  • Added claude-code-review.yml workflow that automatically runs code reviews on all pull requests (opened, synchronized, ready_for_review, reopened)

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

File | Description
.github/workflows/claude.yml | Workflow for @claude mention-triggered interactions with read-only permissions and no user authorization checks
.github/workflows/claude-code-review.yml | Automatic PR code review workflow with read-only permissions, runs on all PRs without filtering
Comments suppressed due to low confidence (2)

.github/workflows/claude.yml:51
  • There are extra blank lines at the end of the file. This should be reduced to a single blank line at the end of the file for consistency and to follow common YAML formatting conventions.

.github/workflows/claude-code-review.yml:45
  • There are extra blank lines at the end of the file. This should be reduced to a single blank line at the end of the file for consistency and to follow common YAML formatting conventions.


Comment on lines +16 to +19
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
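Review bot: this condition gates only on the string '@claude' appearing in the payload, so on a public repository any account that can comment or open an issue can start the job, which contradicts the "only users with write access" claim in the description; add an author gate inside each event branch (the `issues` branch reads `github.event.issue.*`, the others `github.event.comment.*` or `github.event.review.*`), and treat `author_association` as an approximation: 'MEMBER' means organisation membership, not a write grant on this repository, so 'OWNER'/'COLLABORATOR' or an explicit permission lookup step before the action runs is closer to the stated policy.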
Copilot AI Feb 21, 2026


The PR description states "Only users with write access to the repository can trigger the workflow" as a security feature. However, the workflow configuration doesn't enforce this restriction. The conditional check only verifies if '@claude' is mentioned, not the author's permissions.

By default, GitHub Actions triggered by issue_comment or pull_request_review_comment events can be triggered by any user who can comment on the PR/issue, which includes users without write access in public repositories. To enforce the security requirement mentioned in the description, you should add an additional condition to check the user's permissions, such as:

github.event.comment.user.login == github.repository_owner || github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR'

Suggested change
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
(
github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude') &&
(
github.event.comment.user.login == github.repository_owner ||
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR'
)
) ||
(
github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
(
github.event.comment.user.login == github.repository_owner ||
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR'
)
) ||
(
github.event_name == 'pull_request_review' &&
contains(github.event.review.body, '@claude') &&
(
github.event.review.user.login == github.repository_owner ||
github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR'
)
) ||
(
github.event_name == 'issues' &&
(
contains(github.event.issue.body, '@claude') ||
contains(github.event.issue.title, '@claude')
) &&
(
github.event.issue.user.login == github.repository_owner ||
github.event.issue.author_association == 'OWNER' ||
github.event.issue.author_association == 'MEMBER' ||
github.event.issue.author_association == 'COLLABORATOR'
)
)

Comment on lines +39 to +42
# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read
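Review bot: `additional_permissions: |` is a block-scalar string, i.e. an input handed to the action (presumably under `with:`), not an entry in the job's `permissions:` map, so it is not interchangeable with the job-level `actions: read`, which only scopes GITHUB_TOKEN; verify against the action's documentation what this input controls before deleting it, since the comment on line 39 says it is what lets Claude read CI results.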

Copilot AI Feb 21, 2026


The 'actions: read' permission is already granted at the job level (line 26), so specifying it again in additional_permissions (line 41) is redundant. The additional_permissions field appears to be meant for permissions beyond what's already granted at the job level.

Consider removing the additional_permissions block since the required permission is already set at the job level, or clarify if this configuration has a specific purpose in the claude-code-action implementation.

Suggested change
# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

Comment on lines +22 to +24
contents: read
pull-requests: read
issues: read
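Review bot: do not widen these to `write` without first gating the triggering event on the author: as the condition on lines 16-19 stands, any commenter can start this job, and `contents: write` combined with comment bodies that the description says reach the model ("the entire PR or issue context including ... previous comments") is a far worse failure mode than a run that fails for lack of permission. If the action obtains write capability through its own token rather than GITHUB_TOKEN (the description lists comments, branches and commits among the defaults while this job is read-only), then read-only is the least-privilege setting and should stay as it is.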
Copilot AI Feb 21, 2026


The workflow has insufficient permissions for Claude to perform its intended actions. According to the PR description, "Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits." However, the current permissions only grant read access (contents: read, pull-requests: read, issues: read).

To enable Claude to create comments, branches, and commits, you need to add write permissions:

  • contents: write (for creating branches and commits)
  • pull-requests: write (for creating PR comments)
  • issues: write (for creating issue comments)

Without these permissions, Claude will not be able to execute on requests that involve making changes to the repository.

Suggested change
contents: read
pull-requests: read
issues: read
contents: write
pull-requests: write
issues: write

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
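Review bot: same caution as for claude.yml: this job runs on every pull_request event (opened, synchronize, ready_for_review, reopened) with no author filter, so `pull-requests: write` on GITHUB_TOKEN would give write on every PR to a job whose input is the PR content itself; keep `read` unless the action demonstrably cannot post its review through its own token, and if write turns out to be required, enable the author filter from lines 15-19 in the same change.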
Copilot AI Feb 21, 2026


The claude-code-review workflow is missing write permissions required for posting review comments. The workflow needs to be able to write comments to pull requests to provide code review feedback.

Add the following permission to enable the workflow to post review comments:

  • pull-requests: write

Without this permission, the code review functionality will not work as intended since Claude won't be able to post its review feedback.

Suggested change
pull-requests: read
pull-requests: write

@@ -0,0 +1,50 @@
name: Claude Code
Copilot AI Feb 21, 2026


The PR description mentions adding "a GitHub Actions workflow" (singular) but actually adds two separate workflow files: claude.yml and claude-code-review.yml. The description should be updated to accurately reflect that two workflows are being added, and explain the difference between them:

  • claude.yml: Triggered by @claude mentions in comments
  • claude-code-review.yml: Automatically runs code review on all new/updated PRs

This discrepancy could cause confusion about what's actually being installed.

Comment on lines +15 to +19
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
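Review bot: the commented-out template and a "collaborators only" filter pull in opposite directions: `FIRST_TIME_CONTRIBUTOR` and the named logins select external or new authors, whose PRs benefit most from an automated review, whereas restricting to MEMBER/OWNER/COLLABORATOR limits API quota and keeps untrusted PR content out of the model's input; state which goal this repository has in the comment before uncommenting either form, and note that 'external-contributor' and 'new-developer' are placeholder logins that must be replaced or removed.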
Copilot AI Feb 21, 2026


The claude-code-review workflow is configured to run automatically on ALL pull requests (opened, synchronize, ready_for_review, reopened) without any filtering. This means it will trigger Claude Code review for every PR, including this one and any future PRs.

Consider whether this is the intended behavior, as it could:

  1. Consume API quota/credits for every PR
  2. Add noise to PRs where automated review isn't needed
  3. Slow down the PR process

The commented-out filter examples (lines 15-19) suggest filtering by PR author or contributor type might be desired. Consider enabling one of these filters or adding a label-based trigger to give more control over when automated reviews run.

Suggested change
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
# Only run for PRs opened by internal collaborators to limit quota usage.
if: >
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.author_association == 'OWNER' ||
github.event.pull_request.author_association == 'COLLABORATOR'
