Skip to content

Add Claude Code GitHub Workflow #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
congmnguyen merged 2 commits into from
Feb 21, 2026
Merged

Add Claude Code GitHub Workflow #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4fa41ed
"Claude PR Assistant workflow"
congmnguyen Feb 21, 2026
ee6f43f
"Claude Code Review workflow"
congmnguyen Feb 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions .github/workflows/claude-code-review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"

jobs:
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
Comment on lines +15 to +19
Copy link

Copilot AI Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The claude-code-review workflow is configured to run automatically on ALL pull requests (opened, synchronize, ready_for_review, reopened) without any filtering. This means it will trigger Claude Code review for every PR, including this one and any future PRs.

Consider whether this is the intended behavior, as it could:

  1. Consume API quota/credits for every PR
  2. Add noise to PRs where automated review isn't needed
  3. Slow down the PR process

The commented-out filter examples (lines 15-19) suggest filtering by PR author or contributor type might be desired. Consider enabling one of these filters or adding a label-based trigger to give more control over when automated reviews run.

Suggested change
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
# Only run for PRs opened by internal collaborators to limit quota usage.
if: >
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.author_association == 'OWNER' ||
github.event.pull_request.author_association == 'COLLABORATOR'

Copilot uses AI. Check for mistakes.

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
Copy link

Copilot AI Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The claude-code-review workflow is missing write permissions required for posting review comments. The workflow needs to be able to write comments to pull requests to provide code review feedback.

Add the following permission to enable the workflow to post review comments:

  • pull-requests: write

Without this permission, the code review functionality will not work as intended since Claude won't be able to post its review feedback.

Suggested change
pull-requests: read
pull-requests: write

Copilot uses AI. Check for mistakes.
issues: read
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options

50 changes: 50 additions & 0 deletions .github/workflows/claude.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
name: Claude Code
Copy link

Copilot AI Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description mentions adding "a GitHub Actions workflow" (singular) but actually adds two separate workflow files: claude.yml and claude-code-review.yml. The description should be updated to accurately reflect that two workflows are being added, and explain the difference between them:

  • claude.yml: Triggered by @claude mentions in comments
  • claude-code-review.yml: Automatically runs code review on all new/updated PRs

This discrepancy could cause confusion about what's actually being installed.

Copilot uses AI. Check for mistakes.

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
Comment on lines +16 to +19
Copy link

Copilot AI Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description states "Only users with write access to the repository can trigger the workflow" as a security feature. However, the workflow configuration doesn't enforce this restriction. The conditional check only verifies if '@claude' is mentioned, not the author's permissions.

By default, GitHub Actions triggered by issue_comment or pull_request_review_comment events can be triggered by any user who can comment on the PR/issue, which includes users without write access in public repositories. To enforce the security requirement mentioned in the description, you should add an additional condition to check the user's permissions, such as:

github.event.comment.user.login == github.repository_owner || github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR'

Suggested change
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
(
github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude') &&
(
github.event.comment.user.login == github.repository_owner ||
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR'
)
) ||
(
github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
(
github.event.comment.user.login == github.repository_owner ||
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR'
)
) ||
(
github.event_name == 'pull_request_review' &&
contains(github.event.review.body, '@claude') &&
(
github.event.review.user.login == github.repository_owner ||
github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR'
)
) ||
(
github.event_name == 'issues' &&
(
contains(github.event.issue.body, '@claude') ||
contains(github.event.issue.title, '@claude')
) &&
(
github.event.issue.user.login == github.repository_owner ||
github.event.issue.author_association == 'OWNER' ||
github.event.issue.author_association == 'MEMBER' ||
github.event.issue.author_association == 'COLLABORATOR'
)
)

Copilot uses AI. Check for mistakes.
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
Comment on lines +22 to +24
Copy link

Copilot AI Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow has insufficient permissions for Claude to perform its intended actions. According to the PR description, "Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits." However, the current permissions only grant read access (contents: read, pull-requests: read, issues: read).

To enable Claude to create comments, branches, and commits, you need to add write permissions:

  • contents: write (for creating branches and commits)
  • pull-requests: write (for creating PR comments)
  • issues: write (for creating issue comments)

Without these permissions, Claude will not be able to execute on requests that involve making changes to the repository.

Suggested change
contents: read
pull-requests: read
issues: read
contents: write
pull-requests: write
issues: write

Copilot uses AI. Check for mistakes.
id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

Comment on lines +39 to +42
Copy link

Copilot AI Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The 'actions: read' permission is already granted at the job level (line 26), so specifying it again in additional_permissions (line 41) is redundant. The additional_permissions field appears to be meant for permissions beyond what's already granted at the job level.

Consider removing the additional_permissions block since the required permission is already set at the job level, or clarify if this configuration has a specific purpose in the claude-code-action implementation.

Suggested change
# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

Copilot uses AI. Check for mistakes.
# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'