Pull request overview
Adds GitHub Actions workflows to integrate Anthropic Claude Code into the repo, enabling (1) on-demand runs when @claude is mentioned and (2) automatic PR code review runs.
Changes:
- Added a workflow to run Claude Code when @claude appears in issue/PR comments, reviews, or issue text.
- Added a workflow to run a Claude “code review” plugin automatically on PR lifecycle events.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/claude.yml | New workflow that triggers Claude Code runs based on @claude mentions in issues/PR comments/reviews. |
| .github/workflows/claude-code-review.yml | New workflow that runs an automated Claude-based code review plugin on PR events. |
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write |
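Review bot: `id-token: write` on the last line of this block lets the job request a GitHub OIDC token, a credential separate from `GITHUB_TOKEN`; before widening `issues`, `pull-requests` or `contents` to `write`, check which of the two tokens the action actually uses to comment and push, so that write access exists on only one path and `contents` stays at `read` unless branch pushes are genuinely required.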
The workflow permissions are read-only (issues: read, pull-requests: read, contents: read), but the PR description says Claude will be able to respond to mentions and create comments/branches/commits. If the action is expected to post back to PRs/issues (and especially to push branches/commits), the job needs the corresponding issues: write / pull-requests: write (and possibly contents: write) permissions; otherwise it will be unable to perform those operations with GITHUB_TOKEN.
| - name: Run Claude Code | ||
| id: claude | ||
| uses: anthropics/claude-code-action@v1 |
For supply-chain hardening, consider pinning third-party actions (notably anthropics/claude-code-action) to a commit SHA instead of a mutable tag like @v1. This reduces the risk of upstream tag retargeting impacting your workflow.
| uses: anthropics/claude-code-action@v1 | |
| uses: anthropics/claude-code-action@<COMMIT-SHA> |
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| # Optional: Only run on specific file changes |
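Review bot: `pull_request` (rather than `pull_request_target`) is the right trigger from a fork-safety standpoint: fork PRs run without repository secrets and with a read-only token. Any same-repo gate added to deal with `ANTHROPIC_API_KEY` being absent on forks should keep this trigger; switching to `pull_request_target` to make the key available would hand it, plus a token that can write, to a job whose inputs (PR title, body and diff) are controlled by the fork author.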
This workflow runs on every PR open/sync/reopen. For PRs coming from forks, secrets.ANTHROPIC_API_KEY won’t be available, so the job will fail/no-op and still consume CI capacity. Consider gating the job to same-repo PRs (e.g., github.event.pull_request.head.repo.full_name == github.repository) and/or skipping when the API key secret isn’t present.
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write |
The job permissions are read-only, which means the default GITHUB_TOKEN cannot publish a PR review/comment. If the intent is for the code-review plugin to leave feedback on the PR (as opposed to only emitting logs), it will need pull-requests: write (and potentially issues: write) permissions.
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 |
For supply-chain hardening, consider pinning anthropics/claude-code-action@v1 to a specific commit SHA. This avoids unexpected behavior changes if the upstream tag is moved.
| uses: anthropics/claude-code-action@v1 | |
| uses: anthropics/claude-code-action@0123456789abcdef0123456789abcdef01234567 |
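Review bot: the SHA in the suggested line (`0123456789abcdef0123456789abcdef01234567`) is a placeholder, not a real commit of `anthropics/claude-code-action`, and the same applies to `<COMMIT-SHA>` in the claude.yml suggestion. Resolve the commit that `v1` currently points to, for example with `git ls-remote https://github.com/anthropics/claude-code-action refs/tags/v1` (take the peeled `^{}` entry if the tag is annotated), pin that, and keep the tag in a trailing comment (`@<sha> # v1`) so Dependabot or Renovate can track updates.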
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
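Review bot: an author gate on this condition decides only who can start a run; once a trusted user triggers on an issue or PR, the model still reads the whole thread and diff, which any GitHub user can write to, so instructions embedded there can steer the agent. Pair the gate with minimal token scopes and a restricted tool set for the action. Also, `contains(..., '@claude')` is a plain substring match, so the string inside a quoted reply, a code block or a URL triggers the job as well.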
The job can be triggered by any user who can open an issue or post a comment containing @claude. Since this workflow uses a paid secret (ANTHROPIC_API_KEY) and provides the model repo/issue context, it should be gated by the author’s trust level (e.g., author_association in OWNER|MEMBER|COLLABORATOR, or a specific allowlist) to prevent untrusted users from triggering runs.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| ( | |
| github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| ( | |
| github.event.comment.author_association == 'OWNER' || | |
| github.event.comment.author_association == 'MEMBER' || | |
| github.event.comment.author_association == 'COLLABORATOR' | |
| ) | |
| ) || | |
| ( | |
| github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| ( | |
| github.event.comment.author_association == 'OWNER' || | |
| github.event.comment.author_association == 'MEMBER' || | |
| github.event.comment.author_association == 'COLLABORATOR' | |
| ) | |
| ) || | |
| ( | |
| github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| ( | |
| github.event.review.author_association == 'OWNER' || | |
| github.event.review.author_association == 'MEMBER' || | |
| github.event.review.author_association == 'COLLABORATOR' | |
| ) | |
| ) || | |
| ( | |
| github.event_name == 'issues' && | |
| ( | |
| contains(github.event.issue.body, '@claude') || | |
| contains(github.event.issue.title, '@claude') | |
| ) && | |
| ( | |
| github.event.issue.author_association == 'OWNER' || | |
| github.event.issue.author_association == 'MEMBER' || | |
| github.event.issue.author_association == 'COLLABORATOR' | |
| ) | |
| ) |
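The review comments above make four hardening points: pin third-party actions to a commit SHA, grant write scopes deliberately, keep fork PRs away from secrets, and gate the @claude trigger on the author's trust level. As an added example (not code from this PR, from Copilot, or from the claude-code-action project), the script below runs those checks over workflow text so they can be enforced in CI rather than re-reviewed by hand. The two workflow excerpts it is run against are constructed here to mirror the hunks on this page; the `anthropic_api_key` input name is assumed, and the 40-hex SHA in the hardened excerpt is the placeholder from Copilot's suggestion, not a real commit. The `contains(fromJSON([...]), author_association)` expression is the standard GitHub Actions way to write the three-way OR Copilot proposes.

```python
"""Audit a GitHub Actions workflow for the hardening points raised above.

Added example; not code from this PR, from Copilot, or from the claude-code-action
project.  Line-based on purpose so it needs no YAML library; a production linter
should parse the YAML properly.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (code, line number or 0 for whole-file, message)

_USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
_SHA40 = re.compile(r"^[0-9a-f]{40}$")
_PERM = re.compile(r"^\s*([a-z-]+)\s*:\s*(read|write|none)\s*$")
_PR_TARGET = re.compile(r"^\s*pull_request_target\s*:")
_PR = re.compile(r"^\s*pull_request\s*:", re.M)


def audit_workflow(text: str) -> List[Finding]:
    """Return findings for one workflow file supplied as text."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _USES.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local action or container image, not a marketplace tag
            action, _, version = ref.rpartition("@")
            if not action or not _SHA40.match(version):
                findings.append(("unpinned-action", n,
                                 f"{ref!r} uses a mutable ref; pin to a 40-hex commit SHA"))
            continue
        if _PR_TARGET.match(line):
            findings.append(("pull-request-target", n,
                             "pull_request_target runs fork PRs with secrets; prefer pull_request"))
            continue
        m = _PERM.match(line)
        if m and m.group(1) == "contents" and m.group(2) == "write":
            findings.append(("contents-write", n,
                             "contents: write lets GITHUB_TOKEN push; keep read unless branches are created"))
    # Whole-file checks: fork handling and who may start a run.
    if "secrets." in text and _PR.search(text) and "head.repo.full_name" not in text:
        findings.append(("no-fork-guard", 0,
                         "secrets used on pull_request with no same-repo guard; fork PRs run without them"))
    if "@claude" in text and "author_association" not in text:
        findings.append(("no-trust-gate", 0,
                         "@claude trigger not gated on author_association; any commenter can start a run"))
    return findings


def finding_codes(text: str) -> List[str]:
    """Sorted, de-duplicated finding codes (handy for tests and CI gates)."""
    return sorted({code for code, _, _ in audit_workflow(text)})


# Constructed excerpt combining the weak points of both reviewed workflows
# (not the PR's actual files).  The `anthropic_api_key` input name is assumed.
WEAK_WORKFLOW = """\
on:
  issue_comment: {types: [created]}
  pull_request: {types: [opened, synchronize, ready_for_review, reopened]}
jobs:
  claude:
    if: contains(github.event.comment.body, '@claude')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
"""

# Constructed hardened counterpart: SHA-pinned (placeholder SHA from the review,
# not a real commit), author-gated, write scopes only where comments are posted.
HARDENED_WORKFLOW = """\
on:
  issue_comment: {types: [created]}
jobs:
  claude:
    if: >-
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      issues: write
      id-token: write
    steps:
      - uses: anthropics/claude-code-action@0123456789abcdef0123456789abcdef01234567 # placeholder
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
"""
```

`finding_codes(WEAK_WORKFLOW)` reports `no-fork-guard`, `no-trust-gate` and `unpinned-action`, while the hardened excerpt reports nothing; wiring the function into a pre-commit hook or a small CI job over `.github/workflows/*.yml` turns the review comments on this page into a standing check.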
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!