Conversation


@kubbot kubbot commented Jul 31, 2025

User description

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!


Description

  • Introduced two new GitHub Actions workflows for Claude Code integration and review.
  • The claude-code-review.yml workflow triggers on pull request events to facilitate code reviews.
  • The claude.yml workflow allows interaction with Claude through issue comments and pull request reviews.
  • Both workflows enhance collaboration and code quality by leveraging AI assistance.

Changes walkthrough 📝

Relevant files

Enhancement

claude-code-review.yml: Add Claude Code Review Workflow
.github/workflows/claude-code-review.yml

  • Added a new GitHub Actions workflow for Claude Code Review.
  • Configured triggers for pull request events.
  • Defined steps for checking out the repository and running Claude Code Review.
  • +78/-0

claude.yml: Add Claude Code Integration Workflow
.github/workflows/claude.yml

  • Introduced a new GitHub Actions workflow for Claude Code integration.
  • Set up triggers for various GitHub events including issue comments and pull request reviews.
  • Configured steps for checking out the repository and executing Claude Code.
  • +64/-0


    Summary by CodeRabbit

    • New Features
      • Introduced automated code review for pull requests using Claude AI, providing feedback on code quality, potential bugs, performance, security, and test coverage.
      • Enabled Claude AI assistant to respond to specific trigger phrases in issue and pull request comments, allowing interactive assistance directly within GitHub.

    @kubbot kubbot requested a review from cubxxw as a code owner July 31, 2025 11:55
    @github-project-automation github-project-automation bot moved this to Backlog in nexus Jul 31, 2025
    @penify-dev penify-dev bot added the enhancement New feature or request label Jul 31, 2025

    claude bot commented Jul 31, 2025

    Claude finished @kubbot's task


    Code Review for Claude Code GitHub Workflows

    Todo List:

    • Read and analyze .github/workflows/claude-code-review.yml
    • Read and analyze .github/workflows/claude.yml
    • Review code quality and best practices
    • Check for potential bugs or issues
    • Assess performance considerations
    • Evaluate security concerns
    • Review test coverage and workflow reliability
    • Provide constructive feedback and recommendations

    📋 Review Summary

    Both workflow files are well-structured and follow GitHub Actions best practices. The implementation is clean and uses appropriate permissions. Here's my detailed analysis:

    Strengths

    1. Security Best Practices

      • Proper use of GitHub secrets for API tokens
      • Minimal required permissions granted (read-only access)
      • Uses id-token: write for secure authentication
      • No hardcoded secrets or sensitive data
    2. Code Quality

      • Clean, readable YAML structure
      • Comprehensive commenting with examples
      • Proper indentation and formatting
      • Uses latest stable action versions (actions/checkout@v4)
    3. Flexibility & Configuration

      • Extensive optional configurations commented out for easy customization
      • Multiple trigger conditions properly handled
      • Good separation of concerns between the two workflows

    🔍 Detailed Analysis

    .github/workflows/claude-code-review.yml

    • Purpose: Automated PR reviews on opened and synchronize events
    • Triggers: Lines 4-5 properly configured for PR events
    • Permissions: Lines 22-26 follow least-privilege principle
    • Configuration: Comprehensive optional settings (lines 40-77)

    .github/workflows/claude.yml

    • Purpose: Interactive Claude integration via @claude mentions
    • Triggers: Lines 4-11 cover all relevant GitHub events
    • Conditional Logic: Lines 15-19 properly filter for @claude mentions
    • Permissions: Lines 21-26 include necessary actions: read for CI integration

    ⚠️ Minor Considerations

    1. Performance Optimization

      • Both workflows use fetch-depth: 1 (lines 32 in both files) which is optimal for performance
      • Consider adding concurrency groups to prevent multiple simultaneous runs on rapid pushes
    2. Documentation

      • Excellent inline documentation with examples
      • Consider adding a brief description comment at the top of each file

    🛡️ Security Assessment

    1. Token Management: ✅ Secure

      • Uses GitHub secrets properly
      • No token exposure in logs
    2. Permissions: ✅ Appropriate

      • Minimal necessary permissions
      • Read-only access to repository content
    3. Third-party Actions: ✅ Trusted

      • Uses official actions (actions/checkout@v4)
      • Uses official Anthropic action (anthropics/claude-code-action@beta)

    🧪 Test Coverage & Reliability

    • Workflow Testing: Consider testing these workflows in a separate branch before merging
    • Error Handling: The action itself should handle errors, but no explicit error handling in workflows
    • Monitoring: GitHub Actions provides built-in logging and monitoring

    📝 Recommendations

    1. Add Concurrency Control (Optional)

      concurrency:
        group: ${{ github.workflow }}-${{ github.ref }}
        cancel-in-progress: true
    2. Consider Environment-Specific Configuration

      • Add environment variables for different deployment contexts
      • Consider different behavior for main vs feature branches
    3. Add Workflow Descriptions

      name: Claude Code Review
      # Automated code review using Claude AI for pull requests
      # (kept as a file-level comment: `description` is not a recognized top-level workflow key)

    🎯 Overall Assessment

    Grade: A- (Excellent)

    This is a high-quality implementation that follows GitHub Actions best practices. The code is secure, well-documented, and ready for production use. The extensive optional configurations show thoughtful planning for various use cases.

    No blocking issues found. The workflows are ready to merge and will enhance the development workflow significantly.



    penify-dev bot commented Jul 31, 2025

    PR Review 🔍

    ⏱️ Estimated effort to review [1-5]

    4, because the PR introduces two new GitHub Actions workflows with multiple configuration options and potential customizations, which require careful consideration and understanding of the integration with Claude Code.

    🧪 Relevant tests

    No

    ⚡ Possible issues

    Configuration Complexity: The workflows have many optional configurations that could lead to confusion or misconfiguration if not documented properly.

    Permissions: The permissions granted to the workflows should be reviewed to ensure they align with security best practices.

    🔒 Security concerns

    No


    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 Security concerns

    API token exposure:
    The workflows rely on CLAUDE_CODE_OAUTH_TOKEN secret which needs to be properly configured. If this token is compromised, it could lead to unauthorized API usage. Additionally, the workflows run on external PRs without proper access controls, potentially allowing abuse of the Claude API by unauthorized users. The broad permissions granted (contents, pull-requests, issues, actions read) could expose sensitive repository information to the Claude service.

    ⚡ Recommended focus areas for review

    Security Risk

    The workflow runs on all PRs without any restrictions on who can trigger it. This could allow external contributors to potentially abuse the Claude API quota or access sensitive repository information through automated reviews.

    claude-review:
      # Optional: Filter by PR author
      # if: |
      #   github.event.pull_request.user.login == 'external-contributor' ||
      #   github.event.pull_request.user.login == 'new-developer' ||
      #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
    
    Permission Scope

    The workflow grants broad permissions including contents read, pull-requests read, and actions read. Consider if all these permissions are necessary for the Claude integration functionality.

    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read # Required for Claude to read CI results on PRs

    @kubbot kubbot enabled auto-merge July 31, 2025 11:56

    coderabbitai bot commented Jul 31, 2025

    Caution

    Review failed

    The pull request is closed.

    Walkthrough

    Two new GitHub Actions workflow files are introduced: one automates AI-driven code review on pull requests, and the other enables Claude AI interactions triggered by specific phrases in comments, issues, and reviews. Both workflows use the anthropics/claude-code-action@beta action and are configured with customizable options and permissions.

    Changes

    Cohort / File(s): Claude Code Review Workflow
    .github/workflows/claude-code-review.yml
    Change Summary: Adds a workflow triggered on pull request events to perform automated code reviews using Claude AI, with customizable prompts and permissions.

    Cohort / File(s): Claude AI Interaction Workflow
    .github/workflows/claude.yml
    Change Summary: Introduces a workflow triggered by "@claude" in comments, issues, or reviews, invoking Claude AI for interactive responses, with optional configurations.

    Estimated code review effort

    🎯 1 (Trivial) | ⏱️ ~3 minutes

    Poem

    In the burrows of code, where pull requests sprout,
    Claude hops in to review, removing all doubt.
    With workflows anew, and triggers so keen,
    AI lends a paw, keeping code clean.
    So let the rabbits cheer, as Claude takes the floor—
    Our burrow is safer than ever before! 🐇✨



    📜 Recent review details

    Configuration used: CodeRabbit UI
    Review profile: CHILL
    Plan: Pro

    📥 Commits

    Reviewing files that changed from the base of the PR and between 4154992 and cfb084f.

    📒 Files selected for processing (2)
    • .github/workflows/claude-code-review.yml (1 hunks)
    • .github/workflows/claude.yml (1 hunks)



    penify-dev bot commented Jul 31, 2025

    PR Code Suggestions ✨

    Category | Suggestion | Score

    Security: Explicitly define the actions permission to prevent access issues

    Ensure that the actions permission is explicitly defined in the permissions section to
    avoid potential access issues.

    .github/workflows/claude.yml [26]

    -#      actions: read # Required for Claude to read CI results on PRs
    +actions: read
     
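    Review bot: The replacement line `+actions: read` drops the indentation of the commented original (`#      actions: read`), so applied as-is it would not sit inside the `permissions:` block it is meant to extend; keep the original indentation. The comments on this page also disagree about whether line 26 of claude.yml is still commented: the PR Reviewer Guide's permissions excerpt shows `actions: read # Required for Claude to read CI results on PRs` already active, so confirm against the file before applying.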
    Suggestion importance[1-10]: 9

    Why: Explicitly defining the actions permission is crucial for ensuring that the workflow has the necessary access to read CI results, which enhances security and functionality.

    Score: 9

    Performance: Specify paths to limit workflow runs to relevant file changes

    Consider specifying the paths to limit the workflow to only relevant files, which can
    improve performance and reduce unnecessary runs.

    .github/workflows/claude-code-review.yml [6-11]

    -# Optional: Only run on specific file changes
    -# paths:
    -#   - "src/**/*.ts"
    -#   - "src/**/*.tsx"
    -#   - "src/**/*.js"
    -#   - "src/**/*.jsx"
    +paths:
    +  - "src/**/*.ts"
    +  - "src/**/*.tsx"
    +  - "src/**/*.js"
    +  - "src/**/*.jsx"
     
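    Review bot: The `src/**/*.ts`, `.tsx`, `.js` and `.jsx` globs in the `+` lines look copied from the action's template rather than chosen for this repository; the CI feedback further down this page shows the code being linted lives in Python files under `app/` and `scripts/`, so with these paths the review job would never run on the files actually changing. Match the globs to the repository's layout before applying, and keep `paths:` indented under the `pull_request:` trigger, since the `+` lines lost the indentation of the commented originals.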
    Suggestion importance[1-10]: 8

    Why: Specifying paths can significantly improve performance by limiting workflow runs to relevant file changes, which is a good practice in CI/CD configurations.

    Score: 8

    Enhancement: Add a condition to skip reviews for certain PR titles

    It may be beneficial to include a condition to skip the review for specific titles to
    avoid unnecessary reviews on work-in-progress PRs.

    .github/workflows/claude-code-review.yml [74-77]

    -# Optional: Skip review for certain conditions
    -# if: |
    -#   !contains(github.event.pull_request.title, '[skip-review]') &&
    -#   !contains(github.event.pull_request.title, '[WIP]')
    +if: |
    +  !contains(github.event.pull_request.title, '[skip-review]') &&
    +  !contains(github.event.pull_request.title, '[WIP]')
     
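    Review bot: The `+if: |` lines start at column 0, so as written the condition would not attach to the job it belongs to; restore the indentation of the commented original so `if:` sits under the job key. Note also that a title-based skip is a courtesy for contributors, not an access control: it does nothing about the concern raised in the PR Reviewer Guide above that the workflow runs on every PR regardless of who opened it.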
    Suggestion importance[1-10]: 7

    Why: Adding a condition to skip reviews for certain PR titles can help avoid unnecessary reviews, making the workflow more efficient.

    Score: 7

    Best practice: Add a timeout setting to prevent jobs from running indefinitely

    Consider adding a timeout-minutes setting to the job to prevent it from running
    indefinitely.

    .github/workflows/claude.yml [14]

    -# Optional: Add a timeout for the job
    +timeout-minutes: 10
     
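    Review bot: `timeout-minutes` is a job-level key, so the replacement needs to be indented under the `claude:` job at the same level as `runs-on`, not at column 0 as the `+` line shows. Ten minutes may be tight for an agent run that checks out the repository and invokes tools; the PR description notes that all Claude runs are kept in the Actions run history, so pick the value from observed run durations.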
    Suggestion importance[1-10]: 6

    Why: Adding a timeout setting is a good practice to prevent jobs from running indefinitely, but it is not as critical as the other suggestions.

    Score: 6

    Copy link

    CI Feedback 🧐

    A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

    Action: Complete CI/CD Pipeline

    Failed stage: Format code [❌]

    Failure summary:

    The action failed due to code formatting issues detected by the linter. Specifically:
    • 426 formatting errors were found across multiple files
    • 352 errors were automatically fixed, but 74 errors remain unfixed
    • Key issues include trailing whitespace (W291) and blank lines containing whitespace (W293)
    • Examples of problematic files:
      - app/tests/test_ai_processing_status_bug.py (line 8: trailing whitespace, line 33: whitespace in blank line)
      - scripts/migrate_segments_to_content_segments.py (line 131: whitespace in blank line)
    • The backend-format make target failed with exit code 1
    • Some fixes require the --unsafe-fixes option to be enabled

    Relevant error logs:
    1:  ##[group]Runner Image Provisioner
    2:  Hosted Compute Agent
    ...
    
    1088:  app/tests/test_ai_processing_status_bug.py:8:64: W291 Trailing whitespace
    1089:  |
    1090:  7 | Problem: 
    1091:  8 | - Content upload → basic processing → status set to "completed" 
    1092:  |                                                                ^ W291
    1093:  9 | - AI processing starts AFTER "completed" status is set
    1094:  10 | - Users see "completed" while AI analysis is still running
    1095:  |
    1096:  = help: Remove trailing whitespace
    1097:  app/tests/test_ai_processing_status_bug.py:33:1: W293 Blank line contains whitespace
    1098:  |
    1099:  31 |         """
    1100:  32 |         Test that processing_status is NOT set to 'completed' before AI processing.
    1101:  33 |         
    1102:  | ^^^^^^^^ W293
    1103:  34 |         This test should FAIL initially, demonstrating the bug.
    1104:  35 |         After fixing the bug, it should PASS.
    ...
    
    1542:  | ^^^^^^^^ W293
    1543:  128 |         RETURN NEW;
    1544:  129 |     END;
    1545:  |
    1546:  = help: Remove whitespace from blank line
    1547:  scripts/migrate_segments_to_content_segments.py:131:1: W293 Blank line contains whitespace
    1548:  |
    1549:  129 |     END;
    1550:  130 |     $$ LANGUAGE plpgsql;
    1551:  131 |     
    1552:  | ^^^^ W293
    1553:  132 |     -- 创建触发器
    1554:  133 |     DROP TRIGGER IF EXISTS trigger_populate_content_segments ON segments;
    1555:  |
    1556:  = help: Remove whitespace from blank line
    1557:  Found 426 errors (352 fixed, 74 remaining).
    1558:  No fixes available (38 hidden fixes can be enabled with the `--unsafe-fixes` option).
    1559:  make: *** [Makefile:382: backend-format] Error 1
    1560:  ❌ Error fixing code issues
    1561:  ##[error]Process completed with exit code 2.
    1562:  Post job cleanup.
    


    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category | Suggestion | Impact

    Possible issue: Add write permissions for comments

    The workflow needs write permissions to post review comments on pull requests.
    Without pull-requests: write, Claude cannot create comments with its review
    feedback.

    .github/workflows/claude-code-review.yml [22-26]

     permissions:
       contents: read
    -  pull-requests: read
    +  pull-requests: write
       issues: read
       id-token: write
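    Review bot: Before widening `pull-requests` to `write`, confirm which credential the action uses to post review comments: the job `permissions` block scopes the workflow's GITHUB_TOKEN, while the workflow authenticates the action with the CLAUDE_CODE_OAUTH_TOKEN secret named in the PR Reviewer Guide above, so the claim that the run would fail with read scope should be checked against the action's documentation rather than assumed. If write scope is needed, pair it with the PR-author filter the Reviewer Guide flags as missing, because this job runs on every PR.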
    Suggestion importance[1-10]: 10


    Why: The suggestion correctly identifies that pull-requests: write permission is essential for the workflow to post review comments, fixing a critical issue that would cause it to fail.

    Impact: High

    Add write permissions for responses

    Claude needs write permissions to respond to @claude mentions with comments. The
    current read-only permissions will prevent Claude from posting responses.

    .github/workflows/claude.yml [21-26]

     permissions:
       contents: read
    -  pull-requests: read
    -  issues: read
    +  pull-requests: write
    +  issues: write
       id-token: write
       actions: read # Required for Claude to read CI results on PRs
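    Review bot: Granting `issues: write` and `pull-requests: write` on a workflow triggered by `issue_comment`, `issues` and review events means every event that passes the mention filter runs with write scope. The PR description says only users with write access can trigger the workflow, but the condition described in the claude bot review (lines 15-19) checks only for the `@claude` mention, so combine the widened scope with an `author_association` check on the comment or review author, and keep `contents: read` as the hunk does.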
    Suggestion importance[1-10]: 10


    Why: The suggestion correctly identifies that pull-requests: write and issues: write permissions are essential for the workflow to post comments, fixing a critical issue that would cause it to fail.

    Impact: High

    General: Remove redundant permission declaration

    The additional_permissions field is redundant since actions: read is already
    declared in the job permissions block above. This duplication could cause
    confusion or conflicts.

    .github/workflows/claude.yml [40-41]

    -additional_permissions: |
    -  actions: read
    +# This is an optional setting that allows Claude to read CI results on PRs
    +# additional_permissions already covered in job permissions above
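    Review bot: The job `permissions:` block and the `additional_permissions` input are not necessarily the same setting: the block scopes the workflow's GITHUB_TOKEN, whereas `additional_permissions` is an input passed to `anthropics/claude-code-action@beta` and may govern a token the action obtains for itself. Check the action's documentation before treating the input as redundant; if it is removed, the replacement comment `# additional_permissions already covered in job permissions above` should state which token it refers to so the next reader does not re-add it.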
    Suggestion importance[1-10]: 5


    Why: The suggestion correctly points out that the additional_permissions input is redundant as the permission is already granted at the job level, improving code clarity and maintainability.

    Impact: Low

    @kubbot kubbot added this pull request to the merge queue Jul 31, 2025
    Merged via the queue into main with commit 7f18d8c Jul 31, 2025
    13 of 17 checks passed
    @kubbot kubbot deleted the add-claude-github-actions-1753962858137 branch July 31, 2025 11:56
    @github-project-automation github-project-automation bot moved this from Backlog to Done in nexus Jul 31, 2025