Add Claude Code GitHub Workflow

[SippieCup]

Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(pnpm run build),Bash(pnpm run lint),Bash(pnpm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

• Chores
  • Added GitHub Actions workflows for automated code review integration
  • Configured CI/CD automation to run on pull request and comment events

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 825d5720-7eb8-47f8-99b9-2ba3a339e6a8

📥 Commits

Reviewing files that changed from the base of the PR and between 0b5e17b and 03d8950.

📒 Files selected for processing (2)

• .github/workflows/claude-code-review.yml
• .github/workflows/claude.yml

---

📝 Walkthrough

Walkthrough

Two new GitHub Actions workflows integrated Claude AI code review into pull request and comment-based triggers. The workflows invoke the Claude Code action with OAuth authentication to provide automated code review capabilities upon PR events and @claude mentions.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/claude-code-review.yml, .github/workflows/claude.yml	Added two new workflow files: one triggers on PR events (opened, synchronize, ready_for_review, reopened) and runs the Claude Code Review action; the other triggers on issue/PR comments and events containing @claude mentions and runs the Claude Code action. Both workflows authenticate via CLAUDE_CODE_OAUTH_TOKEN and include permissions for reading repository contents and pull requests.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Code reviews hop in with Claude so bright,
Workflows triggered by mentions and PR might,
GitHub Actions dance, authentication flows true,
Automated wisdom in files both new! ✨

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch add-claude-github-actions-1772838528670

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Adds GitHub Actions workflows to integrate the Anthropic Claude Code GitHub Action into the repo, enabling automated agent runs either via @claude mentions or PR-triggered code review runs.

Changes:

• Added a comment-/issue-/review-triggered workflow that runs when @claude is mentioned.
• Added an always-on PR workflow intended to run an automated Claude-based code review.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
.github/workflows/claude.yml	Adds an @claude-mention-triggered Claude Code workflow for issues/comments/reviews.
.github/workflows/claude-code-review.yml	Adds a PR-event-triggered Claude Code “code review” workflow using a review plugin.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

PR description says the Claude workflow “runs automatically whenever Claude is mentioned in PR or issue comments”, but this workflow is triggered unconditionally on PR lifecycle events (opened/synchronize/ready_for_review/reopened) and doesn’t look for an @claude mention. Either update the PR description to reflect the always-on PR review behavior, or add filtering (if/paths/author filters) so it matches the described trigger model.

[Copilot]

The job-level if only checks for an @claude mention, so anyone who can open an issue or comment (including external users) can trigger this workflow and consume the CLAUDE_CODE_OAUTH_TOKEN secret. This contradicts the PR description (“Only users with write access … can trigger the workflow”) and is a security/cost-control risk. Add an authorization gate to the if (e.g., restrict to trusted author_association values and/or query the repo collaborator permission via the GitHub API) before invoking the action.

Suggested change

	(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
	(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
	(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
	(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
	(
	github.event_name == 'issue_comment' &&
	contains(github.event.comment.body, '@claude') &&
	contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
	) ||
	(
	github.event_name == 'pull_request_review_comment' &&
	contains(github.event.comment.body, '@claude') &&
	contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
	) ||
	(
	github.event_name == 'pull_request_review' &&
	contains(github.event.review.body, '@claude') &&
	contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
	) ||
	(
	github.event_name == 'issues' &&
	(
	contains(github.event.issue.body, '@claude') ||
	contains(github.event.issue.title, '@claude')
	) &&
	contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
	)

[Copilot]

This workflow runs on every PR open/sync/etc, but it requires secrets.CLAUDE_CODE_OAUTH_TOKEN. For PRs from forks, GitHub won’t provide repository secrets to pull_request workflows, so this will reliably fail (and may create a failing required check). Add a job if to skip forked PRs (e.g., github.event.pull_request.head.repo.full_name == github.repository) or switch to pull_request_target with appropriate hardening if you intend to support forks.