@MarjovanLier MarjovanLier commented May 23, 2025

User description

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code documentation.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!


PR Type

enhancement, other


Description

  • Add GitHub Actions workflow to enable Claude Code integration

  • Trigger workflow on @claude mentions in issues, PRs, and comments

  • Securely use Anthropic API key from GitHub secrets

  • Restrict workflow execution to users with write access


Changes walkthrough 📝

Relevant files
Enhancement
claude.yml
Add Claude Code GitHub Actions workflow                                   

.github/workflows/claude.yml

  • Introduces a new workflow for Claude Code integration
  • Triggers on @claude mentions in issues, PRs, and comments
  • Configures permissions and secure API key usage
  • Uses the anthropics/claude-code-action@beta GitHub Action
  • +37/-0   

    Summary by CodeRabbit

    • Chores
      • Introduced a new GitHub Actions workflow that responds to "@claude" mentions in issues, comments, and pull request reviews to automate related tasks.

    @MarjovanLier MarjovanLier requested a review from Copilot May 23, 2025 09:15
    @gemini-code-assist

    Note

    Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

    coderabbitai bot commented May 23, 2025

    Walkthrough

    A new GitHub Actions workflow named "Claude Code" has been introduced. This workflow triggers on specific GitHub events involving comments, issues, and pull request reviews that mention "@claude". It checks out the repository and runs the "anthropics/claude-code-action@beta" action using an Anthropic API key from repository secrets.

    Changes

    | File(s) | Change Summary |
    | --- | --- |
    | .github/workflows/claude.yml | Added a workflow to trigger the Claude Code GitHub Action on specific events mentioning "@claude". |

    Sequence Diagram(s)

    sequenceDiagram
        participant GitHub User
        participant GitHub Actions
        participant Claude Code Action
    
        GitHub User->>GitHub Actions: Create comment/issue/PR with "@claude"
        GitHub Actions->>Claude Code Action: Trigger workflow, checkout repo, run action
        Claude Code Action->>GitHub Actions: Process request using Anthropic API key
        GitHub Actions->>GitHub User: Respond with action results
    

    @qodo-code-review

    Changelog updates: 🔄

    2025-05-23 *

    Added

    • Added Claude Code GitHub workflow for AI-assisted code reviews and development

    To commit the new content to the CHANGELOG.md file, please type:
    '/update_changelog --pr_update_changelog.push_changelog_changes=true'

    @qodo-code-review

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category | Suggestion | Impact
    Possible issue
    Add write permissions

    Add pull-requests: write and issues: write permissions to allow Claude to
    respond to comments and issues. Currently, Claude can only read but not write
    responses.

    .github/workflows/claude.yml [21-25]

     permissions:
       contents: read
    -  pull-requests: read
    -  issues: read
    +  pull-requests: write
    +  issues: write
       id-token: write
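
Review bot: the two `+` lines widen `pull-requests` and `issues` to `write` on a job whose `if:` condition, as quoted later in this thread, matches any comment containing `@claude` and has no `author_association` check; gate the trigger on the commenter's association first, then widen scopes. The CI log on this page also shows the action exchanging an OIDC token for an app token, so confirm that the job's own token scopes are what the action writes with before granting them, and leave `contents: read` as it is.
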
    Suggestion importance[1-10]: 8

    Why: Granting write permissions for pull-requests and issues is important if the Claude action needs to post comments or update issues/PRs, which is likely for an interactive bot; this change directly enables required functionality.

    Medium
    General
    Improve repository context

    Increase the fetch-depth to provide Claude with more repository context. A value
    of 1 only fetches the latest commit, which may be insufficient for meaningful
    code analysis.

    .github/workflows/claude.yml [27-30]

     - name: Checkout repository
       uses: actions/checkout@v4
       with:
    -    fetch-depth: 1
    +    fetch-depth: 0
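
Review bot: `fetch-depth: 0` on the `+` line makes every `@claude` mention clone the full history, and nothing in this hunk shows a step that reads past commits; keep `fetch-depth: 1` unless a concrete need for history is identified, and if one is, prefer a bounded depth over 0 so run time stays predictable on a comment-triggered job.
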
    Suggestion importance[1-10]: 6

    Why: Increasing fetch-depth to 0 allows the action to access the full repository history, which can improve analysis quality, but is not strictly necessary for all use cases and may increase workflow time.

    Low

    @qodo-code-review

    Manual-approval option for PR-Agent is disabled. You can enable it via a configuration file

    codecov bot commented May 23, 2025

    Codecov Report

    All modified and coverable lines are covered by tests ✅

    Project coverage is 98.80%. Comparing base (d24e598) to head (26dbdca).
    Report is 1 commits behind head on main.

    Additional details and impacted files
    @@            Coverage Diff            @@
    ##               main      #44   +/-   ##
    =========================================
      Coverage     98.80%   98.80%           
      Complexity       26       26           
    =========================================
      Files             1        1           
      Lines            84       84           
    =========================================
      Hits             83       83           
      Misses            1        1           

    Copilot AI left a comment

    Pull Request Overview

    This PR adds a GitHub Actions workflow to integrate Claude Code into the repository, enabling automated responses and code reviews via @claude mentions.

    • Adds a new workflow file (.github/workflows/claude.yml) that triggers on various GitHub events when @claude is mentioned.
    • Configures secure usage of the Anthropic API key and restricts workflow execution to users with write access.

    qodo-code-review bot commented May 23, 2025

    CI Feedback 🧐

    (Feedback updated until commit 26dbdca)

    A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

    Action: claude

    Failed stage: Run Claude Code [❌]

    Failure summary:

    The action failed because it was unable to exchange the OIDC token for a GitHub app token. The
    operation attempted 3 times (lines 173-179) but consistently received a "401 Unauthorized" error.
    This authentication failure prevented the workflow from proceeding further, resulting in the error
    message "Failed to setup GitHub token" (line 180).

    Relevant error logs:
    1:  ##[group]Runner Image Provisioner
    2:  Hosted Compute Agent
    ...
    
    158:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
    159:  env:
    160:  TRIGGER_PHRASE: @claude
    161:  ASSIGNEE_TRIGGER: 
    162:  ALLOWED_TOOLS: 
    163:  CUSTOM_INSTRUCTIONS: 
    164:  DIRECT_PROMPT: 
    165:  OVERRIDE_GITHUB_TOKEN: 
    166:  GITHUB_RUN_ID: 15206890863
    167:  ##[endgroup]
    168:  Requesting OIDC token...
    169:  Attempt 1 of 3...
    170:  OIDC token successfully obtained
    171:  Exchanging OIDC token for app token...
    172:  Attempt 1 of 3...
    173:  Attempt 1 failed: App token exchange failed: 401 Unauthorized
    174:  Retrying in 5 seconds...
    175:  Attempt 2 of 3...
    176:  Attempt 2 failed: App token exchange failed: 401 Unauthorized
    177:  Retrying in 10 seconds...
    178:  Attempt 3 of 3...
    179:  Attempt 3 failed: App token exchange failed: 401 Unauthorized
    180:  ##[error]Failed to setup GitHub token: Error: Operation failed after 3 attempts. Last error: App token exchange failed: 401 Unauthorized
    181:  ##[error]Process completed with exit code 1.
    182:  ##[group]Run curl -L \
    

    @coderabbitai coderabbitai bot left a comment

    Actionable comments posted: 2

    🧹 Nitpick comments (2)
    .github/workflows/claude.yml (2)

    1-12: Well-defined workflow triggers
    You’ve covered core events (issue comments, PR review comments, issues opened/assigned, PR reviews). Consider adding a workflow_dispatch trigger for manual runs and easier testing without a real comment.


    32-37: Verify secret configuration and rotation
    Ensure that ANTHROPIC_API_KEY is added under repository secrets and has a rotation policy. Optionally, you could expose it via an env: block for clarity:

    env:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
    📜 Review details

    Configuration used: .coderabbit.yaml
    Review profile: CHILL
    Plan: Pro

    📥 Commits

    Reviewing files that changed from the base of the PR and between d24e598 and 26dbdca.

    📒 Files selected for processing (1)
    • .github/workflows/claude.yml (1 hunks)
    ⏰ Context from checks skipped due to timeout of 90000ms (2)
    • GitHub Check: guardrails/scan
    • GitHub Check: Codacy Static Code Analysis
    🔇 Additional comments (1)
    .github/workflows/claude.yml (1)

    27-31: Checkout step is good
    Using actions/checkout@v4 with fetch-depth: 1 ensures speed and minimal history. If Claude ever needs deeper context, you can adjust or remove fetch-depth, but this setup is solid.

    Comment on lines +21 to +25
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write

    ⚠️ Potential issue

    Grant write permissions for repository changes
    The action needs to create branches, commits, and comments, but you’ve limited contents, issues, and pull-requests to read-only. Update the permissions block to include write access:

    permissions:
      contents: write
      issues: write
      pull-requests: write
      id-token: write
    🤖 Prompt for AI Agents
    In .github/workflows/claude.yml around lines 21 to 25, the permissions for
    contents, issues, and pull-requests are set to read-only, but the action
    requires write access to create branches, commits, and comments. Update the
    permissions block to set contents, issues, and pull-requests to write instead of
    read, while keeping id-token as write.
    

    Comment on lines +15 to +20
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    runs-on: ubuntu-latest

    🛠️ Refactor suggestion

    Enforce author_association checks for security
    Per the PR objectives, only users with write access should trigger Claude. Right now any mention of @claude fires the job. Enhance the if condition to also verify author_association (e.g. OWNER / MEMBER / COLLABORATOR) on github.event.comment.author_association, github.event.issue.author_association, and github.event.review.user.association to block untrusted actors.

    🤖 Prompt for AI Agents
    In .github/workflows/claude.yml around lines 15 to 20, the current if condition
    triggers the job on any mention of '@claude' without checking the author's
    association, which can allow untrusted users to run the job. Update the if
    condition to include checks that the author_association is one of OWNER, MEMBER,
    or COLLABORATOR by verifying github.event.comment.author_association,
    github.event.issue.author_association, and github.event.review.user.association
    accordingly. This will restrict triggering to trusted users only.
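
The author_association gate suggested in the review comment above, written out as a complete workflow. This is an added example, not the PR's claude.yml: the event `types`, the `anthropic_api_key` input name and the trusted-association list are assumptions, and the review event is checked through `github.event.review.author_association`.

```yaml
# Added example (not the PR's file): mention trigger gated on author_association.
# Assumed: the event `types`, the `anthropic_api_key` input name, the trusted list.
name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_review:
    types: [submitted]
  issues:
    types: [opened, assigned]

jobs:
  claude:
    # Every clause requires the mention AND a trusted author of the text that
    # carries it. For `issues` events the association is the issue author's,
    # including when the event type is `assigned`.
    if: |
      (github.event_name == 'issue_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review' &&
        contains(github.event.review.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
      (github.event_name == 'issues' &&
        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
    runs-on: ubuntu-latest
    # Scopes as quoted from the PR (lines 21-25); widen only after the gate is in place.
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code
        uses: anthropics/claude-code-action@beta
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```

`author_association` describes the author's relationship to the repository rather than a permission level, so treat this gate as a coarse filter and not as proof of write access.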
    

    @MarjovanLier MarjovanLier deleted the add-claude-github-actions-1747991693286 branch May 23, 2025 19:32