Add Claude Code GitHub Workflow #48
Conversation
Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
📝 Walkthrough
Introduces a new GitHub Actions workflow for automated Claude-based code reviews on pull requests and updates an existing Claude workflow to adjust triggers, permissions, and token configuration, adding optional commented settings.
Sequence Diagram(s)

```mermaid
sequenceDiagram
autonumber
actor Dev as Developer
participant GH as GitHub (PR)
participant GA as GitHub Actions
participant Job as claude-code-review.yml
participant Act as anthropics/claude-code-action
participant CL as Claude Service
Dev->>GH: Open/Synchronize PR
GH-->>GA: Trigger workflow (pull_request)
GA->>Job: Run job (ubuntu-latest)
Job->>Act: Invoke action with OAuth token + prompt
Act->>CL: Submit review request (diff/context)
CL-->>Act: Analysis & review results
Act-->>GH: Post review/comments on PR
```

```mermaid
sequenceDiagram
autonumber
actor User as User
participant GH as GitHub (Issues/PR Reviews/Comments)
participant GA as GitHub Actions
participant Flow as claude.yml
participant Act as anthropics/claude-code-action
participant CL as Claude Service
User->>GH: Post content containing "@claude"
GH-->>GA: Trigger on eligible events
GA->>Flow: Evaluate if-condition on event + content
alt Condition passes
Flow->>Act: Run action with OAuth token (+optional configs)
Act->>CL: Send prompt/context
CL-->>Act: Response
Act-->>GH: Post reply/comment
else Condition fails
GA-->>User: No action
end
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
Changelog updates: 🔄 2025-08-22
* Added
* Changed
Codecov Report ✅ All modified and coverable lines are covered by tests.

Coverage Diff (main vs. #48):

| | main | #48 | +/- |
|---|---|---|---|
| Coverage | 100.00% | 100.00% | |
| Complexity | 33 | 33 | |
| Files | 1 | 1 | |
| Lines | 81 | 81 | |
| Hits | 81 | 81 | |

☔ View full report in Codecov by Sentry.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/claude.yml (1)
33-36: Pin to a fixed commit SHA for Claude Code Action
No stable semver release exists beyond the `beta` tag (which currently resolves to `main`). To mitigate supply-chain risk, pin the action to an immutable commit SHA:
• File: .github/workflows/claude.yml (around lines 33–36)
```diff
- uses: anthropics/claude-code-action@beta
+ uses: anthropics/claude-code-action@<COMMIT_SHA>
```
• Fetch the latest commit SHA on `main` with:
```bash
gh api repos/anthropics/claude-code-action/git/ref/heads/main --jq '.object.sha'
```
Replace `<COMMIT_SHA>` with the returned value and commit the update. Keep an eye on the repository for an official tagged release (e.g. v1.0.0) and upgrade once it’s available.
🧹 Nitpick comments (9)
.github/workflows/claude-code-review.yml (4)
28-33: Add concurrency to auto-cancel stale reviews on new pushes. Prevents duplicate feedback and saves API budget.
```diff
  jobs:
    claude-review:
+     concurrency:
+       group: claude-review-${{ github.event.pull_request.number }}
+       cancel-in-progress: true
```
43-53: Tighten the direct_prompt to align with your PHP standards and expectations. Make Claude consistently enforce your house style (PER CS 2.0/PSR-12), immutability where sensible, and test expectations.
```diff
  direct_prompt: |
-   Please review this pull request and provide feedback on:
-   - Code quality and best practices
-   - Potential bugs or issues
-   - Performance considerations
-   - Security concerns
-   - Test coverage
-
-   Be constructive and helpful in your feedback.
+   Review this PR with focus on:
+   - PHP style: PER Coding Style 2.0 (PSR-12/PSR-1), naming, formatting.
+   - Design: SOLID, FOOP, immutability/pure functions where practical.
+   - Correctness: edge cases, null/empty handling, off-by-one, timezones.
+   - Security: injection, XSS, CSRF, path traversal, secrets/PII handling.
+   - Performance: N+1, hot paths, allocations; suggest simple wins.
+   - Tests: coverage of branches and failure paths; request missing cases.
+   Keep feedback concise, actionable, and code-first (include diffs where useful).
```
I can tailor this per directory/file type if you share your project conventions.
71-73: If enabling Bash tools, sandbox aggressively. Allowing `Bash(...)` grants arbitrary command exec. Keep it disabled by default; if enabling, restrict to read-only commands, set a safe working directory, and ensure no repo secrets are injected.
```diff
- # allowed_tools: "Bash(npm run test),Bash(npm run lint),Bash(npm run typecheck)"
+ # allowed_tools: |
+ #   Bash(npm ci --ignore-scripts --no-audit --no-fund)
+ #   Bash(npm run -s lint)
+ #   Bash(npm run -s test -- --reporter=min --maxWorkers=2)
```
20-20: Clean trailing spaces and extra blank line to satisfy YAML linting. Minor hygiene; it keeps CI quiet.
No functional change—just remove trailing spaces and the final blank line.
Also applies to: 27-27, 51-51, 56-56, 64-64, 67-67, 70-70, 73-73, 79-79
.github/workflows/claude.yml (5)
15-19: Good, targeted gating on mention content. The `if:` guards are clear and avoid unnecessary runs. Consider adding a simple anti-abuse check if mention spam becomes an issue (see comment below).
28-32: Consider concurrency to cancel prior runs on rapid comment edits. Prevents duplicative replies when users edit comments quickly.
```diff
  jobs:
    claude:
+     concurrency:
+       group: claude-${{ github.event_name }}-${{ github.event.repository?.name || 'repo' }}-${{ github.run_id }}
+       cancel-in-progress: true
```
If you prefer per-thread grouping, derive the group from `github.event.issue.number` or `github.event.pull_request.number` depending on event type.
39-42: Optional knobs look good; consider enabling a safer trigger phrase and assignee gating. To prevent random mentions from triggering runs, you can require `/claude` or an assignee match.
```diff
- # trigger_phrase: "/claude"
+ # trigger_phrase: "/claude"
+
- # assignee_trigger: "claude-bot"
+ # assignee_trigger: "claude-bot" # only respond when assigned
```
Also applies to: 43-45, 46-48, 49-51, 52-54, 55-60
42-42: Remove trailing spaces and the final extra blank line. Keeps YAMLlint green; no behavioral change.
Also applies to: 45-45, 48-48, 51-51, 54-54, 60-60, 64-64
21-27: Validate whether `id-token: write` is needed here. Keep it if the action mints a GitHub App token using OIDC (it likely does, given `additional_permissions`). Otherwise, drop it for least privilege.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (2)
- .github/workflows/claude-code-review.yml (1 hunks)
- .github/workflows/claude.yml (2 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/claude-code-review.yml
[error] 20-20: trailing spaces
(trailing-spaces)
[error] 27-27: trailing spaces
(trailing-spaces)
[error] 51-51: trailing spaces
(trailing-spaces)
[error] 56-56: trailing spaces
(trailing-spaces)
[error] 64-64: trailing spaces
(trailing-spaces)
[error] 67-67: trailing spaces
(trailing-spaces)
[error] 70-70: trailing spaces
(trailing-spaces)
[error] 73-73: trailing spaces
(trailing-spaces)
[warning] 78-78: too many blank lines (1 > 0)
(empty-lines)
.github/workflows/claude.yml
[error] 42-42: trailing spaces
(trailing-spaces)
[error] 45-45: trailing spaces
(trailing-spaces)
[error] 48-48: trailing spaces
(trailing-spaces)
[error] 51-51: trailing spaces
(trailing-spaces)
[error] 54-54: trailing spaces
(trailing-spaces)
[error] 60-60: trailing spaces
(trailing-spaces)
[warning] 64-64: too many blank lines (1 > 0)
(empty-lines)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
- GitHub Check: guardrails/scan
- GitHub Check: Codacy Static Code Analysis
- GitHub Check: build (8.4)
- GitHub Check: build (8.3)
🔇 Additional comments (4)
.github/workflows/claude-code-review.yml (2)
36-41: ✅ Action owner verified
The GitHub Action uses the correct repository owner (anthropics/claude-code-action), so no changes are needed to avoid 404s. You can leave the commented model example in place for future reference.
34-37: Pin Claude Code Action to Latest Stable Release. To mitigate supply-chain risk, replace the mutable `@beta` ref with the latest semver tag (v0.0.62, released 2025-08-21):
• File: .github/workflows/claude-code-review.yml (lines 34–37)
```diff
- uses: anthropics/claude-code-action@beta
+ uses: anthropics/claude-code-action@v0.0.62
```
This change locks the action to a fixed, audited version and avoids unexpected updates.
.github/workflows/claude.yml (2)
33-37: Owner spelling verified – no changes needed. The GitHub repository `anthropics/claude-code-action` exists and is spelled correctly, so the workflow step should continue using the `anthropics` owner as-is.
– File: .github/workflows/claude.yml (lines 33–37)
– Workflow step: `uses: anthropics/claude-code-action@beta`
21-27: With read-only PR/Issues perms, Claude won’t be able to reply. Add scoped write via additional_permissions. You lowered job-level perms to read (good for least privilege), but the action must still obtain a token with `issues: write` and/or `pull-requests: write` to post comments/reviews. Minimal change:
```diff
        id-token: write
        actions: read # Required for Claude to read CI results on PRs
@@
        - name: Run Claude Code
          id: claude
          uses: anthropics/claude-code-action@beta
          with:
            claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
            # This is an optional setting that allows Claude to read CI results on PRs
            additional_permissions: |
-             actions: read
+             actions: read
+             issues: write
+             pull-requests: write
```
If you also want branch/commit writes, add `contents: write` here (and document it in the repo).
Likely an incorrect or invalid review comment.
| # github.event.pull_request.user.login == 'new-developer' || | ||
| # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' | ||
|
|
||
| runs-on: ubuntu-latest |
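Review bot: the commented gating on `github.event.pull_request.user.login == 'new-developer'` / `author_association == 'FIRST_TIME_CONTRIBUTOR'` would, if uncommented, steer this job toward first-time contributors, whose PRs usually arrive from forks; on a `pull_request` trigger those runs do not receive `CLAUDE_CODE_OAUTH_TOKEN`, so the job would start and then fail at the action step. Pair any such condition with the same-repository guard (`github.event.pull_request.head.repo.full_name == github.repository`) or settle the fork policy first, and say so in the comment next to these lines.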
💡 Verification agent
🧩 Analysis chain
Guard secrets on forked PRs to avoid failed runs.
pull_request workflows don’t expose repo secrets to forks. Add a job-level condition to only run reviews when the source repo is the same as the base. Otherwise, skip gracefully.
```diff
  jobs:
    claude-review:
+     if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
```
Optional: If you need reviews on forks, switch to pull_request_target and take strict precautions (checkout base ref, never execute fork code, and keep allowed tools disabled).
🏁 Script executed:
```bash
#!/bin/bash
set -e
workflow=".github/workflows/claude-code-review.yml"
if [ ! -f "$workflow" ]; then
  echo "Error: $workflow not found"
  exit 1
fi
# Print the first 200 lines of the workflow for inspection
sed -n '1,200p' "$workflow"
```
Length of output: 3208
Guard secrets on forked pull requests
To prevent failures when CLAUDE_CODE_OAUTH_TOKEN isn’t exposed on forked PRs, add a job-level guard so the review only runs for PRs originating in the same repo.
• File: .github/workflows/claude-code-review.yml
Location: under jobs.claude-review: (before runs-on:)
```diff
  jobs:
    claude-review:
+     if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
      runs-on: ubuntu-latest
```
Optional: If you need to run reviews on forked PRs, consider switching to pull_request_target, but strictly checkout the base ref and never execute untrusted code.
📝 Committable suggestion
| runs-on: ubuntu-latest | |
| jobs: | |
| claude-review: | |
| # only run this job on PRs from the same repository so that secrets are available | |
| if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} | |
| runs-on: ubuntu-latest | |
| # …rest of the job steps… |
🤖 Prompt for AI Agents
In .github/workflows/claude-code-review.yml around line 21 (jobs.claude-review
section) the job unguardedly runs on PRs which can hide CLAUDE_CODE_OAUTH_TOKEN
for forked PRs; add a job-level guard (an if condition) so the job only runs for
PRs originating from the same repository, e.g. add a condition like if:
github.event_name != 'pull_request' ||
github.event.pull_request.head.repo.full_name == github.repository before the
runs-on line to skip forked-PR runs, or alternatively switch to
pull_request_target but ensure you strictly checkout the base ref and never
execute untrusted code.
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write | ||
|
|
🛠️ Refactor suggestion
Action cannot post PR reviews with read-only PR permissions. Elevate via additional_permissions (preferred) or job perms.
As written, pull-requests: read prevents the action from creating PR comments/reviews. If you intend Claude to leave review feedback, grant the minimal write it needs.
Apply one of the following:
Option A — keep job token minimal and let the action mint a short-lived App token with scoped writes (recommended):
```diff
        id-token: write
      steps:
@@
        - name: Run Claude Code Review
          id: claude-review
          uses: anthropics/claude-code-action@beta
          with:
            claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+           additional_permissions: |
+             pull-requests: write
+             actions: read
```
Option B — job-level permission (works but grants broader scope for the job):
```diff
      permissions:
        contents: read
-       pull-requests: read
+       pull-requests: write
        issues: read
        id-token: write
```
📝 Committable suggestion
| permissions: | |
| contents: read | |
| pull-requests: read | |
| issues: read | |
| id-token: write | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| issues: read | |
| id-token: write |
🧰 Tools
🪛 YAMLlint (1.37.1)
[error] 27-27: trailing spaces
(trailing-spaces)
🤖 Prompt for AI Agents
In .github/workflows/claude-code-review.yml around lines 22 to 27, the workflow
currently sets pull-requests: read which prevents the action from posting PR
reviews; fix by granting the minimal write scope either by adding an
additional_permissions entry for the specific action (additional_permissions:
pull-requests: write) so the action can mint a short-lived token with scoped
write access, or by changing the job-level permissions to pull-requests: write
if you prefer broader job permission; apply one of these two options and keep
other permissions minimal.
| # Optional: Skip review for certain conditions | ||
| # if: | | ||
| # !contains(github.event.pull_request.title, '[skip-review]') && | ||
| # !contains(github.event.pull_request.title, '[WIP]') | ||
|
|
The commented skip example shows if: inside with: (invalid). Move it to the step.
if: is a step/job key, not an input. Keeping an incorrect example can mislead future edits.
```diff
- - name: Run Claude Code Review
-   id: claude-review
-   uses: anthropics/claude-code-action@beta
-   with:
-     # ...
-     # Optional: Skip review for certain conditions
-     # if: |
-     #   !contains(github.event.pull_request.title, '[skip-review]') &&
-     #   !contains(github.event.pull_request.title, '[WIP]')
+ - name: Run Claude Code Review
+   if: |
+     !contains(github.event.pull_request.title, '[skip-review]') &&
+     !contains(github.event.pull_request.title, '[WIP]')
+   id: claude-review
+   uses: anthropics/claude-code-action@beta
+   with:
+     # ...
```
📝 Committable suggestion
| # Optional: Skip review for certain conditions | |
| # if: | | |
| # !contains(github.event.pull_request.title, '[skip-review]') && | |
| # !contains(github.event.pull_request.title, '[WIP]') | |
| - name: Run Claude Code Review | |
| if: | | |
| !contains(github.event.pull_request.title, '[skip-review]') && | |
| !contains(github.event.pull_request.title, '[WIP]') | |
| id: claude-review | |
| uses: anthropics/claude-code-action@beta | |
| with: | |
| # ... |
🧰 Tools
🪛 YAMLlint (1.37.1)
[warning] 78-78: too many blank lines (1 > 0)
(empty-lines)
🤖 Prompt for AI Agents
In .github/workflows/claude-code-review.yml around lines 74–78, the commented
example places an `if:` conditional under `with:` (which is invalid because
`if:` is a step/job key, not an input); update the comment so it instructs
moving the `if:` out of `with:` to the step (or job) level and show the correct
usage in prose (e.g., describe adding `if:` on the step line before
`uses:`/`run:`), removing or replacing the misleading commented block.
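The review threads above keep returning to three mechanical properties of these workflow files: whether every `uses:` reference is pinned to an immutable commit SHA rather than `@beta`, whether an `if:` key (even a commented example) has been placed under `with:` where it is not an input, and whether a `pull_request` job is guarded so that forked PRs, which get no secrets, are skipped instead of failing. The script below is an added example, not code from this PR or from the anthropics/claude-code-action project. It embeds two constructed workflow samples, one in the shape the reviewers object to and one with the suggested fixes applied, and runs three POSIX `sh`/`awk`/`sed` checks over them; the function names, the sample files and the all-zeros/all-ones commit SHAs in the hardened sample are placeholders for this example only, not real commits of either action.

```shell
#!/bin/sh
# Added example, not code from the PR or from anthropics/claude-code-action.
# Three static checks over a GitHub Actions workflow file, covering points the
# review comments raise: (1) `uses:` references not pinned to a full 40-hex
# commit SHA, (2) an `if:` key (even a commented one) nested under a step's
# `with:` block, (3) no same-repository guard on a pull_request job, so a
# forked PR would start the job without access to secrets.
# Both workflow samples are constructed for this example; the SHAs in the
# hardened one are placeholders, not real commits of either action.

write_unpinned_workflow() {
  cat > "$1" <<'EOF'
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  claude-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Claude Code Review
        uses: anthropics/claude-code-action@beta
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Optional: Skip review for certain conditions
          # if: |
          #   !contains(github.event.pull_request.title, '[skip-review]')
EOF
}

write_hardened_workflow() {
  cat > "$1" <<'EOF'
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  claude-review:
    # Secrets are not exposed to pull_request runs from forks; skip those PRs.
    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
    runs-on: ubuntu-latest
    concurrency:
      group: claude-review-${{ github.event.pull_request.number }}
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - name: Run Claude Code Review
        if: ${{ !contains(github.event.pull_request.title, '[skip-review]') }}
        uses: anthropics/claude-code-action@1111111111111111111111111111111111111111 # placeholder SHA
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
EOF
}

# Check 1: print each `uses:` target whose ref is not a 40-hex commit SHA.
# Returns 1 when at least one unpinned reference exists, 0 otherwise.
find_unpinned_uses() {
  refs=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1")
  unpinned=$(printf '%s\n' "$refs" | grep -v -E '@[0-9a-f]{40}$' || true)
  [ -n "$unpinned" ] || return 0
  printf '%s\n' "$unpinned"
  return 1
}

# Check 2: report `if:` lines (commented or not) indented deeper than the
# nearest preceding `with:`; `if:` is a step/job key, not an action input.
# Returns 1 if any such line exists, 0 otherwise.
find_if_under_with() {
  awk '
    function indent(s) { match(s, /^[ ]*/); return RLENGTH }
    /^[ ]*with:[ ]*$/ { with_indent = indent($0); in_with = 1; next }
    in_with && NF && indent($0) <= with_indent { in_with = 0 }
    in_with && $0 ~ /^[ ]*#?[ ]*if:/ {
      printf "line %d: if: nested under with:\n", NR; found = 1
    }
    END { if (found) exit 1 }
  ' "$1"
}

# Check 3: a workflow triggered by pull_request should gate jobs on the PR
# coming from the same repository, otherwise fork PRs run without secrets.
# Returns 0 when the guard is present or the trigger is not pull_request.
has_fork_guard() {
  grep -q '^[[:space:]]*pull_request:' "$1" || return 0
  grep -q 'github.event.pull_request.head.repo.full_name == github.repository' "$1"
}

# Runs all three checks; the exit status is the number of failing checks.
audit_workflow() {
  failures=0
  find_unpinned_uses "$1" || failures=$((failures + 1))
  find_if_under_with "$1" || failures=$((failures + 1))
  has_fork_guard "$1" || { echo "no same-repository guard on pull_request job"; failures=$((failures + 1)); }
  return $failures
}

# Usage: sh check-workflow.sh .github/workflows/claude-code-review.yml
if [ "${1:-}" != "" ]; then
  audit_workflow "$1"
fi
```

Running `audit_workflow` on the first sample reports `actions/checkout@v4` and `anthropics/claude-code-action@beta` as unpinned, the commented `if:` under `with:`, and the missing same-repository guard; the hardened sample passes all three. Check 2 deliberately matches commented `if:` lines because the misleading example in this PR is itself a comment.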
Pull Request Overview
This PR adds Claude Code integration to the repository by introducing an automated PR review workflow and updating the existing Claude workflow with OAuth authentication. The changes enable AI-powered code reviews and interactive assistance through @claude mentions.
- Add a new automated Claude Code Review workflow that runs on all pull requests
- Update existing Claude workflow to use OAuth token authentication instead of API key
- Remove repository-specific restrictions to allow broader access to the Claude functionality
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/claude-code-review.yml | New automated PR review workflow with comprehensive configuration options |
| .github/workflows/claude.yml | Updated authentication method and removed access restrictions |
| pull-requests: write | ||
| issues: write | ||
| pull-requests: read | ||
| issues: read |
Copilot AI, Aug 22, 2025
The permissions have been changed from 'write' to 'read' for pull-requests and issues, but Claude Code typically needs write permissions to post comments and provide feedback. This may prevent Claude from functioning properly.
| issues: read | |
| pull-requests: write | |
| issues: write |
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: read |
Copilot AI, Aug 22, 2025
The Claude Code Review workflow only has 'read' permissions for pull-requests, but it likely needs 'write' permissions to post review comments and feedback on the PR.
| pull-requests: read | |
| pull-requests: write |
| # model: "claude-opus-4-1-20250805" | ||
|
|
||
| # Direct prompt for automated review (no @claude mention needed) | ||
| direct_prompt: | |
Copilot AI, Aug 22, 2025
The word 'direct_prompt' appears to be a parameter name, but based on typical GitHub Actions conventions and the anthropics/claude-code-action documentation, this should likely be 'prompt' instead of 'direct_prompt'.
| direct_prompt: | | |
| prompt: | |
User description
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!
PR Type
Enhancement
Description
- Add automated Claude Code Review workflow for PRs
- Update existing Claude workflow with OAuth token authentication
- Remove repository-specific restrictions for broader access
- Add comprehensive configuration options and documentation
Diagram Walkthrough
File Walkthrough
- claude-code-review.yml: Add automated Claude PR review workflow (.github/workflows/claude-code-review.yml)
- claude.yml: Update Claude workflow authentication and permissions (.github/workflows/claude.yml)