
Conversation

MarjovanLier (Owner) commented Nov 2, 2025

User description

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!


PR Type

Enhancement


Description

  • Updated Claude Code action from beta to v1 stable release

  • Simplified workflow configuration by removing commented examples

  • Changed code review workflow to use direct prompt with gh CLI tools

  • Cleaned up whitespace and improved documentation references


Diagram Walkthrough

flowchart LR
  A["claude-code-action@beta"] -- "upgrade to stable" --> B["claude-code-action@v1"]
  C["direct_prompt parameter"] -- "refactored to" --> D["prompt parameter"]
  E["Removed commented examples"] -- "simplified config" --> F["Cleaner workflow files"]
  D -- "added gh CLI tools" --> G["claude_args with gh commands"]

File Walkthrough

Relevant files

Configuration changes

claude-code-review.yml: Update code review workflow to v1 with gh CLI tools (+13/-34)
Path: .github/workflows/claude-code-review.yml

  • Updated action version from @beta to @v1
  • Renamed direct_prompt parameter to prompt with added repository context
  • Added claude_args with GitHub CLI tools for gh pr comment, gh pr diff, gh pr view, etc.
  • Removed extensive commented-out configuration examples and optional settings
  • Cleaned up trailing whitespace

claude.yml: Update main workflow to v1 with simplified config (+9/-23)
Path: .github/workflows/claude.yml

  • Updated action version from @beta to @v1
  • Removed all commented-out optional configuration examples
  • Simplified documentation with references to official docs
  • Cleaned up trailing whitespace
  • Kept core functionality with additional_permissions for CI access

Copilot AI review requested due to automatic review settings November 2, 2025 10:54
coderabbitai bot commented Nov 2, 2025

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • .github/workflows/claude-code-review.yml is excluded by none and included by none
  • .github/workflows/claude.yml is excluded by none and included by none

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


qodo-code-review (Contributor) commented

Changelog updates: 🔄

2025-11-02 *

Added

  • GitHub Actions workflow integrating Claude Code for PR and issue interactions

Changed

  • Upgraded Claude Code action to v1 and simplified workflow configuration

to commit the new content to the CHANGELOG.md file, please type:
'/update_changelog --pr_update_changelog.push_changelog_changes=true'

@MarjovanLier MarjovanLier enabled auto-merge (squash) November 2, 2025 10:54
Copilot AI left a comment

Pull Request Overview

This PR updates the Claude Code GitHub Action workflows from beta to v1 release. The changes simplify configuration by replacing the old parameter structure with a streamlined approach using prompt and claude_args.

  • Updated action version from @beta to @v1 in both workflow files
  • Replaced multiple deprecated configuration parameters (direct_prompt, model, allowed_tools, etc.) with simplified prompt and claude_args parameters
  • Removed trailing whitespace and cleaned up comment formatting

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/claude.yml Updated action version to v1 and simplified configuration comments to reflect new parameter structure
.github/workflows/claude-code-review.yml Updated action version to v1, converted direct_prompt to prompt, and configured allowed tools using claude_args with specific GitHub CLI commands


codecov bot commented Nov 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.62%. Comparing base (989effd) to head (30483b1).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main      #56   +/-   ##
=========================================
  Coverage     94.62%   94.62%           
  Complexity       40       40           
=========================================
  Files             1        1           
  Lines            93       93           
=========================================
  Hits             88       88           
  Misses            5        5           


qodo-code-review (Contributor) commented

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Grant write permission for pull-requests

Update the pull-requests permission from read to write. This change is necessary
to allow the gh pr comment tool to post comments on the pull request, preventing
a workflow failure.

.github/workflows/claude-code-review.yml [22-26]

 permissions:
   contents: read
-  pull-requests: read
+  pull-requests: write
   issues: read
   id-token: write
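Review bot: Raising pull-requests from read to write is what `gh pr comment` needs, but it also raises the stakes of the broad `--allowed-tools` list elsewhere in this workflow (gh search, gh issue list, gh pr list), so apply it together with trimming that list to the commands the review actually uses; the context lines keep `contents: read` and `issues: read`, which should stay as they are for a review-only job.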
Suggestion importance [1-10]: 9

Why: The suggestion correctly identifies a critical misconfiguration that would cause the workflow to fail, as the gh pr comment tool requires pull-requests: write permission which is currently set to read.

Impact: High

qodo-code-review (Contributor) commented

Auto-approved PR

qodo-code-review (Contributor) commented

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns

Least privilege:
The claude_args allow multiple GitHub CLI operations including gh search:*, gh issue view:*, and listing across the repo. While these are read-only, expanding the surface area can increase risk if future tools or scopes change. Restrict to the minimal set needed for posting a PR comment (e.g., Bash(gh pr comment:*) and optionally Bash(gh pr view:*)).

⚡ Recommended focus areas for review

Scope Creep

The allowed tools in claude_args permit broad gh commands (e.g., gh search:*, gh issue list:*) which may be more permissive than needed for code review; consider narrowing to just what the review requires to minimize blast radius.

claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
Prompt Context

The prompt adds repo and PR number but relies on CLAUDE.md presence; ensure the file exists and consider explicitly instructing the action to post a single consolidated comment to avoid spam.

prompt: |
  REPO: ${{ github.repository }}
  PR NUMBER: ${{ github.event.pull_request.number }}

  Please review this pull request and provide feedback on:
  - Code quality and best practices
  - Potential bugs or issues
  - Performance considerations
  - Security concerns
  - Test coverage

  Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.

  Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.

@MarjovanLier MarjovanLier merged commit c28164d into main Nov 2, 2025
19 of 21 checks passed
@MarjovanLier MarjovanLier deleted the add-claude-github-actions-1762080823376 branch November 2, 2025 10:57
qodo-code-review (Contributor) commented

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Overbroad CLI permissions

Description: The workflow allows Bash access to multiple gh CLI commands via claude_args which, if the
action were compromised, could be abused to exfiltrate PR metadata or spam comments;
verify scope is limited and that no secrets are exposed to these commands.
claude-code-review.yml [56-56]

Referred Code
claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Lacks audit logs: The workflow adds steps invoking external actions without explicit audit logging of
critical actions (who triggered, what was done, outcomes) beyond default GitHub Actions
logs.

Referred Code
- name: Run Claude Code Review
  id: claude-review
  uses: anthropics/claude-code-action@v1
  with:
    claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
    prompt: |
      REPO: ${{ github.repository }}
      PR NUMBER: ${{ github.event.pull_request.number }}

      Please review this pull request and provide feedback on:
      - Code quality and best practices
      - Potential bugs or issues
      - Performance considerations
      - Security concerns
      - Test coverage

      Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.

      Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.

    # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md


 ... (clipped 2 lines)
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing failure handling: The workflow calls anthropics/claude-code-action@v1 without explicit continue-on-error,
conditional retries, or fallback handling for API or CLI errors.

Referred Code
- name: Run Claude Code Review
  id: claude-review
  uses: anthropics/claude-code-action@v1
  with:
    claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
    prompt: |
      REPO: ${{ github.repository }}
      PR NUMBER: ${{ github.event.pull_request.number }}

      Please review this pull request and provide feedback on:
      - Code quality and best practices
      - Potential bugs or issues
      - Performance considerations
      - Security concerns
      - Test coverage

      Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.

      Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.

    # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md


 ... (clipped 2 lines)
Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
Error exposure risk: Allowing Bash gh commands to comment on PRs may surface raw error outputs to users if not
sanitized by the action or step configuration.

Referred Code
  Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.

# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Tooling scope risks: The allowed tools permit broad gh commands, which could act on issues/PRs without
validation safeguards evident in the workflow configuration.

Referred Code
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
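As an added example (not code from this PR or from the claude-code-action project), a small Python audit that applies the reviewer guide's least-privilege point and the compliance guide's "Overbroad CLI permissions" finding to a workflow file: it pulls the --allowed-tools entries out of claude_args, checks them against a minimal review baseline, and cross-checks each gh subcommand against the job's permissions block, which is where the qodo suggestion's read-vs-write mismatch surfaces. The REVIEW_BASELINE, the TOOL_NEEDS mapping and the two workflow fragments are assumptions constructed for the example; the first fragment mirrors the configuration reviewed above, the second is the narrowed form the bots recommend.

```python
from __future__ import annotations

import re

# Assumption: the minimal tool set a review job needs, per the reviewer guide.
REVIEW_BASELINE = frozenset({
    "Bash(gh pr comment:*)",
    "Bash(gh pr view:*)",
    "Bash(gh pr diff:*)",
})

# Assumption: token permission each gh subcommand needs (commenting on a PR
# requires pull-requests: write, as the suggestion above states; reads need read).
TOOL_NEEDS = {
    "gh pr comment": ("pull-requests", "write"),
    "gh pr view": ("pull-requests", "read"),
    "gh pr diff": ("pull-requests", "read"),
    "gh pr list": ("pull-requests", "read"),
    "gh issue view": ("issues", "read"),
    "gh issue list": ("issues", "read"),
}
RANK = {"none": 0, "read": 1, "write": 2}

_TOOLS_RE = re.compile(r'--allowed-tools\s+"([^"]*)"')
_PERM_RE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*$")


def parse_allowed_tools(workflow: str) -> list[str]:
    """Return the comma-separated entries of --allowed-tools, or [] if absent."""
    m = _TOOLS_RE.search(workflow)
    if m is None:
        return []
    return [t.strip() for t in m.group(1).split(",") if t.strip()]


def parse_permissions(workflow: str) -> dict[str, str]:
    """Collect scope: level pairs under the first `permissions:` block."""
    perms: dict[str, str] = {}
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "permissions:":
            for nxt in lines[i + 1:]:  # stop at the first non-permission line
                pm = _PERM_RE.match(nxt)
                if pm is None:
                    break
                perms[pm.group(1)] = pm.group(2)
            break
    return perms


def audit(workflow: str, baseline: frozenset[str] = REVIEW_BASELINE) -> list[str]:
    """One finding per tool that is broader than the baseline or under-permissioned."""
    findings: list[str] = []
    tools = parse_allowed_tools(workflow)
    perms = parse_permissions(workflow)
    if not tools:
        return ["no --allowed-tools given: the action's default tool set applies"]
    for tool in tools:
        inner = re.fullmatch(r"Bash\((.*)\)", tool)
        if tool == "Bash" or (inner and inner.group(1).strip() in ("", "*")):
            findings.append(f"{tool} is an unrestricted shell, not a gh allowlist")
            continue
        if inner is None:
            findings.append(f"{tool} is not a Bash pattern; review it manually")
            continue
        cmd = inner.group(1).split(":", 1)[0].strip()  # "gh pr comment:*" -> "gh pr comment"
        if not cmd.startswith("gh "):
            findings.append(f"{tool} allows a non-gh command")
            continue
        if tool not in baseline:
            findings.append(f"{tool} is outside the review baseline; drop it")
        if cmd in TOOL_NEEDS:
            scope, level = TOOL_NEEDS[cmd]
            granted = perms.get(scope, "none")
            if RANK[granted] < RANK[level]:
                findings.append(f"{tool} needs {scope}: {level} but the job grants {granted}")
    return findings


# Constructed fragment mirroring the reviewed workflow (not the full file).
PAGE_WORKFLOW = """\
  permissions:
    contents: read
    pull-requests: read
    issues: read
    id-token: write
  steps:
    - uses: anthropics/claude-code-action@v1
      with:
        claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
"""

# Constructed hardened variant: write only where gh pr comment needs it, tools trimmed.
HARDENED_WORKFLOW = PAGE_WORKFLOW.replace("pull-requests: read", "pull-requests: write").replace(
    '"Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),'
    'Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"',
    '"Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"',
)

if __name__ == "__main__":
    for name, wf in (("page", PAGE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit(wf) or ['clean']}")
```

Run it against the real .github/workflows/claude-code-review.yml by reading the file into audit(); the page's configuration yields five findings (four tools outside the baseline plus the read/write mismatch on gh pr comment), and the hardened variant yields none. The parser is deliberately line-based so it needs no YAML library, which also means it only sees the first permissions block and a single claude_args value.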

Repository owner deleted a comment from gemini-code-assist bot Nov 2, 2025