43 changes: 43 additions & 0 deletions .github/workflows/claude-code-review.yml
@@ -0,0 +1,43 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"

jobs:
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
Comment on lines +22 to +26

⚠️ Potential issue | 🟡 Minor

Add missing actions: read permission for CI result access.

The claude.yml workflow grants actions: read permission to allow Claude to access CI results on PRs (line 26 in that file). This workflow should include the same permission since it also performs PR analysis and would benefit from CI context.

📝 Proposed fix
     permissions:
       contents: read
       pull-requests: read
       issues: read
       id-token: write
+      actions: read
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml around lines 22-26, the
workflow's permissions block is missing the actions: read permission needed for
CI result access; update the permissions map (the permissions: block containing
contents, pull-requests, issues, id-token) to include actions: read alongside
the existing keys so the workflow can read PR CI results.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check if the claude-code-action code-review plugin requires write permissions

# Check the action's documentation for permission requirements
gh api repos/anthropics/claude-code-action/readme --jq '.content' | base64 -d | rg -i -C5 'code-review.*permission'

# Also check the plugin repository for permission requirements
gh api repos/anthropics/claude-code/readme --jq '.content' | base64 -d | rg -i -C5 'permission'

Repository: Xtendify/Simple-Calendar

Length of output: 173


🏁 Script executed:

cat -n .github/workflows/claude-code-review.yml

Repository: Xtendify/Simple-Calendar

Length of output: 1800


🌐 Web query:

anthropics claude-code-action permissions requirements pull-requests write

💡 Result:

Anthropic's claude-code-action is a GitHub Action that integrates Claude Code into GitHub workflows for PRs and issues, enabling code analysis, changes, and PR creation via @claude mentions or prompts.

Permissions requirements:
- GitHub App (official Claude app at https://github.com/apps/claude): Requests read & write access to Contents (modify files), Issues (respond), Pull Requests (create/update PRs). [3,6,11,12,15,16]
- Workflow YAML permissions: Minimum contents: read/write (for read-only reviews, contents: read and pull-requests: write suffice), pull-requests: write, issues: write. Explicitly set to prevent privilege escalation. [6,8,9,12]
- Secrets: ANTHROPIC_API_KEY (or CLAUDE_CODE_OAUTH_TOKEN) stored in repo secrets. Never hardcode. [2,3,6]
- Claude Code tool permissions: Configurable via claude_args like --allowedTools for Read/Edit/Bash in headless mode; uses bypassPermissions or similar for automation. Review outputs for security. [1,2,4,55,56]

For write operations like creating PRs/commits: Requires contents: write in workflow and GitHub App. Use branch protection requiring human approval. allowed_non_write_users is risky for non-write users. [2,12,56]

Security: Workflow permissions lock GITHUB_TOKEN scope; fork PRs get read-only/no secrets. Prompt injection risks from untrusted comments sanitized but review raw input. [12,56]


Change pull-requests permission from read to write.

The code review action requires write permissions to post review comments and annotations on pull requests. The current pull-requests: read permission is insufficient; it must be changed to pull-requests: write.

Corrected permissions block
    permissions:
      contents: read
      pull-requests: write
      issues: read
      id-token: write
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml around lines 22-26, update the
GitHub Actions permissions block to grant write access for pull request
operations by changing the "pull-requests" entry from "read" to "write" (i.e.,
replace pull-requests: read with pull-requests: write) so the action can post
review comments and annotations; ensure the permissions block still includes
contents: read, issues: read, and id-token: write.


steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What is the correct prompt syntax for the code-review plugin in anthropics/claude-code-action?

💡 Result:

The code-review plugin for anthropics/claude-code-action is a Claude Code slash command plugin that provides automated PR code review using multiple specialized agents. To use it in claude-code-action GitHub workflows, specify the plugin via the plugins input or invoke it directly in the prompt:

- uses: anthropics/claude-code-action@v1
  with:
    plugins: "code-review@claude-code-plugins"
    prompt: "/code-review --comment"

Alternatively, use a custom prompt that calls the command:

prompt: |
  REPO: ${{ github.repository }}
  PR NUMBER: ${{ github.event.pull_request.number }}
  /code-review --comment

The core prompt syntax is defined in the plugin's command file at https://github.com/anthropics/claude-code/blob/main/plugins/code-review/commands/code-review.md. It starts with a YAML frontmatter block:

---
allowed-tools: Bash(gh pr view:*), Bash(gh pr diff:*), mcp__github_inline_comment__create_inline_comment
description: Code review a pull request
---

Followed by detailed Markdown instructions for multi-agent review workflow (check PR status, gather CLAUDE.md files, summarize changes, parallel audits for compliance/bugs/history, confidence scoring >=80, output summary or post comments with precise GitHub links using full SHA). For GitHub Actions integration, the PR #14130 updates this prompt specifically for better performance in claude-code-action (reduced agents, inline comments via MCP, duplicate prevention). Installation in Claude Code: npx claude-plugins install @anthropics/claude-code-plugins/code-review or claude plugins add code-review@claude-plugins-official. Usage: /code-review [--comment] on a PR branch.


Update prompt syntax to use the correct code-review command format.

The prompt uses /code-review:code-review syntax, which is incorrect. According to the official code-review plugin documentation, the correct syntax is /code-review with an optional --comment flag. Update to:

prompt: '/code-review --comment ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'

or simplify to:

prompt: '/code-review --comment'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml at line 41, update the workflow
prompt string to use the correct code-review command `/code-review` with the
`--comment` flag instead of the invalid `/code-review:code-review`; locate the
prompt key in the workflow (the line currently containing prompt:
'/code-review:code-review ${{ github.repository }}/pull/${{
github.event.pull_request.number }}') and replace it with a proper form such as
`'/code-review --comment ${{ github.repository }}/pull/${{
github.event.pull_request.number }}'` or the simplified `'/code-review
--comment'` so the action invokes the code-review plugin correctly.

# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
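Review bot: the `pull_request` trigger with `types: [opened, synchronize, ready_for_review, reopened]` also fires for pull requests opened from forks, and for those runs the `CLAUDE_CODE_OAUTH_TOKEN` secret referenced at `claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}` is not exposed to the runner and `GITHUB_TOKEN` is read-only, so the `claude-review` job will fail on every external contribution instead of reviewing it; either gate the job on same-repository PRs (for example `if: github.event.pull_request.head.repo.full_name == github.repository`) or say in the header comment that fork PRs are intentionally not reviewed. Two smaller points: `id-token: write` is granted with no comment on what the OIDC token is used for (the sibling claude.yml annotates `actions: read` that way, and the same habit here would help the next maintainer), and both `actions/checkout@v4` and `anthropics/claude-code-action@v1` are floating major tags; pinning each to a full commit SHA with the tag in a trailing comment is the usual hardening for a job that receives a long-lived OAuth secret.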
49 changes: 49 additions & 0 deletions .github/workflows/claude.yml
@@ -0,0 +1,49 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
Comment on lines +21 to +26

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check the claude-code-action documentation for required permissions

# Search for permission requirements in the action's README
gh api repos/anthropics/claude-code-action/readme --jq '.content' | base64 -d | rg -i -C5 'permission'

Repository: Xtendify/Simple-Calendar

Length of output: 120


🏁 Script executed:

cat -n .github/workflows/claude.yml

Repository: Xtendify/Simple-Calendar

Length of output: 2295


🏁 Script executed:

# Search for any local documentation about claude permissions
fd -type f -name "*.md" | xargs rg -i "claude.*permission|permission.*claude" -B2 -A2

# Also check for any comments or documentation about the action
rg "claude-code-action" --type md

Repository: Xtendify/Simple-Calendar

Length of output: 238


🏁 Script executed:

# Search for any local documentation about claude permissions
fd . -type f -name "*.md" | xargs rg -i "claude.*permission|permission.*claude" -B2 -A2

# Also search for any README or docs mentioning claude-code-action
rg "claude-code-action" -t md

Repository: Xtendify/Simple-Calendar

Length of output: 238


🏁 Script executed:

# Search for README or docs files that mention claude
find . -name "*.md" -type f | head -20

# Search for claude in documentation
rg "claude" --glob="*.md" -B2 -A2

Repository: Xtendify/Simple-Calendar

Length of output: 109


🏁 Script executed:

cat -n ./CLAUDE.md

Repository: Xtendify/Simple-Calendar

Length of output: 2875


🌐 Web query:

anthropics claude-code-action permissions required github actions

💡 Result:

The Anthropic Claude Code Action (anthropics/claude-code-action) requires specific permissions in GitHub workflows and optionally a GitHub App installation to enable Claude to interact with repositories (e.g., reading/writing files, issues, PRs).

Workflow Permissions (in .github/workflows YAML):
- contents: write (to read/modify repository files)
- pull-requests: write (to create/update PRs)
- issues: write (to respond to issues)
- Optionally: id-token: write (for OIDC with cloud providers like Bedrock/Vertex), actions: read (for viewing workflow results)

Example from official docs:

permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write

GitHub App Permissions (https://github.com/apps/claude):
- Contents: Read & write
- Issues: Read & write
- Pull requests: Read & write

Additional action inputs:
- additional_permissions: e.g., "actions: read"
- allowed_bots: restrict bot triggers (default: none)
- allowed_non_write_users: risky, allows non-write users (use cautiously)

Security best practices:
- Use least-privilege permissions in workflows.
- Store ANTHROPIC_API_KEY as repo secret.
- Review Claude's changes before merging.
- For public repos, restrict to trusted triggers.

These enable Claude to respond to @claude mentions, implement fixes, create PRs, etc.


Missing write permissions — Claude cannot respond to @claude mentions.

The action requires write permissions to respond to comments and create/update files. Update to:

    permissions:
      contents: write
      pull-requests: write
      issues: write
      id-token: write
      actions: read

Per official Anthropic documentation, contents: write, pull-requests: write, and issues: write are mandatory for the action to function.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 21-26, the workflow's
permissions block currently sets contents, pull-requests, and issues to read
which prevents the Claude action from responding to `@claude` mentions; update the
permissions map in the permissions section by changing contents, pull-requests,
and issues from read to write (keep id-token: write and actions: read) so the
action can create/update comments and files — i.e., modify the permissions
entries named contents, pull-requests, and issues accordingly.

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'
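Review bot: the job-level `if:` gates solely on the literal `@claude` appearing in `github.event.comment.body`, `github.event.review.body` or the issue title/body, so on a public repository anyone able to leave a comment can start a run that carries `CLAUDE_CODE_OAUTH_TOKEN`; the only thing keeping an unprivileged account out is the action's own default actor check (the query result above notes that `allowed_non_write_users` has to be opted into). An author-association check in the workflow condition itself gives defense in depth independent of the action's defaults, e.g. `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` on the two comment events, with the matching `github.event.review.author_association` and `github.event.issue.author_association` on the review and issue branches of the expression. Separately, `actions: read` appears both in the job `permissions` block and under `additional_permissions`; a one-line comment explaining why both are needed (or dropping one after checking the usage doc linked at the bottom of the file) would keep the two from drifting apart.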