Pull request overview
Adds GitHub Actions workflows to integrate Anthropic’s Claude Code into the repo for on-demand assistance via @claude mentions and an automated PR code review workflow.
Changes:
- Updated the Claude Code workflow token input to use CLAUDE_CODE_OAUTH_TOKEN.
- Reduced GitHub token permissions for the Claude workflows from write to read.
- Switched the code review workflow trigger from pull_request_target to pull_request.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/claude.yml | Adjusts permissions and updates the authentication secret used by the Claude Code action. |
| .github/workflows/claude-code-review.yml | Changes the event trigger, reduces permissions, and updates the authentication secret used for automated code review. |
| pull-requests: read | ||
| issues: read |
pull-requests/issues permissions were reduced to read, but this workflow is triggered by @claude mentions and the Claude action typically needs to create PR/issue comments (and possibly PR reviews) to respond. With read-only permissions, the action will be unable to post results back to GitHub. Consider restoring the minimum required write permissions (e.g., issues: write for comments + pull-requests: write for PR review/comments) while keeping contents: read.
| pull-requests: read | |
| issues: read | |
| pull-requests: write | |
| issues: write |
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
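Review bot: the `anthropic_api_key` input is dropped in this hunk, but nothing in the PR removes the now-unused `ANTHROPIC_API_KEY` repository secret that the description still refers to. Once `claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}` is confirmed working, delete the old secret from the repository settings and revoke the key at the provider, so a credential with no remaining consumer is not left configured.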
PR description says the Anthropic API key is stored as ANTHROPIC_API_KEY, but the workflow now uses CLAUDE_CODE_OAUTH_TOKEN via claude_code_oauth_token. Please align the PR description and repository secret setup with the authentication method expected by this workflow to avoid post-merge failures.
| contents: read | ||
| pull-requests: write | ||
| issues: write | ||
| pull-requests: read | ||
| issues: read |
The PR description states "Only users with write access to the repository can trigger the workflow", but the workflow does not enforce this and will run for any @claude mention in issue/PR comments. This can allow untrusted users to trigger runs (token spend) and potentially prompt the agent to act on sensitive repo context. Add an explicit actor/author_association guard in the job if: (e.g., restrict to OWNER, MEMBER, COLLABORATOR) or otherwise validate the commenter before running.
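One way to combine the guard requested above with the minimum write permissions from the earlier comment, as an added example of what a hardened `claude.yml` job could look like (not the PR's own file or the action's documentation). The trigger events, the checkout step, and the exact set of allowed associations are assumptions; the action name and the `claude_code_oauth_token` input are taken from the diff.

```yaml
# Example hardened .github/workflows/claude.yml (illustrative, not the PR's file).
name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

jobs:
  claude:
    # Run only when @claude is mentioned AND the commenter has a trusted
    # relationship with the repository. author_association is populated by
    # GitHub from the commenter's role, so it cannot be spoofed in the comment
    # body the way a plain text mention can.
    if: >-
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: read         # read-only checkout of the code
      pull-requests: write   # required to post PR reviews/comments
      issues: write          # required to reply on issues
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
```

Untrusted commenters (author_association such as NONE or FIRST_TIME_CONTRIBUTOR) never start a job at all, so neither token spend nor repository context is exposed to them.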
| pull-requests: read | ||
| issues: read |
pull-requests/issues permissions were reduced to read, but a "Code Review" workflow generally needs to write a PR review/comment back to the pull request. With read-only permissions, the action is likely unable to publish the review results. Consider restoring the minimum required write permissions (at least pull-requests: write and/or issues: write, depending on how the action posts feedback).
| pull-requests: read | |
| issues: read | |
| pull-requests: write | |
| issues: write |
| on: | ||
| pull_request_target: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] |
Switching this workflow from pull_request_target to pull_request improves safety, but note that pull_request workflows do not receive repository secrets for PRs from forks. As written, this can cause failing checks on forked PRs due to missing CLAUDE_CODE_OAUTH_TOKEN. Consider adding a guard to skip when github.event.pull_request.head.repo.fork == true (or otherwise handle missing secrets gracefully).
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!