Add Claude Code GitHub Workflow#82
📝 Walkthrough: Two new GitHub Actions workflows are added: one automatically triggers Claude code review on pull request lifecycle events, and another enables on-demand Claude invocation via
Changes:
- Automated Code Review on Pull Requests
- On-Demand Claude via Mentions
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/claude-code-review.yml:
- Around line 30-36: The workflow uses tag refs for actions (actions/checkout@v4
and anthropics/claude-code-action@v1); replace each `uses:` entry with the
corresponding immutable 40-hex commit SHA for that repo (e.g.,
actions/checkout@<40-hex-sha> and anthropics/claude-code-action@<40-hex-sha>),
optionally appending a trailing comment with the human-readable tag (e.g., "#
v4" or "# v1") to satisfy the SHA-pin policy and unblock the dependabot-selftest
check.
In @.github/workflows/claude.yml:
- Around line 15-20: The trigger condition must be gated by a trusted-actor
check so only users with write access can invoke `@claude`; update the existing if
expression to require both the `@claude` mention and that the event actor’s
author_association is one of OWNER, MEMBER or COLLABORATOR. Concretely, for
comment/review/review_comment/issue branches add an extra clause using the
appropriate payload field (github.event.comment.author_association,
github.event.review.author_association, github.event.issue.author_association)
and require it equals 'OWNER' or 'MEMBER' or 'COLLABORATOR' (combine with ||),
so the final if only passes when a mention exists AND the actor has write-level
association.
- Around line 29-35: Replace the tag refs with pinned commit SHAs for the GitHub
Actions usages: change actions/checkout@v4 to the full 40-character commit SHA
for the actions/checkout repo and change anthropics/claude-code-action@v1 to the
full 40-character commit SHA for anthropics/claude-code-action; apply the same
replacements in both `.github/workflows/claude.yml` (the lines that reference
actions/checkout@v4 and anthropics/claude-code-action@v1) and
`.github/workflows/claude-code-review.yml` so both workflows use exact commit
SHAs instead of tag refs.
📒 Files selected for processing (2)
- .github/workflows/claude-code-review.yml
- .github/workflows/claude.yml
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify all workflow `uses:` entries are SHA-pinned
rg -nP '^\s*uses:\s*[^@\s]+@(?!(?:[0-9a-f]{40})\b).+' .github/workflows/*.yml
# Expected: no output
Repository: humancto/mango
Length of output: 372
🏁 Script executed:
# Check for dependabot or policy configuration files
# (the -name tests are grouped so that -type f applies to all three patterns)
find .github -type f \( -name "*.yml" -o -name "*.yaml" -o -name "*.json" \) | head -20
Repository: humancto/mango
Length of output: 677
🏁 Script executed:
# Search for any references to "dependabot-selftest" or SHA pinning policies
rg -i "dependabot-selftest|sha.?pin|immutable" .github/ || echo "No references found"
Repository: humancto/mango
Length of output: 1135
🏁 Script executed:
# Check all other workflows to see if SHA pinning is consistently applied
head -40 .github/workflows/claude.yml
Repository: humancto/mango
Length of output: 1359
🏁 Script executed:
# Read the dependabot-selftest.yml to understand the enforcement
cat .github/workflows/dependabot-selftest.yml
Repository: humancto/mango
Length of output: 2585
🏁 Script executed:
# Also check the dependabot.yml configuration
cat .github/dependabot.yml
Repository: humancto/mango
Length of output: 3808
🏁 Script executed:
# Verify the test script existence and understand assertion `#15`
head -60 scripts/dependabot-scripts-test.sh | grep -A 5 -B 5 "assertion"
Repository: humancto/mango
Length of output: 532
🏁 Script executed:
# Find assertion `#15` in the test script
rg -n "assertion.?15|uses:" scripts/dependabot-scripts-test.sh | head -30
Repository: humancto/mango
Length of output: 775
Pin action refs to immutable SHAs to unblock CI and harden supply chain.
Lines 30 and 36 use tag-pinned refs (@v4, @v1) and violate the enforced SHA-pin policy. This directly triggers the dependabot-selftest workflow failure (assertion #15 validates all uses: lines must be 40-hex SHAs with optional trailing # <ref> comments).
Suggested fix pattern
- uses: actions/checkout@v4
+ uses: actions/checkout@<40-hex-commit-sha> # v4
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@<40-hex-commit-sha> # v1
🧰 Tools
🪛 GitHub Actions: dependabot-selftest
[error] 30-30: Dependabot scripts check failed: workflow uses are not SHA-pinned with 40-hex. Found 'uses: actions/checkout@v4'.
[error] 36-36: Dependabot scripts check failed: workflow uses are not SHA-pinned with 40-hex. Found 'uses: anthropics/claude-code-action@v1'.
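As an added example (not the repository's dependabot-scripts-test.sh and not CodeRabbit's verification script), here is a small Python checker for the policy the comment above describes: every `uses:` ref must be a 40-hex commit SHA, optionally followed by a `# <ref>` comment. It goes slightly beyond the page by skipping local `./` actions (which have no ref to pin) and by flagging `docker://` refs conservatively; the sample workflow and its 40-hex value are constructed placeholders.

```python
import re

# Matches a workflow `uses:` line such as `  - uses: actions/checkout@v4  # comment`.
# Regexes are constructed for this example, not taken from the repo's test script.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?(?P<ref>[^"\'\s]+)["\']?(?:\s+#.*)?$')
SHA40_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned_uses(workflow_text):
    """Return [(line_no, ref)] for every `uses:` not pinned to a 40-hex commit SHA.

    Accepted: owner/repo@<40-hex>, with an optional trailing `# v4`-style comment.
    Skipped:  local actions (`./path`), which carry no ref to pin.
    Flagged:  tag/branch refs (@v4, @main), short SHAs, and docker:// refs
              (conservatively, since they are not commit-pinned).
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group("ref")
        if ref.startswith("./"):
            continue
        _action, sep, version = ref.rpartition("@")
        if not sep or not SHA40_RE.match(version):
            findings.append((line_no, ref))
    return findings


# Constructed sample mirroring the two tag-pinned steps the review flagged, plus a
# local action and a correctly pinned step. The SHA below is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  claude-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1
      - uses: ./.github/actions/local-helper
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
"""

if __name__ == "__main__":
    for line_no, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: not SHA-pinned: uses: {ref}")
```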
| if: | | ||
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | ||
| runs-on: ubuntu-latest |
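Review bot: every branch of this `if:` keys only on `contains(<body>, '@claude')`, a substring test over text the commenter supplies, with no check on who wrote it; the `author_association` clause proposed in the review comment that follows is the missing piece, and the `issues` branch needs it as well since issue bodies and titles are equally free text.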
Add a trusted-actor gate to the @claude trigger condition.
Lines 15–20 currently allow any user who can comment to invoke the workflow if they mention @claude. That does not enforce the stated “write-access only” behavior and can be abused for cost/noise.
Suggested fix
claude:
if: |
- (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
- (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ (github.event_name == 'issue_comment' &&
+ contains(github.event.comment.body, '@claude') &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+ (github.event_name == 'pull_request_review_comment' &&
+ contains(github.event.comment.body, '@claude') &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+ (github.event_name == 'pull_request_review' &&
+ contains(github.event.review.body, '@claude') &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
+ (github.event_name == 'issues' &&
+ (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
📝 Committable suggestion
| if: | | |
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| runs-on: ubuntu-latest | |
| if: | | |
| (github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || | |
| (github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || | |
| (github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) || | |
| (github.event_name == 'issues' && | |
| (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && | |
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)) | |
| runs-on: ubuntu-latest |
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Run Claude Code | ||
| id: claude | ||
| uses: anthropics/claude-code-action@v1 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify all workflow `uses:` entries are SHA-pinned
rg -nP '^\s*uses:\s*[^@\s]+@(?!(?:[0-9a-f]{40})\b).+' .github/workflows/*.yml
# Expected: no output
Repository: humancto/mango
Length of output: 372
Pin GitHub Actions by full commit SHA (required by current CI policy).
Lines 29 and 35 in .github/workflows/claude.yml use tag refs (@v4, @v1) instead of 40-hex SHAs. The same issue exists in .github/workflows/claude-code-review.yml at lines 30 and 36. This is failing dependabot-selftest and should be treated as a merge blocker.
Suggested fix pattern
- - name: Checkout repository
- uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@<40-hex-commit-sha> # v4
...
- - name: Run Claude Code
- id: claude
- uses: anthropics/claude-code-action@v1
+ - name: Run Claude Code
+ id: claude
+ uses: anthropics/claude-code-action@<40-hex-commit-sha> # v1
🧰 Tools
🪛 GitHub Actions: dependabot-selftest
[error] 29-29: Dependabot scripts check failed: workflow uses are not SHA-pinned with 40-hex. Found 'uses: actions/checkout@v4'.
[error] 35-35: Dependabot scripts check failed: workflow uses are not SHA-pinned with 40-hex. Found 'uses: anthropics/claude-code-action@v1'.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1a0443e2cf
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: read |
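Review bot: `pull-requests: read` on this job is inconsistent with a review step that is expected to publish PR feedback (the Codex comment that follows makes the same point); if it is raised to `write`, keep `contents: read` exactly as here so the token can post review comments but cannot push to the repository, and grant no scope the review step does not actually use.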
Grant pull-request write scope for code-review job
This workflow configures pull-requests: read, but the Claude Code review flow is expected to publish PR feedback; with a read-only token, review comments cannot be created, so the automated review run can complete without delivering actionable output. Anthropic’s own automated review examples for anthropics/claude-code-action use pull-requests: write for this reason, so this permission setting makes the new review workflow effectively non-functional on real PRs.
| contents: read | ||
| pull-requests: read | ||
| issues: read |
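Review bot: these three read scopes and the missing trusted-actor gate on the job's `if:` should be decided together: the Codex comment that follows recommends raising them to write, and once the token can write contents, pull requests and issues, a mention-only trigger means any commenter can drive a write-capable job, so the `author_association` check from the earlier review comment should land in the same change as any permission increase.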
Enable write scopes for interactive Claude workflow
The @claude workflow is wired to respond to issue/PR mentions, but contents, pull-requests, and issues are all set to read-only, which prevents Claude from posting responses/comments or making repo updates requested via mentions. In practice this causes triggered runs to be unable to perform the core actions users expect from this workflow; the action’s documented baseline permissions are write-level for these scopes.
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!