Add Claude Code GitHub Workflow

[yevhen]

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

[claude]

Claude finished @yevhen's task —— View job

---

PR Review: Claude Code GitHub Workflows

I've analyzed both workflow files that add Claude Code integration to the repository. Here's my comprehensive feedback:

Review Checklist:

• Read repository guidelines (CLAUDE.md)
• Analyze .github/workflows/claude-code-review.yml
• Analyze .github/workflows/claude.yml
• Check for security concerns
• Evaluate code quality and best practices
• Look for potential bugs or issues
• Assess performance considerations
• Provide comprehensive feedback

---

✅ Strengths

Security & Permissions:

• Proper use of GitHub secrets for the Anthropic API token
• Minimal required permissions (contents: read, pull-requests: read, issues: read, id-token: write)
• actions: read permission properly documented for CI result access

Workflow Design:

• Clean separation of concerns between automated review (claude-code-review.yml) and interactive usage (claude.yml)
• Well-structured trigger conditions using proper GitHub event filtering
• Good use of conditional execution with the if statement

Documentation:

• Excellent inline comments explaining optional configurations
• Clear examples for customization scenarios
• Helpful guidance for different use cases

⚠️ Areas for Improvement

1. .github/workflows/claude-code-review.yml Issues

Missing Project Context (.github/workflows/claude-code-review.yml:44-52)

direct_prompt: |
  Please review this pull request and provide feedback on:
  - Code quality and best practices
  - Potential bugs or issues
  - Performance considerations
  - Security concerns
  - Test coverage
  
  Be constructive and helpful in your feedback.

Issue: The review prompt is generic and doesn't leverage the extensive project guidelines in CLAUDE.md.

Recommendation: Enhance the prompt to reference project-specific standards:

direct_prompt: |
  Please review this pull request following the SharpAssert project guidelines in CLAUDE.md. Focus on:
  - Code quality and adherence to our C# naming conventions
  - Potential bugs or issues, especially around defensive programming (we avoid over-defensive code)
  - Performance considerations
  - Security concerns  
  - Test coverage using NUnit 3.14 and FluentAssertions
  - TDD principles and test quality
  
  Remember: We prefer simple, maintainable solutions and self-documenting code without comments.

Missing .NET-Specific Tools (.github/workflows/claude-code-review.yml:72)

# allowed_tools: "Bash(npm run test),Bash(npm run lint),Bash(npm run typecheck)"

Issue: The commented example shows Node.js commands but this is a .NET project.

Recommendation: Update to .NET-appropriate tools:

allowed_tools: "Bash(dotnet build),Bash(dotnet test),Bash(dotnet clean)"

2. .github/workflows/claude.yml Issues

Missing Project-Specific Instructions (.github/workflows/claude.yml:56-59)

# custom_instructions: |
#   Follow our coding standards
#   Ensure all new code has tests
#   Use TypeScript for new files

Issue: The example references TypeScript, but this is a C# project. More importantly, the extensive guidelines in CLAUDE.md aren't referenced.

Recommendation: Add meaningful custom instructions:

custom_instructions: |
  This is a .NET assertion library project. Please:
  - Follow all guidelines in CLAUDE.md including TDD practices
  - Use C# naming conventions (PascalCase for public members, camelCase for parameters)
  - Write self-documenting code without comments
  - Ensure all code is testable via public API (avoid defensive programming)
  - Use NUnit 3.14 with FluentAssertions for tests
  - Build and test before reporting success: dotnet build && dotnet test

Shallow Checkout Limitation (Both files: line 32)

fetch-depth: 1

Issue: Shallow checkout might limit Claude's ability to understand git history and make informed decisions about changes.

Recommendation: Consider using fetch-depth: 0 or at least fetch-depth: 10 for better context, especially for the interactive workflow.

3. Performance & Resource Considerations

Potential Over-Triggering (.github/workflows/claude-code-review.yml:3-5)

on:
  pull_request:
    types: [opened, synchronize]

Issue: This will trigger on every push to a PR, which could be expensive with frequent commits.

Recommendation: Consider adding path filters or using the commented use_sticky_comment: true option to reduce redundant reviews.

🔒 Security Assessment

✅ Security is well-handled:

• API token properly stored in GitHub secrets
• Permissions follow principle of least privilege
• No hardcoded sensitive values
• Proper use of GitHub's security model

📊 Test Coverage

❌ Missing: There are no tests for these workflow files themselves. While GitHub Actions workflows typically don't have unit tests, consider:

• Adding a basic workflow validation job
• Testing the integration in a development branch first

🚀 Performance

Considerations:

• Workflows will consume GitHub Actions minutes on every trigger
• The claude-code-review.yml could be expensive with frequent PR updates
• Consider rate limiting or batching mechanisms for high-traffic repositories

---

📝 Summary & Recommendation

Overall Assessment: ✅ Approve with Suggestions

The workflows are well-structured and secure, but they need customization for this specific .NET project. The main improvements needed are:

1. Tailor prompts and instructions to the C#/.NET context
2. Reference the comprehensive CLAUDE.md guidelines
3. Update tool examples from Node.js to .NET commands
4. Consider performance implications with frequent triggering

The security implementation is solid, and the separation of automated vs. interactive workflows shows good architectural thinking. After addressing the project-specific customizations, this will be a valuable addition to the development workflow.

---

[yevhen]

@claude apply recommendations 1, 2 and 3 (with use_sticky_comment: true recommendation)