techviewleo-dot\/infra-demo<\/code>) with real Action runs. The workflow YAML, the action logs, the screenshots are all from actual execution.<\/p>\n\n\n\nTested March 2026<\/strong> | anthropics\/claude-code-action@v1, GitHub Actions, Sonnet 4.6, Terraform files<\/em><\/p>\n\n\n\nWhat You Need<\/h2>\n\n\n\n\n- A GitHub repository with infrastructure code (Terraform, Ansible, Kubernetes manifests)<\/li>\n\n
- An Anthropic API key<\/a> (stored as a GitHub Actions secret)<\/li>\n\n
- The Claude GitHub App installed on your repository<\/li>\n<\/ul>\n\n\n\n
Install the Claude GitHub App<\/h2>\n\n\n\n
The anthropics\/claude-code-action<\/code> requires the Claude GitHub App for authentication. Go to github.com\/apps\/claude<\/a> and click Install<\/strong>:<\/p>\n\n\n\n![\"Claude](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/03\/02-claude-app-install.png\" "\\"\\"")
<\/figure>\n\n\n\nSelect Only select repositories<\/strong> and pick the repo you want Claude to review. This limits Claude’s access to just the repositories you choose, not your entire account:<\/p>\n\n\n\n![\"Claude](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/03\/03-claude-app-repo-select.png\" "\\"\\"")
<\/figure>\n\n\n\nThe app requests read access to actions and metadata, plus read\/write access to code, discussions, issues, PRs, and workflows. Click Install & Authorize<\/strong> to complete the setup.<\/p>\n\n\n\nSet Up the Workflow<\/h2>\n\n\n\n
Create .github\/workflows\/claude-review.yml<\/code> in your infrastructure repository. This workflow triggers on two events: pull requests that change Terraform files, and PR comments containing @claude<\/code> for on-demand reviews.<\/p>\n\n\n\nname: Claude Code Review\non:\n pull_request:\n paths:\n - 'terraform\/**'\n - '*.tf'\n issue_comment:\n types: [created]\n\njobs:\n review:\n runs-on: ubuntu-latest\n if: >\n github.event_name == 'pull_request' ||\n (github.event_name == 'issue_comment' &&\n github.event.issue.pull_request &&\n contains(github.event.comment.body, '@claude'))\n permissions:\n contents: read\n pull-requests: write\n issues: write\n id-token: write\n steps:\n - uses: actions\/checkout@v4\n with:\n fetch-depth: 0\n\n - name: Claude Code Review\n uses: anthropics\/claude-code-action@v1\n with:\n anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}\n prompt: |\n Review the Terraform changes in this PR for:\n 1. Security issues (open ports, missing encryption)\n 2. Missing tags (every resource needs Environment and ManagedBy)\n 3. Best practices and naming conventions\n 4. Cost implications<\/code><\/pre>\n\n\n\nThree things to note about this configuration:<\/p>\n\n\n\n
\nid-token: write<\/code> is required.<\/strong> The action uses OIDC token exchange for authentication with the Claude GitHub App. Without it, you get Unable to get ACTIONS_ID_TOKEN_REQUEST_URL<\/code><\/li>\n\n- The
if<\/code> condition on issue_comment<\/code><\/strong> ensures the action only triggers on PR comments (not issue comments) that contain @claude<\/code><\/li>\n\nfetch-depth: 0<\/code><\/strong> gives Claude Code access to the full git history, so it can see what changed between the PR branch and main<\/li>\n<\/ul>\n\n\n\nStore the API key as a secret<\/h3>\n\n\n\n
Add your Anthropic API key as a repository secret. Using the gh CLI:<\/p>\n\n\n\n
gh secret set ANTHROPIC_API_KEY --repo your-org\/your-repo<\/code><\/pre>\n\n\n\nPaste the key when prompted. The secret is encrypted and only available to workflow runs.<\/p>\n\n\n\n
Trigger a Review on a Real PR<\/h2>\n\n\n\n
We tested this by creating a PR that adds a database server to a staging VPC. The Terraform file has deliberate security issues: PostgreSQL port 5432 open to 0.0.0.0\/0<\/code>, SSH open to the internet, missing Environment<\/code> and ManagedBy<\/code> tags, and an unencrypted root volume.<\/p>\n\n\n\nresource \"aws_instance\" \"database\" {\n ami = \"ami-0c55b159cbfafe1f0\"\n instance_type = \"t3.large\"\n subnet_id = aws_subnet.public.id\n\n vpc_security_group_ids = [aws_security_group.database.id]\n\n root_block_device {\n volume_size = 100\n volume_type = \"gp3\"\n }\n\n tags = {\n Name = \"demo-database\"\n }\n}\n\nresource \"aws_security_group\" \"database\" {\n name = \"demo-database-sg\"\n vpc_id = aws_vpc.main.id\n\n ingress {\n from_port = 5432\n to_port = 5432\n protocol = \"tcp\"\n cidr_blocks = [\"0.0.0.0\/0\"]\n }\n\n ingress {\n from_port = 22\n to_port = 22\n protocol = \"tcp\"\n cidr_blocks = [\"0.0.0.0\/0\"]\n }\n}<\/code><\/pre>\n\n\n\nWhen the PR is opened, the Claude Code Review workflow triggers automatically:<\/p>\n\n\n\n![\"GitHub](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/03\/pr-overview.png\" "\\"\\"")
<\/figure>\n\n\n\nThe action runs Claude Code with Sonnet 4.6, which reads the PR diff, analyzes the Terraform changes, and reviews against the prompt criteria. In our test, the review completed in 29 seconds at a cost of $0.13.<\/p>\n\n\n\n
On-Demand Reviews with @claude<\/h2>\n\n\n\n
The issue_comment<\/code> trigger lets any team member request a review by commenting @claude<\/code> on a PR. This is useful when you push additional commits and want a fresh review, or when you want Claude to focus on a specific aspect:<\/p>\n\n\n\n@claude Review this Terraform change for security issues, missing tags, and cost implications.<\/code><\/pre>\n\n\n\nThe action triggers within seconds. In our testing, the on-demand review ran for 6 turns (Claude read the diff, checked the CLAUDE.md rules, analyzed the security groups, and prepared its review) and completed in under 30 seconds.<\/p>\n\n\n\n
Customize the Review with CLAUDE.md<\/h2>\n\n\n\n
The action reads your repository’s CLAUDE.md<\/code> file, which means you can encode your team’s infrastructure standards. The action follows these rules during every review.<\/p>\n\n\n\n# Infrastructure Review Rules\n- Flag any security group with 0.0.0.0\/0 ingress on SSH (port 22)\n- Check all resources have Environment and ManagedBy tags\n- Verify no hardcoded credentials or secrets\n- Flag missing encryption settings on storage resources\n- Check CIDR blocks for overlapping ranges<\/code><\/pre>\n\n\n\nThis turns Claude from a generic code reviewer into an infrastructure-aware reviewer that knows your team’s tagging policy, security requirements, and naming conventions. The .claude directory guide<\/a> covers the full configuration system.<\/p>\n\n\n\nWhat the Action Catches<\/h2>\n\n\n\n
Based on our testing with deliberately insecure Terraform configurations, Claude Code consistently flags:<\/p>\n\n\n\n