@elibosley elibosley commented Jul 25, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • New Features
    • Introduced automated code review using Claude AI for pull requests.
    • Added Claude AI code assistance, triggered by comments containing "@claude" in issues and pull requests.

coderabbitai bot commented Jul 25, 2025

Walkthrough

Two new GitHub Actions workflows are introduced: one for automated code review on pull requests using Claude, and another for Claude AI assistance triggered by specific comments or events in issues and pull requests. Both workflows configure permissions, use the Claude Code Action, and provide optional, commented-out customization settings.

Changes

File(s) | Change Summary
.github/workflows/claude-code-review.yml | Added workflow for automated Claude code review on pull request events with configurable options.
.github/workflows/claude.yml | Added workflow for Claude AI assistance triggered by "@claude" in comments or issue events.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

In workflows new, the Claude bots wake,
Reviewing code for every sake.
With "@claude" they lend a hand,
On pull requests and issues, as planned.
Automated eyes, so sharp and keen—
Our CI/CD now runs pristine!
🤖✨

claude bot commented Jul 25, 2025

Claude finished @elibosley's task —— View job


Claude Code PR Review

I've completed my review of the GitHub Actions workflows. Here's my comprehensive feedback:

Review Tasks:

  • Read and analyze .github/workflows/claude-code-review.yml
  • Read and analyze .github/workflows/claude.yml
  • Evaluate code quality and GitHub Actions best practices
  • Check for security concerns and vulnerabilities
  • Assess performance considerations
  • Look for potential bugs or issues
  • Provide comprehensive feedback and recommendations

🔍 Review Findings

Strengths

  1. Well-structured YAML: Both workflows follow proper GitHub Actions syntax and conventions
  2. Good documentation: Extensive inline comments explaining optional configurations
  3. Appropriate permissions: Minimal required permissions with proper scoping
  4. Performance optimized: Using fetch-depth: 1 for faster checkouts
  5. Flexible configuration: Many commented examples for customization

⚠️ Security Considerations

  1. Action version pinning (.github/workflows/claude-code-review.yml:36, .github/workflows/claude.yml:35):

    uses: anthropics/claude-code-action@beta  # ⚠️ Using @beta tag

    Recommendation: Pin to a specific version or commit SHA for better security and stability:

    uses: anthropics/claude-code-action@<version>  # or specific commit SHA
  2. Token security: ✅ Properly using secrets for the OAuth token

🚀 Performance & Best Practices

  1. Efficient triggers: Good use of specific event types to avoid unnecessary runs
  2. Resource optimization: fetch-depth: 1 minimizes data transfer
  3. Conditional execution: Smart use of if conditions to control when jobs run

🐛 Potential Issues

  1. Beta stability (both files): Using @beta could introduce breaking changes unexpectedly
  2. Missing error handling: Consider adding steps to handle potential failures gracefully
  3. Resource limits: No timeout specified for long-running operations

📋 Recommendations for Improvement

  1. Pin action versions:

    # Replace @beta with specific version
    uses: anthropics/claude-code-action@<version>
  2. Add workflow timeouts (optional):

    jobs:
      claude-review:
        timeout-minutes: 10  # Prevent stuck workflows
  3. Consider enabling useful optional features:

    # In claude-code-review.yml
    use_sticky_comment: true  # Reuse same comment for updates
    
    # In claude.yml  
    allowed_tools: "Bash(pnpm test),Bash(pnpm lint),Bash(pnpm type-check)"  # Match CLAUDE.md
  4. Repository-specific customization:

    # Add to claude.yml based on CLAUDE.md
    custom_instructions: |
      Follow our coding standards in CLAUDE.md
      Use pnpm for package management
      Run type-check and lint before committing

🧪 Test Coverage

  • Documentation: Excellent inline documentation serves as "tests" for configuration options
  • Validation: GitHub Actions will validate YAML syntax automatically
  • Monitoring: Consider adding workflow status badges to README for visibility

📊 Overall Assessment

Rating: 8/10 - Well-implemented workflows with good structure and documentation. Main concerns are around version pinning and stability.

Priority fixes:

  1. Pin action versions instead of using @beta
  2. Consider adding repository-specific configurations based on CLAUDE.md

Nice-to-have improvements:

  1. Add workflow timeouts
  2. Enable sticky comments for cleaner PR experience
  3. Add allowed tools matching the project's development commands

The workflows are production-ready with the version pinning fix. Great job on the comprehensive documentation and flexible configuration options!


Job Run

@elibosley elibosley requested a review from mdatelle July 25, 2025 17:57
@github-actions

This plugin has been deployed to Cloudflare R2 and is available for testing.
Download it at this URL:

https://preview.dl.unraid.net/unraid-api/tag/PR1541/dynamix.unraid.net.plg


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (4)
.github/workflows/claude.yml (2)

39-65: Strip trailing spaces & superfluous blank line to satisfy YAML lint
YAMLlint is currently flagging six trailing-space violations (lines 42, 45, 48, 51, 54, 60) plus an extra blank line at the end (line 65). They don’t hurt execution, but they will keep the workflow from passing any strict CI lint stage and clutter git diffs.

@@
@@
@@
@@
@@
@@
@@
-65
+#

21-26: Re-evaluate necessity of id-token: write permission
The workflow doesn’t request any OIDC-based deploy step. Dropping this permission tightens the attack surface.

-      id-token: write
+#     id-token: write   # uncomment only if OIDC is actually required
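Review bot: on the `id-token: write` line, confirm that the Claude action itself does not rely on an OIDC token before applying this, because the stated reason only covers deploy steps in the workflow and an action can request the token internally. If the permission really is unused, delete the line instead of leaving it commented out, and make the same change in claude-code-review.yml so the two files stay consistent.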
.github/workflows/claude-code-review.yml (2)

40-56: Eliminate trailing spaces flagged by YAMLlint
Same cleanup as the other workflow—remove the six trailing-space offenders to keep lint green.

@@
@@

23-27: Same principle-of-least-privilege note for id-token: write
Unless the action genuinely needs OIDC, consider dropping this permission here as well.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 86b6c4f and cdf0de4.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml (1 hunks)
  • .github/workflows/claude.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/claude.yml

[error] 42-42: trailing spaces (trailing-spaces)
[error] 45-45: trailing spaces (trailing-spaces)
[error] 48-48: trailing spaces (trailing-spaces)
[error] 51-51: trailing spaces (trailing-spaces)
[error] 54-54: trailing spaces (trailing-spaces)
[error] 60-60: trailing spaces (trailing-spaces)
[warning] 64-64: too many blank lines (1 > 0) (empty-lines)

.github/workflows/claude-code-review.yml

[error] 20-20: trailing spaces (trailing-spaces)
[error] 27-27: trailing spaces (trailing-spaces)
[error] 42-42: trailing spaces (trailing-spaces)
[error] 51-51: trailing spaces (trailing-spaces)
[error] 56-56: trailing spaces (trailing-spaces)
[error] 64-64: trailing spaces (trailing-spaces)
[error] 67-67: trailing spaces (trailing-spaces)
[error] 70-70: trailing spaces (trailing-spaces)
[error] 73-73: trailing spaces (trailing-spaces)
[warning] 78-78: too many blank lines (1 > 0) (empty-lines)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Build Web App
  • GitHub Check: Build API
  • GitHub Check: Test API
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (1)
.github/workflows/claude.yml (1)

35-38: Secret name sanity-check
Ensure the repository actually defines CLAUDE_CODE_OAUTH_TOKEN. Missing secrets cause silent job failures that can be hard to trace.

Comment on lines +3 to +5
    on:
      pull_request:
        types: [opened, synchronize]

💡 Verification agent

❓ Verification inconclusive

Secrets unavailable on forks – job will fail
pull_request workflows triggered from forked repositories do not receive repository secrets, so external contributors’ PRs will hit a permission error on the very first run of Claude. If you need reviews on forks, switch to pull_request_target; if not, document that limitation to avoid confusion.


Ensure secrets are available for forked PRs
GitHub Actions workflows triggered by pull_request from forked repos don’t have access to repository secrets. Any steps depending on secrets will fail on external contributors’ PRs.

Suggestions:

  • Switch the trigger to pull_request_target to allow workflows in forked PRs to access secrets.
  • Or, if you don’t want to grant secret access, add a note in .github/workflows/claude-code-review.yml (around line 3) or your contributor docs explaining that this workflow won’t run on forks due to missing secrets.
🤖 Prompt for AI Agents
In .github/workflows/claude-code-review.yml around lines 3 to 5, the workflow is
triggered by pull_request which prevents access to repository secrets for forked
PRs. To fix this, change the trigger from pull_request to pull_request_target to
allow the workflow to access secrets on forked PRs. Alternatively, if you want
to restrict secret access, add a clear note in the workflow file or contributor
documentation explaining that the workflow will not run on forked PRs due to
missing secrets.

Comment on lines +16 to +19
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))

⚠️ Potential issue

Edge case: empty review body breaks contains() filter
For pull_request_review, github.event.review.body can be null when the reviewer only sets a status (approve / request-changes) without a comment. Accessing contains(null, '@claude') raises an evaluation error and will fail the workflow.

Guard with a null-coalescing fallback:

-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && github.event.review.body != null && contains(github.event.review.body, '@claude')) ||
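Review bot: the guard on the `pull_request_review` clause is written here as `github.event.review.body != null`, while the agent prompt under this suggestion asks for `github.event.review.body || ''`; settle on one form so the committed expression matches its description. The `issues` clause reads `github.event.issue.body` through `contains()` in the same way and is left unguarded, so if a missing body is the concern, apply the chosen guard there as well.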
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && github.event.review.body != null && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
🤖 Prompt for AI Agents
In .github/workflows/claude.yml around lines 16 to 19, the condition uses
contains() on github.event.review.body which can be null if the review has no
comment, causing an evaluation error. Fix this by adding a null-coalescing
fallback to ensure the body is a string before calling contains(), for example
replacing github.event.review.body with github.event.review.body || ''.
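
An added example, not part of this PR or of any commenter's review: a small audit that applies the review points raised above to a workflow file. It flags action refs that are not a full commit SHA (such as `@beta`), an `id-token: write` grant, a `pull_request_target` trigger (flagged because, as noted above, it gives fork-triggered runs access to secrets), and the absence of `timeout-minutes`. The sample workflow, the rule names and the `audit_workflow` function are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the snippets quoted in this thread; it is not
# the repository's actual workflow file.
SAMPLE_WORKFLOW = """\
name: Claude Code Review
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  claude-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@beta
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow file."""
    findings = []
    has_timeout = False
    for number, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue  # a commented-out line is not in effect
        line = raw.split(" #", 1)[0]  # drop trailing comments
        match = USES_RE.match(line)
        if match and not match.group(1).startswith(("./", "docker://")):
            action, _, ref = match.group(1).partition("@")
            if not FULL_SHA_RE.match(ref):  # tags and branches can be moved
                findings.append((number, "mutable-action-ref", f"{action}@{ref or '<none>'}"))
        if re.match(r"\s*id-token:\s*write\b", line):
            findings.append((number, "oidc-token-permission", "id-token: write"))
        if re.search(r"\bpull_request_target\b", line):
            findings.append((number, "privileged-trigger", "pull_request_target"))
        if re.match(r"\s*timeout-minutes:", line):
            has_timeout = True
    if not has_timeout:
        findings.append((0, "no-timeout", "no job sets timeout-minutes"))
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

The check is line-based so that it runs without a YAML library; it reports what to look at and does not decide whether a given permission or trigger is justified.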


@pujitm pujitm left a comment


this is great! in the future, could we also add a workflow to keep our docs in sync?

@elibosley elibosley merged commit 4ff6a1a into main Jul 25, 2025
15 of 16 checks passed
@elibosley elibosley deleted the add-claude-github-actions-1753466215444 branch July 25, 2025 19:00