@ozzy2438 (Owner) commented Jul 12, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by Sourcery

Integrate the Claude Code GitHub App by adding two workflows: one for automated review of pull requests and another for interactive AI actions when @claude is mentioned, with secure token storage and scoped permissions.

New Features:

  • Add a GitHub Actions workflow to run automated Claude Code reviews on pull requests with a direct prompt configuration
  • Add a GitHub Actions workflow to trigger Claude Code in response to @claude mentions in issues and PR comments

sourcery-ai bot commented Jul 12, 2025

Reviewer's Guide

This PR adds two GitHub Actions workflows to integrate Claude Code into the repo: one automates pull request reviews with a customizable prompt, and the other triggers Claude on issue and review comments via @claude mentions. Both workflows define event triggers, permissions, checkout steps, and invoke the anthropics/claude-code-action with configurable options.

Sequence diagram for @claude mention workflow trigger

sequenceDiagram
  actor User
  participant GitHub
  participant Workflow as "claude.yml Workflow"
  participant Runner as "GitHub Actions Runner"
  participant ClaudeAction as "Claude Code Action"
  participant ClaudeAPI as "Anthropic API (Claude)"

  User->>GitHub: Create comment with @claude
  GitHub->>Workflow: Trigger workflow (claude.yml)
  Workflow->>Runner: Start job
  Runner->>ClaudeAction: Run anthropics/claude-code-action
  ClaudeAction->>ClaudeAPI: Send context and request
  ClaudeAPI-->>ClaudeAction: Return response
  ClaudeAction->>GitHub: Post comment/commit with results

Sequence diagram for automated Claude PR review workflow

sequenceDiagram
  participant GitHub
  participant Workflow as "claude-code-review.yml Workflow"
  participant Runner as "GitHub Actions Runner"
  participant ClaudeAction as "Claude Code Action"
  participant ClaudeAPI as "Anthropic API (Claude)"

  GitHub->>Workflow: PR opened or synchronized
  Workflow->>Runner: Start job
  Runner->>ClaudeAction: Run anthropics/claude-code-action with review prompt
  ClaudeAction->>ClaudeAPI: Send PR context and review prompt
  ClaudeAPI-->>ClaudeAction: Return review feedback
  ClaudeAction->>GitHub: Post review comment on PR

File-Level Changes

Change: Add pull request review workflow for Claude Code
Files: .github/workflows/claude-code-review.yml
Details:
  • Define pull_request triggers for opened and synchronized events
  • Set job permissions and runner configuration
  • Checkout repository with minimal history
  • Invoke anthropics/claude-code-action with direct_prompt and optional settings

Change: Add interactive Claude Code workflow for comments and reviews
Files: .github/workflows/claude.yml
Details:
  • Configure triggers on issue_comment, pull_request_review_comment, issues, and pull_request_review events
  • Apply conditional execution when @claude is mentioned
  • Set up runner, permissions (including actions: read)
  • Checkout code and run anthropics/claude-code-action with additional_permissions and optional parameters

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

claude bot commented Jul 12, 2025

Claude finished @ozzy2438's task

Code Review Complete ✅

I've thoroughly reviewed both Claude Code workflow files. Here's my comprehensive feedback:

Todo List:

  • Read and analyze .github/workflows/claude-code-review.yml
  • Read and analyze .github/workflows/claude.yml
  • Review security configurations and permissions
  • Check workflow syntax and structure
  • Evaluate triggers and event handling
  • Assess performance considerations
  • Identify potential bugs or issues
  • Provide comprehensive feedback and recommendations

🔒 Security Review

Strengths:

  • ✅ Properly uses GitHub secrets for API token (.claude-code-review.yml:38, .claude.yml:37)
  • ✅ Minimal, well-scoped permissions with principle of least privilege
  • ✅ Uses official GitHub and Anthropic actions
  • ✅ Secure checkout with fetch-depth: 1 to limit history exposure

Concerns & Recommendations:

  • ⚠️ HIGH PRIORITY: Both workflows use @beta tag for anthropics/claude-code-action (.claude-code-review.yml:36, .claude.yml:35). Consider:
    • Pin to a specific version hash for production stability
    • Or use a stable release tag when available
    • Monitor the action repository for stable releases

🏗️ Code Quality & Best Practices

Strengths:

  • ✅ Clean YAML syntax with proper indentation
  • ✅ Excellent documentation with helpful comments
  • ✅ Good separation of concerns (automated vs manual workflows)
  • ✅ Comprehensive examples in comments for customization

Minor Improvements:

  • The conditional logic in .claude.yml:15-19 could be simplified using YAML anchors for maintainability
  • Consider adding workflow-level timeout for cost control

🐛 Potential Issues

  1. Workflow Naming: Both workflows could trigger simultaneously on PR comments. Consider:

    • Adding mutual exclusion logic
    • Or clarifying when each should be used
  2. Missing Error Handling: No explicit failure handling or notification strategy

  3. Resource Limits: No timeout specified - could lead to runaway costs

⚡ Performance Considerations

Optimizations in place:

  • fetch-depth: 1 minimizes checkout time
  • ✅ Efficient triggers that only run when needed
  • ✅ Uses ubuntu-latest (fastest GitHub runner)

Recommendations:

  • Add timeout-minutes: 30 to jobs to prevent runaway executions
  • Consider using paths filters in claude-code-review.yml to only run on code changes

🧪 Test Coverage

Current State: No test coverage for the workflows themselves

Recommendations:

  • Consider adding a simple test workflow that validates YAML syntax
  • Add integration tests for the Claude Code action (when available)
  • Document expected behavior and manual testing procedures

📋 Additional Recommendations

  1. Documentation: Create a CLAUDE.md file to document:

    • How developers should use @claude mentions
    • Coding standards and preferences for Claude
    • Project-specific guidelines
  2. Monitoring: Consider adding workflow status badges to README

  3. Gradual Rollout: Start with claude-code-review.yml disabled and enable after testing claude.yml

🎯 Summary

The workflows are well-structured and follow GitHub Actions best practices. The main concerns are around version pinning for security and stability. The code quality is high with excellent documentation.

Priority Actions:

  1. Pin anthropics/claude-code-action to a stable version/hash
  2. Add job timeouts for cost control
  3. Consider creating CLAUDE.md for project-specific guidelines

Overall, this is a solid implementation that will provide good Claude Code integration for your repository! 🚀
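
Added example (not part of the PR thread or the project's code): a small Python audit for the two priority items in the review above, action references that are not pinned to a full commit SHA and jobs without timeout-minutes. The sample workflow is constructed from the review's description; the checkout version and the 2-space job indentation are assumptions.

```python
import re

# Constructed sample modelled on the review's description (mutable @beta tag,
# no job timeout). It is not the PR's actual workflow file.
SAMPLE_WORKFLOW = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@beta
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # assumes 2-space indented job ids


def audit_workflow(text):
    """Return (unpinned_refs, jobs_without_timeout) for one workflow's text."""
    unpinned, has_timeout, job, in_jobs = [], {}, None, False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                               # blank line or comment
        if not line[0].isspace():                  # top-level key such as on: or jobs:
            in_jobs, job = line.startswith("jobs:"), None
            continue
        m = JOB_RE.match(line) if in_jobs else None
        if m:
            job = m.group(1)
            has_timeout[job] = False
        elif job and re.match(r"^    timeout-minutes:", line):
            has_timeout[job] = True
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1).partition("@")[2]     # text after '@', empty if absent
            if not FULL_SHA_RE.match(ref):         # tags and branches are mutable
                unpinned.append((lineno, m.group(1)))
    return unpinned, [j for j, ok in has_timeout.items() if not ok]


if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
```

Run over each file in .github/workflows, this makes a cheap CI gate: a non-empty result in either list fails the check.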


sourcery-ai bot left a comment

Hey @ozzy2438 - I've reviewed your changes - here's some feedback:

  • Add conditional path filters to the workflows (e.g. only trigger on .ts, .js, etc.) to avoid unnecessary runs on non-code or documentation changes.
  • Incorporate skip conditions (like draft PR checks or [skip-review] labels) in your if statements to prevent accidental or work-in-progress triggers.
  • Consider consolidating the two workflows into a single parameterized workflow file to reduce duplication and simplify long-term maintenance.

@ozzy2438 ozzy2438 merged commit eee9763 into main Jul 12, 2025
3 checks passed