44 changes: 44 additions & 0 deletions .github/workflows/claude-code-review.yml
@@ -0,0 +1,44 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"
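Review bot: the `pull_request` trigger (rather than `pull_request_target`) is the right choice for a job that checks out and reviews PR code, because a pull request from a fork runs with no repository secrets, so `secrets.CLAUDE_CODE_OAUTH_TOKEN` is never available to the PR's own code. The flip side is that the review step will fail on fork PRs because the token is empty; either document that only same-repository branches get an automated review, or enable the commented author filter in the jobs block so the job is skipped for PRs it cannot serve. The missing path filter is a cost concern, as the thread notes, not a security one.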
Comment on lines +7 to +11

Copilot AI Feb 17, 2026

The workflow always runs on all pull requests (opened, synchronize, ready_for_review, reopened) without any filters. This could result in significant API costs and resource usage as every PR change will trigger an automated Claude review.

Consider uncommenting and configuring the path filters (lines 6-11) to only run on code files that actually need review, or add a condition to only run when specifically requested via a label or comment. The commented author filter (lines 15-19) could also be useful to limit automated reviews to certain contributors.

Suggested change
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"
paths:
- "src/**/*.ts"
- "src/**/*.tsx"
- "src/**/*.js"
- "src/**/*.jsx"


jobs:
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
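Review bot: if the commented author filter is enabled, `author_association == 'FIRST_TIME_CONTRIBUTOR'` only matches a user's first pull request to this repository; once one of their PRs is merged the association becomes `CONTRIBUTOR` and they no longer match, so a filter meant to cover external contributors needs `CONTRIBUTOR` as well. Hard-coding individual logins such as `'external-contributor'` also means every roster change is a commit to `.github/workflows`, so an allow-list by association is easier to keep accurate.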
Copilot AI Feb 17, 2026


The workflow appears to be set up for automated code review on every PR, but the permissions block only grants read access to pull-requests. If the intent is for Claude to post review comments (as suggested by the workflow name "Claude Code Review"), write permission for pull-requests would be needed.

If the workflow is intended to only analyze PRs without posting comments, this is fine. However, if Claude should post review feedback, add pull-requests: write to the permissions block. Consider clarifying the intended behavior in the workflow comments.

Suggested change
pull-requests: read
pull-requests: write # Needed so Claude can post review comments on the PR

issues: read
Copilot AI Feb 17, 2026


The permissions block is missing the actions: read permission that is mentioned in the claude.yml workflow and the inline comment on line 26. This permission is needed for Claude to read CI results on PRs as mentioned in the comment.

Add actions: read to the permissions block to match the stated requirement and ensure Claude can access CI/CD results when performing code reviews.

Suggested change
issues: read
issues: read
actions: read

id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
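Review bot: `actions/checkout@v4` and `anthropics/claude-code-action@v1` are referenced by mutable tags. This job holds `secrets.CLAUDE_CODE_OAUTH_TOKEN` and has `id-token: write`, so whoever can move those tags can change what runs with that token and OIDC identity; pin each action to a full commit SHA with the version in a trailing comment (`uses: actions/checkout@<sha> # v4`) and let Dependabot or Renovate bump the SHA. The same applies to the `plugin_marketplaces` git URL, which names no branch or commit and is fetched at run time.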
Comment on lines +39 to +40

Copilot AI Feb 17, 2026


The workflow references a GitHub repository URL and plugins that are not verified or documented in the PR. The URL https://github.com/anthropics/claude-code.git and the plugin code-review@claude-code-plugins need to be validated to exist and be trustworthy before merging.

Verify that these resources exist and are official Anthropic repositories. Consider adding documentation about what these plugins do and why they're required for the code review functionality.

Suggested change
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
# NOTE: Custom plugin marketplaces and plugins are intentionally not configured here.
# Only add explicit marketplaces/plugins after verifying they are official Anthropic
# resources and documenting why they are required for code review in this repo.

prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
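Review bot: the two values interpolated here, `github.repository` and `github.event.pull_request.number`, are repository- and event-derived (an `owner/name` string and an integer), not attacker-controlled, so the validation asked for in the thread is not the concern. The PR fields that are attacker-controlled on a fork PR are its title, body, branch name and diff, and those must never be spliced into `prompt:` through `${{ }}`. The review will still read that content to do its job, so treat the model's output as untrusted and give this job no write permission beyond what posting a review comment requires.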
Copilot AI Feb 17, 2026


The prompt hardcodes the GitHub repository reference using a dynamic variable, but there's no validation that the pull request number is valid or that the repository context is correctly formatted. If the variables are malformed, Claude could receive an invalid prompt.

Add error handling or validation to ensure the constructed prompt is valid before being passed to Claude. Consider using a more robust prompt construction method or validating that github.event.pull_request.number exists and is numeric.

# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options

50 changes: 50 additions & 0 deletions .github/workflows/claude.yml
@@ -0,0 +1,50 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
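Review bot: the `if` condition is the only gate on this job, and it checks nothing but the presence of the string `@claude`. `issue_comment`, `issues` and review events run on the default branch with repository secrets and `id-token: write`, so on a public repository any account that can open an issue or leave a comment can start a job holding `CLAUDE_CODE_OAUTH_TOKEN`. Restrict by `author_association` as the thread suggests. Note also that `contains()` is case-insensitive and matches substrings, so `@claude-bot` or `mail@claude.example` in a comment would also trigger it; if that matters, match the mention as a whole token instead.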
Comment on lines +16 to +19

Copilot AI Feb 17, 2026


The PR description states "Only users with write access to the repository can trigger the workflow", but there are no explicit permission checks in the workflow conditions to enforce this. GitHub Actions do have default protections, but the workflow doesn't validate the user's permission level before running.

Consider adding an explicit check in the workflow condition to verify the commenter has write permissions, such as checking github.event.comment.author_association is OWNER, MEMBER, or COLLABORATOR. This makes the security model explicit and prevents confusion about who can trigger Claude.

Suggested change
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
(
github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude') &&
(
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR'
)
) ||
(
github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
(
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR'
)
) ||
(
github.event_name == 'pull_request_review' &&
contains(github.event.review.body, '@claude') &&
(
github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR'
)
) ||
(
github.event_name == 'issues' &&
(
contains(github.event.issue.body, '@claude') ||
contains(github.event.issue.title, '@claude')
) &&
(
github.event.issue.author_association == 'OWNER' ||
github.event.issue.author_association == 'MEMBER' ||
github.event.issue.author_association == 'COLLABORATOR'
)
)

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
Copilot AI Feb 17, 2026


The PR description states that the secret should be ANTHROPIC_API_KEY, but the workflow uses CLAUDE_CODE_OAUTH_TOKEN. This inconsistency could lead to confusion during setup.

Update the PR description to reference CLAUDE_CODE_OAUTH_TOKEN as the correct secret name, or clarify that both names are being used in the documentation to match what's actually configured in the workflow files.


# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'
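Review bot: the commented `--allowed-tools Bash(gh pr:*)` example on the last line would, if enabled, permit every `gh pr` subcommand, including `merge`, `close`, `edit` and `review`, not just read operations, and it would run with whatever credentials the job exposes to `gh`. If this is ever uncommented, scope the allow-list to the verbs the job actually needs, for example `Bash(gh pr view:*)` and `Bash(gh pr diff:*)`, and keep the job's `permissions` block at read-only for `contents`.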