Add Claude Code GitHub Workflow

[ajamous]

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

[claude]

Code Review: Claude Code GitHub Workflow Integration

Thank you for adding Claude Code integration! This is a well-structured PR that follows GitHub Actions best practices.

Strengths

1. Security Best Practices - Proper use of least-privilege permissions, secret management, and scoped tool access
2. Code Quality - Well-commented workflows with clean YAML structure
3. Workflow Design - Two separate workflows for automated reviews and on-demand assistance

Critical Security Issues

1. Missing pull-requests: write Permission

• Issue: claude-code-review.yml:22-26 only has read permissions
• Impact: Claude won't be able to post review comments via gh pr comment
• Fix: Change pull-requests: read to pull-requests: write

2. claude.yml Lacks Tool Restrictions

• Issue: Line 49 has no tool restrictions enabled
• Risk: Claude has access to all default tools including file modifications
• Fix: Add claude_args with explicit tool allowlist like claude-code-review.yml

Potential Issues

1. Recursive Workflow Risk - Claude might trigger itself when posting comments
2. Rate Limiting - synchronize events trigger on every PR push (could exhaust API quota)
3. Missing Timeouts - No timeout-minutes set for jobs (risk of hung workflows)

Recommendations

High Priority (Before Merge):

1. Add pull-requests: write to claude-code-review.yml (required for functionality)
2. Add explicit tool restrictions to claude.yml (security hardening)
3. Add timeout-minutes: 15 to both workflows (resource management)

Medium Priority:

4. Add concurrency controls to prevent duplicate runs
5. Filter automated reviews to non-draft PRs only
6. Add bot detection to prevent recursive triggers

Low Priority:

7. Document Claude capabilities in CLAUDE.md
8. Add workflow status badge to README
9. Include example @claude commands in documentation

Repository-Specific Security Notes

OpenTextShield is security-focused with Docker builds and ML models. I strongly recommend:

• Restricting Claude's Bash tools to read-only operations in claude.yml
• Never allowing Docker build/push commands via Claude
• Monitoring Claude's actions carefully during initial deployment

Conclusion

Review Score: 8/10 - Excellent foundation with minor security hardening needed.

This PR will be production-ready after addressing the 3 high-priority items above. Let me know if you'd like me to prepare a commit with these changes!