Skip to content

Add Claude Code GitHub Workflow#364

Merged
VVoruganti merged 5 commits into
mainfrom
add-claude-github-actions-1770136946872
Feb 3, 2026
Merged

Add Claude Code GitHub Workflow#364
VVoruganti merged 5 commits into
mainfrom
add-claude-github-actions-1770136946872

Conversation

@VVoruganti

@VVoruganti VVoruganti commented Feb 3, 2026

Copy link
Copy Markdown
Collaborator

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • New Features
    • Adds an automated code-review workflow that runs on pull request events and targets changed source and test files.
    • Adds a comment-triggered review option: mention the review assistant in comments to request on-demand analysis; includes optional configuration for prompts and permissions.

@coderabbitai

coderabbitai Bot commented Feb 3, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

Adds a new GitHub Actions workflow .github/workflows/claude.yml that provides two jobs: an automatic PR code-review job triggered on PR events and an on-demand job triggered by @claude-style comments or reviews.

Changes

Cohort / File(s) Summary
GitHub Actions Workflow
.github/workflows/claude.yml
New workflow file introducing two jobs: claude-review (runs on PR open/synchronize/ready_for_review/reopened for changes under src/** and tests/**) and claude (runs when comments or reviews mention @claude and are authored by OWNER/MEMBER/COLLABORATOR). Both jobs run on ubuntu-latest, use anthropics/claude-code-action@v1`, include 15-minute timeouts, checkout the repo, and include example/commented configuration for prompts, claude_args, and additional_permissions.

Sequence Diagram(s)

sequenceDiagram
    participant PR as Pull Request / Issue Comment
    participant GH as GitHub Actions
    participant Runner as Actions Runner (ubuntu-latest)
    participant Checkout as actions/checkout
    participant ClaudeAction as anthropics/claude-code-action@v1
    participant Claude as Claude Service

    PR->>GH: event (PR opened/sync/ready_for_review/reopened) or comment mentioning `@claude`
    GH->>Runner: schedule job (claude-review or claude)
    Runner->>Checkout: checkout repo
    Runner->>ClaudeAction: run Claude Code Action (with token, plugin settings)
    ClaudeAction->>Claude: send repo context + prompt/args
    Claude->>ClaudeAction: return review results
    ClaudeAction->>Runner: output results (logs / annotations)
    Runner->>GH: job completes (annotations or comment posted)
Loading

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A new rabbit hops into CI’s light,
Claude nudges through PRs, checking each bite,
Quick whispers in comments, a helpful review,
Hops, notes, and fixes — a brighter pipeline view! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Add Claude Code GitHub Workflow' directly and clearly describes the main change: adding a new GitHub Actions workflow for Claude Code integration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch add-claude-github-actions-1770136946872

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.github/workflows/claude-code-review.yml:
- Around line 29-36: Replace the two action references that use tags —
actions/checkout@v4 and anthropics/claude-code-action@v1 — with their
corresponding full 40-character commit SHAs while keeping the tag/version as an
inline comment for clarity; update the workflow step definitions for "Checkout
repository" and "Run Claude Code Review" to use uses:
actions/checkout@<FULL_SHA> and uses: anthropics/claude-code-action@<FULL_SHA>
respectively, and add an adjacent comment like # tag: v4 or # tag: v1 to
preserve the readable version; optionally configure Dependabot for automated SHA
updates.

In @.github/workflows/claude.yml:
- Around line 15-19: The workflow if-condition in the claude.yml currently
triggers on any comment containing "@claude"; restrict it to users with
write-level association by extending each branch to also check the author's
association field (e.g., github.event.comment.author_association,
github.event.review.author_association, github.event.issue.author_association)
and require one of the approved values such as 'OWNER', 'MEMBER', or
'COLLABORATOR' (combine with logical &&), so only those associations can invoke
the workflow from the existing if block.
- Around line 28-36: Replace the mutable version tags used in the workflow
"uses" declarations with immutable commit SHAs: locate the two uses entries
referencing "actions/checkout@v4" and "anthropics/claude-code-action@v1" and
update them to the corresponding full commit SHA pins for those repositories
(e.g., actions/checkout@<commit-sha> and
anthropics/claude-code-action@<commit-sha>); ensure you pick the exact commit
SHA that matches the desired tagged release and update any lockfile or workflow
comments to reflect the SHA to prevent accidental retagging or deletion.
🧹 Nitpick comments (1)
.github/workflows/claude-code-review.yml (1)

22-26: Least‑privilege: confirm id-token: write is required.
If the action only uses CLAUDE_CODE_OAUTH_TOKEN, drop OIDC to reduce token‑minting exposure.

🔧 Proposed reduction (if OIDC is not required)
 permissions:
   contents: read
   pull-requests: read
   issues: read
-  id-token: write

Comment thread .github/workflows/claude-code-review.yml Outdated
Comment thread .github/workflows/claude.yml Outdated
Comment thread .github/workflows/claude.yml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/claude.yml:
- Around line 17-46: The claude-review job references github.event.pull_request
but lacks an if guard, so add an if: condition to the claude-review job to only
run on pull_request events (e.g., if: github.event_name == 'pull_request') to
prevent malformed concurrency group and prompt; modify the claude-review job
block (job name "claude-review", fields "concurrency: group" and "with: prompt")
to include this if line directly under the job declaration.
🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)

86-87: Redundant actions: read permission.

The additional_permissions setting specifies actions: read, but this is already declared in the job's permissions block at line 72. This duplication is harmless but unnecessary.

♻️ Proposed fix
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

-          # This is an optional setting that allows Claude to read CI results on PRs
-          additional_permissions: |
-            actions: read
-
           # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.

Comment thread .github/workflows/claude.yml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/claude.yml:
- Around line 17-41: The claude-review job references the secret
CLAUDE_CODE_OAUTH_TOKEN and will fail on forked pull requests because repository
secrets aren’t exposed to pull_request events; either add documentation in the
PR template/CONTRIBUTING noting this limitation for external contributors, or
change the job trigger to pull_request_target and harden the workflow by keeping
the job id/name claude-review, retaining the anthropics/claude-code-action
usage, and ensuring you perform a safe checkout (avoid checking out untrusted
fork code or use a separate checkout pattern that fetches only trusted refs) or
gate the review step behind an approval workflow so secrets aren’t exposed to
untrusted code.
- Around line 24-29: Remove the unnecessary id-token: write permission from the
workflow's job permissions blocks: locate the permissions map(s) containing keys
like contents, pull-requests, issues, id-token, actions and delete the id-token:
write entry in each block (the workflow uses explicit claude_code_oauth_token so
OIDC id-token is not needed) while keeping the other permissions intact to
enforce least-privilege.

Comment thread .github/workflows/claude.yml
Comment on lines +24 to +29
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

find .github -name "claude.yml" -type f

Repository: plastic-labs/honcho

Length of output: 91


🏁 Script executed:

cat -n .github/workflows/claude.yml | head -100

Repository: plastic-labs/honcho

Length of output: 4335


🌐 Web query:

anthropics/claude-code-action GitHub OIDC id-token requirements

💡 Result:

For anthropics/claude-code-action, the GitHub Actions OIDC id-token permission is only required when the action is using OIDC-based authentication (not when you explicitly pass a GitHub token).

When you DO need permissions: id-token: write

1) Using the default Claude GitHub App authentication (OIDC)

If you rely on the Claude GitHub App’s default auth flow, your workflow/job must grant OIDC token minting:

permissions:
  id-token: write

Otherwise runs fail with an OIDC error like “Unable to get ACTIONS_ID_TOKEN_REQUEST_URL … Did you remember to add id-token: write…”. [1]

This exact missing-permission failure has been reported as a critical issue for generated workflows. [2]

2) Using cloud-provider OIDC (AWS Bedrock / Google Vertex AI)

If you authenticate to AWS/GCP from GitHub Actions via Workload Identity/OIDC (as Anthropic’s docs describe for Bedrock/Vertex setups), you will also need id-token: write for those OIDC federation steps. [3]

When you DON’T need id-token: write

If you provide a github_token input (PAT or GitHub App installation token) and don’t use the OIDC-based default flow, you can avoid the OIDC id-token requirement. [1]


Sources:
[1] claude-code-action FAQ (OIDC errors / id-token: write vs github_token input) https://git.homeinfra.org/actions/claude-code-action/src/tag/v0.0.35/FAQ.md
[2] GitHub issue: missing id-token: write causes OIDC failure anthropics/claude-code-action#625
[3] Anthropic docs (Bedrock/Vertex prerequisites include GitHub OIDC / Workload Identity) https://docs.anthropic.com/en/docs/claude-code/github-actions


Remove id-token: write from both job permissions blocks.

The anthropics/claude-code-action is configured with an explicit claude_code_oauth_token, not relying on GitHub's default OIDC authentication. Since an OAuth token is provided directly, the id-token: write permission is unnecessary and can be removed to tighten least-privilege access.

♻️ Changes required at lines 24-29 and 68-73
     permissions:
       contents: read
       pull-requests: read
       issues: read
-      id-token: write
       actions: read
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read
permissions:
contents: read
pull-requests: read
issues: read
actions: read
🤖 Prompt for AI Agents
In @.github/workflows/claude.yml around lines 24 - 29, Remove the unnecessary
id-token: write permission from the workflow's job permissions blocks: locate
the permissions map(s) containing keys like contents, pull-requests, issues,
id-token, actions and delete the id-token: write entry in each block (the
workflow uses explicit claude_code_oauth_token so OIDC id-token is not needed)
while keeping the other permissions intact to enforce least-privilege.

@VVoruganti VVoruganti merged commit 058bf62 into main Feb 3, 2026
17 checks passed
@VVoruganti VVoruganti deleted the add-claude-github-actions-1770136946872 branch February 3, 2026 18:44
ranc1 pushed a commit to ranc1/honcho that referenced this pull request Apr 16, 2026
* "Claude PR Assistant workflow"

* "Claude Code Review workflow"

* fix: delete separate code-review.yml

* fix: condense and fix claude and claude review workflows

* add PR guard

---------

Co-authored-by: Rajat Ahuja <rahuja445@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants