Add Claude Code GitHub Workflow#364
Conversation
WalkthroughAdds a new GitHub Actions workflow Changes
Sequence Diagram(s)sequenceDiagram
participant PR as Pull Request / Issue Comment
participant GH as GitHub Actions
participant Runner as Actions Runner (ubuntu-latest)
participant Checkout as actions/checkout
participant ClaudeAction as anthropics/claude-code-action@v1
participant Claude as Claude Service
PR->>GH: event (PR opened/sync/ready_for_review/reopened) or comment mentioning `@claude`
GH->>Runner: schedule job (claude-review or claude)
Runner->>Checkout: checkout repo
Runner->>ClaudeAction: run Claude Code Action (with token, plugin settings)
ClaudeAction->>Claude: send repo context + prompt/args
Claude->>ClaudeAction: return review results
ClaudeAction->>Runner: output results (logs / annotations)
Runner->>GH: job completes (annotations or comment posted)
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In @.github/workflows/claude-code-review.yml:
- Around line 29-36: Replace the two action references that use tags —
actions/checkout@v4 and anthropics/claude-code-action@v1 — with their
corresponding full 40-character commit SHAs while keeping the tag/version as an
inline comment for clarity; update the workflow step definitions for "Checkout
repository" and "Run Claude Code Review" to use uses:
actions/checkout@<FULL_SHA> and uses: anthropics/claude-code-action@<FULL_SHA>
respectively, and add an adjacent comment like # tag: v4 or # tag: v1 to
preserve the readable version; optionally configure Dependabot for automated SHA
updates.
In @.github/workflows/claude.yml:
- Around line 15-19: The workflow if-condition in the claude.yml currently
triggers on any comment containing "@claude"; restrict it to users with
write-level association by extending each branch to also check the author's
association field (e.g., github.event.comment.author_association,
github.event.review.author_association, github.event.issue.author_association)
and require one of the approved values such as 'OWNER', 'MEMBER', or
'COLLABORATOR' (combine with logical &&), so only those associations can invoke
the workflow from the existing if block.
- Around line 28-36: Replace the mutable version tags used in the workflow
"uses" declarations with immutable commit SHAs: locate the two uses entries
referencing "actions/checkout@v4" and "anthropics/claude-code-action@v1" and
update them to the corresponding full commit SHA pins for those repositories
(e.g., actions/checkout@<commit-sha> and
anthropics/claude-code-action@<commit-sha>); ensure you pick the exact commit
SHA that matches the desired tagged release and update any lockfile or workflow
comments to reflect the SHA to prevent accidental retagging or deletion.
🧹 Nitpick comments (1)
.github/workflows/claude-code-review.yml (1)
22-26: Least‑privilege: confirmid-token: writeis required.
If the action only usesCLAUDE_CODE_OAUTH_TOKEN, drop OIDC to reduce token‑minting exposure.🔧 Proposed reduction (if OIDC is not required)
permissions: contents: read pull-requests: read issues: read - id-token: write
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In @.github/workflows/claude.yml:
- Around line 17-46: The claude-review job references github.event.pull_request
but lacks an if guard, so add an if: condition to the claude-review job to only
run on pull_request events (e.g., if: github.event_name == 'pull_request') to
prevent malformed concurrency group and prompt; modify the claude-review job
block (job name "claude-review", fields "concurrency: group" and "with: prompt")
to include this if line directly under the job declaration.
🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)
86-87: Redundantactions: readpermission.The
additional_permissionssetting specifiesactions: read, but this is already declared in the job'spermissionsblock at line 72. This duplication is harmless but unnecessary.♻️ Proposed fix
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} - # This is an optional setting that allows Claude to read CI results on PRs - additional_permissions: | - actions: read - # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @.github/workflows/claude.yml:
- Around line 17-41: The claude-review job references the secret
CLAUDE_CODE_OAUTH_TOKEN and will fail on forked pull requests because repository
secrets aren’t exposed to pull_request events; either add documentation in the
PR template/CONTRIBUTING noting this limitation for external contributors, or
change the job trigger to pull_request_target and harden the workflow by keeping
the job id/name claude-review, retaining the anthropics/claude-code-action
usage, and ensuring you perform a safe checkout (avoid checking out untrusted
fork code or use a separate checkout pattern that fetches only trusted refs) or
gate the review step behind an approval workflow so secrets aren’t exposed to
untrusted code.
- Around line 24-29: Remove the unnecessary id-token: write permission from the
workflow's job permissions blocks: locate the permissions map(s) containing keys
like contents, pull-requests, issues, id-token, actions and delete the id-token:
write entry in each block (the workflow uses explicit claude_code_oauth_token so
OIDC id-token is not needed) while keeping the other permissions intact to
enforce least-privilege.
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write | ||
| actions: read |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
find .github -name "claude.yml" -type fRepository: plastic-labs/honcho
Length of output: 91
🏁 Script executed:
cat -n .github/workflows/claude.yml | head -100Repository: plastic-labs/honcho
Length of output: 4335
🌐 Web query:
anthropics/claude-code-action GitHub OIDC id-token requirements
💡 Result:
For anthropics/claude-code-action, the GitHub Actions OIDC id-token permission is only required when the action is using OIDC-based authentication (not when you explicitly pass a GitHub token).
When you DO need permissions: id-token: write
1) Using the default Claude GitHub App authentication (OIDC)
If you rely on the Claude GitHub App’s default auth flow, your workflow/job must grant OIDC token minting:
permissions:
id-token: writeOtherwise runs fail with an OIDC error like “Unable to get ACTIONS_ID_TOKEN_REQUEST_URL … Did you remember to add id-token: write…”. [1]
This exact missing-permission failure has been reported as a critical issue for generated workflows. [2]
2) Using cloud-provider OIDC (AWS Bedrock / Google Vertex AI)
If you authenticate to AWS/GCP from GitHub Actions via Workload Identity/OIDC (as Anthropic’s docs describe for Bedrock/Vertex setups), you will also need id-token: write for those OIDC federation steps. [3]
When you DON’T need id-token: write
If you provide a github_token input (PAT or GitHub App installation token) and don’t use the OIDC-based default flow, you can avoid the OIDC id-token requirement. [1]
Sources:
[1] claude-code-action FAQ (OIDC errors / id-token: write vs github_token input) https://git.homeinfra.org/actions/claude-code-action/src/tag/v0.0.35/FAQ.md
[2] GitHub issue: missing id-token: write causes OIDC failure anthropics/claude-code-action#625
[3] Anthropic docs (Bedrock/Vertex prerequisites include GitHub OIDC / Workload Identity) https://docs.anthropic.com/en/docs/claude-code/github-actions
Remove id-token: write from both job permissions blocks.
The anthropics/claude-code-action is configured with an explicit claude_code_oauth_token, not relying on GitHub's default OIDC authentication. Since an OAuth token is provided directly, the id-token: write permission is unnecessary and can be removed to tighten least-privilege access.
♻️ Changes required at lines 24-29 and 68-73
permissions:
contents: read
pull-requests: read
issues: read
- id-token: write
actions: read📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| contents: read | |
| pull-requests: read | |
| issues: read | |
| id-token: write | |
| actions: read | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| issues: read | |
| actions: read |
🤖 Prompt for AI Agents
In @.github/workflows/claude.yml around lines 24 - 29, Remove the unnecessary
id-token: write permission from the workflow's job permissions blocks: locate
the permissions map(s) containing keys like contents, pull-requests, issues,
id-token, actions and delete the id-token: write entry in each block (the
workflow uses explicit claude_code_oauth_token so OIDC id-token is not needed)
while keeping the other permissions intact to enforce least-privilege.
* "Claude PR Assistant workflow" * "Claude Code Review workflow" * fix: delete separate code-review.yml * fix: condense and fix claude and claude review workflows * add PR guard --------- Co-authored-by: Rajat Ahuja <rahuja445@gmail.com>
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!
Summary by CodeRabbit