Add Claude Code GitHub Workflow #15

Open
justin808 wants to merge 5 commits into main from add-claude-github-actions-1782717923448
Conversation

justin808 (Member) commented Jun 29, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • New Features
    • Added AI-assisted code review workflows for pull requests and comment-based triggers.
    • Introduced a deeper review mode that runs only when specifically requested via a command phrase.
    • Enabled AI assistance when comments or issue text include a trigger keyword.
  • Bug Fixes
    • Improved workflow verification to prevent “silent success” cases and ensure invalid/expired review runs fail instead of passing.

coderabbitai Bot commented Jun 29, 2026


Walkthrough

Three GitHub Actions workflows are added for Claude Code: an automatic PR review workflow with error verification, a /claude-deep-review command workflow, and an @claude mention workflow for issues and PR comments.

Changes

Claude CI Workflows

Layer / file / summary:
  • Automatic PR code review with silent-success fix (.github/workflows/claude-code-review.yml): Triggers on PR events, runs anthropics/claude-code-action@v1 with a structured prompt restricted to inline GitHub comments, and adds a Bash verification step that parses the action's execution_file via jq to fail the job when .is_error is true.
  • Command-triggered deep review (.github/workflows/claude-deep-review.yml): Triggers on created issue comments only when the comment is on a pull request and includes /claude-deep-review, checks out the repo, and runs the Claude Code action with the code-review plugin targeting the current PR.
  • Interactive @claude mention workflow (.github/workflows/claude.yml): Triggers on issue comments, PR review comments, and issue open/assign events when the body or title contains @claude; configures permissions for repository and CI access and runs the Claude Code action via CLAUDE_CODE_OAUTH_TOKEN.

Estimated code review effort: 2 (Simple) | ~10 minutes


🚥 Pre-merge checks | ✅ 5 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly summarizes the main change: adding GitHub Actions workflows for Claude Code integration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

cloudflare-workers-and-pages Bot commented Jun 29, 2026

Deploying shakastack-com with Cloudflare Pages

Latest commit: 7bc2568
Status: ✅  Deploy successful!
Preview URL: https://3aa133ac.shakastack-com.pages.dev
Branch Preview URL: https://add-claude-github-actions-17.shakastack-com.pages.dev


coderabbitai Bot left a comment

Actionable comments posted: 7

🧹 Nitpick comments (1)
.github/workflows/claude-deep-review.yml (1)

18-21: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Disable checkout credential persistence.

actions/checkout will otherwise leave the workflow token in the local git config for the downstream Claude action/plugin chain to access. This job does not need authenticated git writes after checkout.

Suggested fix
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-deep-review.yml around lines 18 - 21, The Checkout
repository step currently leaves the workflow token persisted in git config,
which is unnecessary for this job. Update the actions/checkout configuration in
the claude-deep-review workflow to disable credential persistence so downstream
Claude actions cannot reuse the token. Keep the existing checkout behavior
otherwise, and make the change in the Checkout repository step using the
checkout action’s credential-persistence setting.

Source: Linters/SAST tools


📥 Commits

Reviewing files that changed from the base of the PR and between 7aa9e8f and f3f7af4.

📒 Files selected for processing (3)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude-deep-review.yml
  • .github/workflows/claude.yml

Comment on lines +17 to +20
- name: Checkout repository
uses: actions/checkout@v6
with:
fetch-depth: 1
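Review bot: `uses: actions/checkout@v6` here, while the checkout steps in claude.yml and claude-deep-review.yml in the same PR use `actions/checkout@v4`; the three workflows should agree on one version. Since the very next step hands the workspace to a third-party action with Bash tooling, reference the checkout action by its full commit SHA (tag noted in a trailing comment) rather than a mutable tag, so the code that populates the workspace cannot change underneath the workflow.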


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable credential persistence during checkout.

Line 17 leaves actions/checkout at its default, which writes the workflow token into .git/config. Because the next step runs a third-party action and exposes Bash tooling, that token becomes readable from the workspace with this job’s write scopes. Set persist-credentials: false here.

Suggested fix
       - name: Checkout repository
         uses: actions/checkout@v6
         with:
           fetch-depth: 1
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 17-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-code-review.yml around lines 17 - 20, The Checkout
repository step uses actions/checkout with default credential persistence, which
leaves the workflow token in .git/config and available to later steps. Update
the checkout configuration in the workflow to disable credential persistence by
setting persist-credentials to false in the actions/checkout setup so the token
is not written into the workspace.

Source: Linters/SAST tools

Comment on lines +11 to +15
permissions:
contents: read
pull-requests: read
issues: read
id-token: write


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Grant comment write scopes to this job.

Line 13 and Line 14 only allow reads, so the deep-review run cannot post PR feedback even though that is the workflow’s purpose. The repo’s other Claude review workflow already uses write scopes for the same action.

Suggested fix
     permissions:
       contents: read
-      pull-requests: read
-      issues: read
+      pull-requests: write
+      issues: write
       id-token: write
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-deep-review.yml around lines 11 - 15, The
`permissions` block for the Claude deep review job is too restrictive, so the
workflow cannot post PR feedback. Update the permissions in
`claude-deep-review.yml` to grant the same comment/write scopes used by the
other Claude review workflow, especially for `pull-requests` and any needed
issue/comment access, while keeping `contents: read` and `id-token: write` as
appropriate.

Comment on lines +23 to +30
- name: Run Claude Code deep review
id: claude-deep-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: "https://github.com/anthropics/claude-code.git"
plugins: "code-review@claude-code-plugins"
prompt: "/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}"
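Review bot: the prompt interpolates `${{ github.event.pull_request.number }}`, but this workflow is triggered by `issue_comment` (the walkthrough says it runs on created issue comments on a pull request), and that event's payload has no top-level `pull_request` object, so the expression renders empty and the prompt ends in `.../pull/`. Use `${{ github.event.issue.number }}`, which is the PR number when the comment is on a pull request, and gate the job on `github.event.issue.pull_request` being present so it never runs for comments on plain issues.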


🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf 'Files of interest:\n'
git ls-files '.github/workflows/*claude*.yml' '.github/workflows/*claude*.yaml'

printf '\nOutline of .github/workflows/claude-deep-review.yml:\n'
ast-grep outline .github/workflows/claude-deep-review.yml --view expanded || true

printf '\nOutline of .github/workflows/claude-code-review.yml:\n'
ast-grep outline .github/workflows/claude-code-review.yml --view expanded || true

printf '\nRelevant lines from claude-deep-review.yml:\n'
sed -n '1,120p' .github/workflows/claude-deep-review.yml

printf '\nRelevant lines from claude-code-review.yml:\n'
sed -n '1,180p' .github/workflows/claude-code-review.yml

Repository: shakacode/shakastack-com

Length of output: 5663


🌐 Web query:

anthropics/claude-code-action v1 execution_file output exit success review failed silent no-op

💡 Result:

The anthropics/claude-code-action v1 is a GitHub Action designed to integrate Claude Code into CI/CD workflows for tasks such as automated PR reviews, code changes, and issue management [1][2]. Regarding the specific execution and output mechanics:

Execution File and Output: The action generates a JSON file containing the execution log of the Claude Code session [3][4]. This path is exposed as a GitHub Action output named execution_file [3][5]. Users can access this path within subsequent steps of their workflow using ${{ steps..outputs.execution_file }} [5]. The action also provides an output named conclusion, which indicates whether the execution was a success or failure [3][4].

Success and Failure States: The conclusion output is explicitly set to 'success' if the Claude Code session completes successfully, and 'failure' otherwise [3][6][4]. If an error occurs during execution, the action catches the exception, may attempt to set the execution_file output if available, and calls core.setFailed to mark the step as failed in the GitHub Actions runner [3].

Silent/No-op Behavior: The action differentiates between modes based on the presence of a prompt input [7]. When a prompt is provided (Automation Mode), the action executes immediately [7]. Without a prompt (Interactive Mode), it waits for @claude mentions in PRs or issues [7]. Regarding silent operation or "no-ops," while there is no specific silent flag, the action is designed to be configurable; for instance, users can control comment behavior or disable specific features like inline comment classification using inputs such as classify_inline_comments: 'false' [8]. If the action triggers but finds no work to do or is misconfigured, it may complete without performing changes, but it will generally still produce an execution result [7][3].

For detailed usage, developers typically access the execution file to generate job summaries or custom reports by cat-ing the file content into $GITHUB_STEP_SUMMARY [3][5].


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf 'Search for execution_file and claude-code-action references:\n'
rg -n --hidden --glob '!**/.git/**' 'execution_file|claude-code-action@v1|claude_code_oauth_token|code-review@claude-code-plugins' .

printf '\nWorkflow files mentioning verification:\n'
rg -n --hidden --glob '.github/workflows/*' 'execution_file|jq -s|claude-deep-review|claude-code-review|is_error' .github/workflows

Repository: shakacode/shakastack-com

Length of output: 2702


Add the same execution-file guard here
This workflow can still go green if anthropics/claude-code-action@v1 returns without posting a review, because it skips the execution_file check already used in .github/workflows/claude-code-review.yml. Mirror that step so an invalid or expired CLAUDE_CODE_OAUTH_TOKEN fails the job instead of silently doing nothing.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-deep-review.yml around lines 23 - 30, The Claude
deep review workflow is missing the same post-action execution-file guard used
in the other Claude review workflow, so the job can pass even when no review is
actually posted. Update the `Run Claude Code deep review` job to mirror the
`execution_file` check from `.github/workflows/claude-code-review.yml` after
`anthropics/claude-code-action@v1` runs, and fail the job when the file is
absent so an invalid or expired `CLAUDE_CODE_OAUTH_TOKEN` does not silently
succeed.

Comment on lines +8 to +16
issues:
types: [opened, assigned]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))


🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Avoid retriggering Claude on unrelated issue assignments.

With issues: [opened, assigned], any later assignment of an issue whose title/body already contains @claude reruns Claude. Remove assigned unless there is a specific assignee-based flow.

Proposed fix
   issues:
-    types: [opened, assigned]
+    types: [opened]
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude.yml around lines 8 - 16, The GitHub Actions trigger
in claude.yml is too broad because the issues event currently includes assigned,
which causes the claude job to rerun on unrelated assignee changes whenever the
issue already contains `@claude`. Update the issues trigger in the workflow so it
only runs for the intended issue creation flow, and keep the existing claude job
condition logic unchanged unless you need to support a specific assignee-based
path. Use the workflow job named claude and the issues.types configuration to
locate the fix.

Comment on lines +13 to +16
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Gate @claude triggers to trusted authors.

The PR objective says write-access users should trigger Claude, but this condition accepts any issue/PR comment containing @claude while passing CLAUDE_CODE_OAUTH_TOKEN to the action.

Proposed minimum gate
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '`@claude`')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '`@claude`')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '`@claude`') || contains(github.event.issue.title, '`@claude`')))
+      (github.event_name == 'issue_comment' &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
+        contains(github.event.comment.body, '`@claude`')) ||
+      (github.event_name == 'pull_request_review_comment' &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
+        contains(github.event.comment.body, '`@claude`')) ||
+      (github.event_name == 'issues' &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association) &&
+        (contains(github.event.issue.body, '`@claude`') || contains(github.event.issue.title, '`@claude`')))
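Review bot: every `contains(...)` literal in this hunk, the `-` lines included, wraps the mention in backticks inside the single quotes, i.e. '`@claude`' rather than the '@claude' the PR actually adds; committed as shown, the gate would only fire on comments that contain the backticked string. Keep the `fromJSON('["OWNER","MEMBER","COLLABORATOR"]')` / `author_association` check but restore the plain '@claude' literals, and apply the same author gate to the `/claude-deep-review` trigger in claude-deep-review.yml, which passes the same `CLAUDE_CODE_OAUTH_TOKEN` and, per the walkthrough, only checks that the comment is on a PR and contains the command phrase.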
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude.yml around lines 13 - 16, The workflow trigger in
the GitHub Actions condition currently lets any `@claude` mention start the job,
even though it passes `CLAUDE_CODE_OAUTH_TOKEN`. Update the `if` expression in
`.github/workflows/claude.yml` to gate `issue_comment`,
`pull_request_review_comment`, and `issues` events to trusted authors only,
using the existing event payload fields for author association or write-access
status. Keep the `@claude` text check, but combine it with an author trust check
so only write-access users can invoke Claude.

Comment on lines +25 to +28
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable checkout credential persistence.

actions/checkout persists the GitHub token by default, leaving it in the workspace before the Claude action runs. This workflow only needs a read checkout.

Proposed fix
         with:
           fetch-depth: 1
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 25-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude.yml around lines 25 - 28, The Checkout repository
step is leaving the GitHub token persisted by default, but this workflow only
needs read-only source access. Update the actions/checkout usage in the workflow
to disable credential persistence so the token is not written into the workspace
before the Claude action runs, while keeping the existing checkout behavior
otherwise unchanged.

Source: Linters/SAST tools

Comment on lines +30 to +34
- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}


🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify Claude workflows consistently check the action execution_file result.
rg -n -C3 'execution_file|is_error|claude-code-action@v1' .github/workflows

Repository: shakacode/shakastack-com

Length of output: 4223


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== claude.yml ==\n'
cat -n .github/workflows/claude.yml

printf '\n== claude-deep-review.yml ==\n'
cat -n .github/workflows/claude-deep-review.yml

printf '\n== claude-code-review.yml (relevant section) ==\n'
sed -n '20,95p' .github/workflows/claude-code-review.yml

Repository: shakacode/shakastack-com

Length of output: 7231


Add Claude result verification to this workflow .github/workflows/claude.yml:30-34 — mirror the execution_file/is_error check from .github/workflows/claude-code-review.yml so an invalid or expired token doesn’t leave the job green with no Claude output.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude.yml around lines 30 - 34, The Claude action step in
claude.yml currently reports success even when no valid Claude output is
produced. Update the workflow to mirror the result verification used in
claude-code-review.yml by checking the generated execution file and its is_error
status after the Run Claude Code step, and fail the job if the token is
invalid/expired or if Claude did not produce a successful result.
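A Python version of the execution-file guard this thread keeps asking for, added here as an example; it is not a step from this PR nor code from the claude-code-action project. It assumes the execution_file is a JSON array of log entries in which a failed entry carries "is_error": true (the field the PR's own jq step checks), and the sample logs it runs on are constructed.

```python
"""Post-action guard for the Claude Code action's execution_file (added example).

Assumptions, not taken from the PR: the execution_file is a JSON array of log
entries and a failed entry carries "is_error": true. Sample logs are constructed."""
import json
import os
import sys
import tempfile
from dataclasses import dataclass
from typing import Any, Dict


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def _error_entries(node: Any) -> int:
    """Count objects anywhere in the tree whose is_error is true (like a jq '..' walk)."""
    if isinstance(node, dict):
        own = 1 if node.get("is_error") is True else 0
        return own + sum(_error_entries(v) for v in node.values())
    if isinstance(node, list):
        return sum(_error_entries(v) for v in node)
    return 0


def verify_execution_file(path: str) -> Verdict:
    """Decide whether a claude-code-action run should pass the job.

    Each silent-success mode the review thread describes gets its own reason: the action
    set no execution_file output at all (typical of an invalid or expired token), the file
    is missing, empty or not a JSON array, the log carries is_error entries, or Claude
    wrote no entries."""
    if not path:
        return Verdict(False, "action set no execution_file output (invalid or expired token?)")
    if not os.path.isfile(path):
        return Verdict(False, f"execution_file {path!r} does not exist")
    if os.path.getsize(path) == 0:
        return Verdict(False, f"execution_file {path!r} is empty")
    try:
        with open(path, encoding="utf-8") as fh:
            log = json.load(fh)
    except ValueError as exc:
        return Verdict(False, f"execution_file is not valid JSON: {exc}")
    if not isinstance(log, list):
        return Verdict(False, "execution_file is not a JSON array of log entries")
    errors = _error_entries(log)
    if errors:
        return Verdict(False, f"{errors} log entr{'y' if errors == 1 else 'ies'} flagged is_error")
    if not log:
        return Verdict(False, "execution log is empty: Claude produced no output")
    return Verdict(True, "Claude run completed without error entries")


def run_samples() -> Dict[str, bool]:
    """Exercise the guard on constructed logs; returns case name -> job passes."""
    tmp = tempfile.mkdtemp(prefix="claude-exec-")
    cases = {
        # constructed: a healthy run that posted review comments
        "ok": json.dumps([
            {"type": "assistant", "message": {"content": [{"type": "text", "text": "Posted 2 inline comments."}]}},
            {"type": "result", "is_error": False},
        ]),
        # constructed: a tool call failed mid-run and the final result is an error
        "error": json.dumps([
            {"type": "user", "message": {"content": [{"type": "tool_result", "is_error": True, "content": "401 Unauthorized"}]}},
            {"type": "result", "is_error": True},
        ]),
        "empty": "[]",
        "invalid": "{not json",
    }
    results: Dict[str, bool] = {}
    for name, content in cases.items():
        file_path = os.path.join(tmp, f"{name}.json")
        with open(file_path, "w", encoding="utf-8") as fh:
            fh.write(content)
        results[name] = verify_execution_file(file_path).ok
    results["missing"] = verify_execution_file(os.path.join(tmp, "absent.json")).ok
    results["unset"] = verify_execution_file("").ok
    return results


def main(argv: list) -> int:
    # Workflow usage (step id "claude" is the one claude.yml uses; script name is hypothetical):
    #   run: python3 verify_claude_run.py "${{ steps.claude.outputs.execution_file }}"
    verdict = verify_execution_file(argv[1] if len(argv) > 1 else "")
    # ::error:: / ::notice:: are GitHub Actions workflow commands that create annotations.
    print(f"::{'notice' if verdict.ok else 'error'}::{verdict.reason}")
    return 0 if verdict.ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no argument (the case where the action never set its output) and the script exits 1 with an error annotation, which is exactly the silent-success path the thread wants closed.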

coderabbitai Bot left a comment

♻️ Duplicate comments (2)
.github/workflows/claude-deep-review.yml (2)

23-30: 🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift

Missing execution-file guard against silent-success on invalid token.

This step lacks the execution_file-based verification step present in claude-code-review.yml, so an invalid/expired CLAUDE_CODE_OAUTH_TOKEN can make the job pass without ever posting a review. Previously flagged and still unresolved.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-deep-review.yml around lines 23 - 30, The Claude
deep review workflow step can silently succeed with an invalid or expired OAuth
token because it does not verify that the review actually ran. Update the
claude-deep-review job in the workflow to include the same execution_file-based
guard used in claude-code-review.yml, tying the check to the claude-code-action
step so the job fails if no review output is produced. Use the existing step id
claude-deep-review and the claude_code_oauth_token configuration as the anchor
points when adding the verification.

11-15: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Grant comment write scopes to this job.

Job only has read permissions, so the deep-review action cannot post PR feedback despite that being the workflow's purpose. This was previously flagged and remains unaddressed.

Suggested fix
     permissions:
       contents: read
-      pull-requests: read
-      issues: read
+      pull-requests: write
+      issues: write
       id-token: write
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-deep-review.yml around lines 11 - 15, The workflow
job’s permissions are read-only, so the deep-review action cannot leave PR
feedback. Update the permissions block for the claude-deep-review job to grant
comment-writing access, using the existing permissions section in the workflow
so the action can post review comments and feedback.


📥 Commits

Reviewing files that changed from the base of the PR and between f3f7af4 and 7bc2568.

📒 Files selected for processing (1)
  • .github/workflows/claude-deep-review.yml
