Pull request overview
Adds GitHub Actions workflows to integrate the Anthropic Claude Code action into this repository, enabling automated Claude runs based on mentions and (optionally) automated PR reviews.
Changes:
- Introduces a workflow that triggers Claude Code runs when @claude appears in issue/PR comments, issue bodies/titles, or PR reviews.
- Introduces a workflow that runs a Claude-based “code review” plugin automatically on PR lifecycle events.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/claude.yml | Adds an @claude-mention-triggered workflow invoking anthropics/claude-code-action@v1. |
| .github/workflows/claude-code-review.yml | Adds an automatic PR review workflow invoking the Claude Code Review plugin via anthropics/claude-code-action@v1. |
| # Optional: Only run on specific file changes | ||
| # paths: | ||
| # - "src/**/*.ts" | ||
| # - "src/**/*.tsx" | ||
| # - "src/**/*.js" | ||
| # - "src/**/*.jsx" |
This workflow runs on every PR open/synchronize/reopen event with no gating, which can create significant operational cost/noise if it invokes Claude on every push. Consider adding a filter (paths, author association, label, or a manual trigger) so the review only runs when intended.
| # Optional: Only run on specific file changes | |
| # paths: | |
| # - "src/**/*.ts" | |
| # - "src/**/*.tsx" | |
| # - "src/**/*.js" | |
| # - "src/**/*.jsx" | |
| # Only run on specific file changes to avoid unnecessary cost/noise | |
| paths: | |
| - "src/**/*.ts" | |
| - "src/**/*.tsx" | |
| - "src/**/*.js" | |
| - "src/**/*.jsx" |
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' |
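Review bot: `uses: anthropics/claude-code-action@v1` references a movable tag in the same step that receives `secrets.CLAUDE_CODE_OAUTH_TOKEN`, so whatever code the tag points to at run time is handed the token. Pin the action to a full commit SHA (`anthropics/claude-code-action@<full-commit-sha>`, keeping `# v1` as a trailing comment), and note that `plugin_marketplaces` likewise points at a Git URL with no fixed revision.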
Because this runs on the pull_request event, it will also run for PRs from forks, but repository secrets (like CLAUDE_CODE_OAUTH_TOKEN) are not provided to forked PR workflows. Add a job-level if: guard to skip fork PRs (e.g., check the PR head repo matches github.repository) to avoid failing runs and wasted CI capacity.
| # github.event.pull_request.user.login == 'new-developer' || | ||
| # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' | ||
|
|
||
| runs-on: ubuntu-latest |
This repository’s other workflows pin runners to ubuntu-24.04. Consider switching from ubuntu-latest to ubuntu-24.04 here as well to avoid unexpected behavior changes when GitHub updates the default runner image.
| runs-on: ubuntu-latest | |
| runs-on: ubuntu-24.04 |
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
The job can currently be triggered by anyone who can create an issue/comment containing "@claude" (including external users). This contradicts the PR description (“Only users with write access … can trigger”) and is a security risk because the workflow passes a secret (CLAUDE_CODE_OAUTH_TOKEN) to the action. Add an explicit authorization gate in the job if: (e.g., check github.event.comment.author_association / github.event.issue.author_association is OWNER/MEMBER/COLLABORATOR, or restrict to an allowlist of actors) before running the action.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| (github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| (github.event.comment.author_association == 'OWNER' || | |
| github.event.comment.author_association == 'MEMBER' || | |
| github.event.comment.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| (github.event.comment.author_association == 'OWNER' || | |
| github.event.comment.author_association == 'MEMBER' || | |
| github.event.comment.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| (github.event.review.author_association == 'OWNER' || | |
| github.event.review.author_association == 'MEMBER' || | |
| github.event.review.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'issues' && | |
| (contains(github.event.issue.body, '@claude') || | |
| contains(github.event.issue.title, '@claude')) && | |
| (github.event.issue.author_association == 'OWNER' || | |
| github.event.issue.author_association == 'MEMBER' || | |
| github.event.issue.author_association == 'COLLABORATOR')) |
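Review bot: The `OWNER`/`MEMBER`/`COLLABORATOR` comparison is written out four times in this suggested condition, once per event branch, so a later change to the allowed set has to be made in four places and one missed branch reopens the trigger to outside users. Consider a single membership test per branch, for example `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`, using the matching `review` and `issue` fields in the other branches.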
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | ||
| runs-on: ubuntu-latest |
This repository’s other workflows consistently pin the runner to ubuntu-24.04 (e.g., .github/workflows/tests.yml, build.yml). Using ubuntu-latest can introduce breaking changes when GitHub updates the default image; consider pinning to ubuntu-24.04 here for stability and consistency.
| runs-on: ubuntu-latest | |
| runs-on: ubuntu-24.04 |
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!