
Add Claude Code GitHub Workflow#142

Merged
ANcpLua merged 2 commits into main from add-claude-github-actions-1779142967207 on May 18, 2026

Conversation

ANcpLua (Owner)

@ANcpLua ANcpLua commented May 18, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@ANcpLua ANcpLua merged commit 8cff6b0 into main May 18, 2026
6 of 8 checks passed
@github-actions

@coderabbitai autofix

@ANcpLua ANcpLua deleted the add-claude-github-actions-1779142967207 branch May 18, 2026 22:25
@coderabbitai

coderabbitai Bot commented May 18, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c36ece6b-0996-4e0f-b4b5-13870c88626e

📥 Commits

Reviewing files that changed from the base of the PR and between f579808 and 534c713.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml

Cache: Disabled due to Reviews > Disable Cache setting

Knowledge base: Disabled due to data retention organization setting


Behavior

This PR adds two GitHub Actions workflows enabling Claude Code integration:

  1. claude.yml (~50 lines): Triggers on mentions of @claude in issue/PR comments, PR review comments, PR reviews, and new issues. Routes triggering events to Claude Code via anthropics/claude-code-action@v1 with full repository context.

  2. claude-code-review.yml (~44 lines): Automatically runs on every PR open/synchronize/reopen/ready_for_review event, invoking the code-review@claude-code-plugins plugin to analyze code changes.

Both workflows use semantic versioning (actions/checkout@v4, anthropics/claude-code-action@v1) with minimal permissions: read-only on contents/PRs/issues, write-only on id-token and comments.

Risk Surface

  • Automatic execution: Code review workflow triggers on all PR events without explicit opt-in; AI-generated comments visible to all watchers and counted against Claude API quota
  • Token exposure: Workflow runs are permanently recorded in GitHub Actions history with Claude's comments publicly visible; requires secure management of CLAUDE_CODE_OAUTH_TOKEN secret across all forks and contributors with write access
  • Dependency volatility: Reliance on external anthropics/claude-code-action@v1 and plugin marketplace (https://github.com/anthropics/claude-code.git); breaking changes in major versions or marketplace unavailability could disable workflows
  • No rate limiting: Unbounded API usage from high-volume PR activity or malicious comment spam
  • Permission scope: id-token: write enables OIDC token generation; potential for token misuse if action is compromised

Validation Evidence

  • Uses semantic versioning rather than mutable branch references (@main)
  • Permissions follow least-privilege model: read-only on repository state, write limited to comments/tokens
  • Includes commented-out filter examples for author and path-based PR filtering
  • Fetch depth of 1 minimizes data transfer
  • Credentials stored in GitHub Actions secrets, not hardcoded

Generated Artifacts

  • Persistent GitHub Actions run history for all triggered events (searchable, filterable by author and status)
  • Claude-generated review comments on PRs (visible to all repo viewers)
  • Potential file changes/commits if Claude Code modifies repository

Cross-Repo Implications

  • Hard dependency on upstream action versioning; major version changes require explicit workflow updates to maintain functionality
  • External marketplace dependency introduces availability risk for code-review plugin

Walkthrough

Both Claude-related GitHub Actions workflows are updated to reference action versions by major version tag rather than pinned commit SHAs. The allowed_bots setting is removed from the Claude code review step. Action configuration for tokens, plugins, and prompts remains unchanged.

Changes

GitHub Actions Workflow Version Upgrades

Layer / File(s) Summary
Action version upgrades and configuration refinement
.github/workflows/claude.yml, .github/workflows/claude-code-review.yml
Both workflows now use actions/checkout@v4 and anthropics/claude-code-action@v1 instead of pinned commit SHAs. The allowed_bots input is removed from the Claude code review step configuration while token, plugin, and prompt settings remain intact.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • ANcpLua/ErrorOrX#18: Introduces the .github/workflows/claude.yml and .github/workflows/claude-code-review.yml workflows that this PR updates.
  • ANcpLua/ANcpLua.Analyzers#95: Also upgrades anthropics/claude-code-action to @v1 in claude-code-review.yml.
  • ANcpLua/ANcpLua.NET.Sdk#96: Introduces claude-code-action@v1 with allowed_bots configuration while this PR removes that setting.

Suggested labels

area:build, area:ci, area:security


@coderabbitai

coderabbitai Bot commented May 18, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Autofix skipped. No unresolved CodeRabbit review comments with fix instructions found.

@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.


@codacy-production codacy-production Bot left a comment

Pull Request Overview

While the PR successfully updates various action versions and introduces the basic structure for the Claude Code workflow, it is currently incomplete for the stated goals. The implementation lacks the necessary permissions and repository history depth to function effectively as an AI coding agent.

Crucially, the workflow is missing the 'on:' trigger configuration entirely, meaning it will not activate on '@claude' mentions as intended. There is also a discrepancy between the PR description and the implementation regarding 'allowed_tools', which limits the agent's ability to perform build or test tasks. These functional gaps must be addressed before merging.

About this PR

  • The workflow is missing the 'on:' trigger configuration. Without this, the system cannot verify or execute the logic intended to respond to '@claude' mentions in PR or issue comments.
2 comments outside of the diff
[REDACTED:HIGH_ENTROPY]

line 26 🔴 HIGH RISK
Missing 'pull-requests: write' and 'contents: write' permissions. These are required for Claude to create comments, branches, and commits as described in the PR summary.

line 35 🟡 MEDIUM RISK
The anthropics/claude-code-action requires git history to perform accurate PR analysis and provide contextual feedback. The current configuration using fetch-depth: 1 in the checkout step (line 31) only fetches the latest commit, which will likely cause the tool to fail or produce incomplete reviews.

Try running the following prompt in your coding agent:

Update the actions/checkout step to use fetch-depth: 0 to ensure the Claude Code action has access to the full repository history for analysis.

Test suggestions

  • Verify the workflow trigger logic correctly identifies and responds to '@claude' strings in comments.
  • Verify that 'pull-requests: write' and 'contents: write' permissions are granted to the workflow job.
  • Ensure the CLAUDE_CODE_OAUTH_TOKEN is successfully injected into the action environment.
Low confidence findings
  • The 'allowed_tools' configuration is missing from the workflow. This will prevent Claude from running necessary build or test commands as described in the integration requirements.

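The three comments above disagree about what a safe `claude.yml` looks like: the PR description says only writers can trigger it, the CodeRabbit walkthrough notes that the workflows moved from pinned commit SHAs to major-version tags, and the Codacy review says the `on:` block and write permissions are missing. The following is an added example, not part of this thread and not either project's own code. It embeds two constructed workflow texts (a weak one and a hardened one; the commit SHAs are placeholders and the action input names are taken from the PR description rather than a verified API) and runs a small regex-based lint over them for the properties the reviewers argue about: a trigger block, actions pinned to full commit SHAs, write permissions limited to `id-token`, and an `author_association` gate on the triggering comment.

```python
import re

# Constructed sample workflows for illustration (not the repository's actual
# .github/workflows files). Commit SHAs are placeholders, and the action input
# names follow the PR description on this page rather than a verified API.
WEAK_WORKFLOW = """\
name: Claude Code
jobs:
  claude:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
"""

HARDENED_WORKFLOW = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
jobs:
  claude:
    # Comment bodies are attacker-controlled; gate on both the mention and the
    # author's association so drive-by commenters cannot start a run.
    if: >-
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4, placeholder SHA
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@1111111111111111111111111111111111111111  # v1, placeholder SHA
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)
"""

# Line-oriented heuristics, not a YAML parser: good enough for CI-style checks
# on hand-written workflow files.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
WRITE_RE = re.compile(r"^\s+([\w-]+):\s*write\s*$", re.M)
# Only id-token may be write: it is needed for the OIDC exchange the reviewers
# mention. Everything else stays read-only.
ALLOWED_WRITE_SCOPES = {"id-token"}


def unpinned_actions(text: str) -> list[str]:
    """Return 'owner/repo@ref' for every action not pinned to a 40-hex commit SHA."""
    return [f"{action}@{ref}" for action, ref in USES_RE.findall(text)
            if not FULL_SHA_RE.match(ref)]


def excess_write_permissions(text: str) -> list[str]:
    """Return permission scopes granted write outside ALLOWED_WRITE_SCOPES."""
    return sorted(set(WRITE_RE.findall(text)) - ALLOWED_WRITE_SCOPES)


def has_trigger(text: str) -> bool:
    """True if the workflow has a top-level 'on:' block."""
    return re.search(r"^on:", text, re.M) is not None


def has_author_gate(text: str) -> bool:
    """True if some condition in the file inspects the commenter's author_association."""
    return "author_association" in text


def lint(text: str) -> list[str]:
    """Collect findings for one workflow file's text, in a stable order."""
    findings = []
    if not has_trigger(text):
        findings.append("missing top-level 'on:' trigger block")
    findings += [f"action not pinned to a full commit SHA: {ref}"
                 for ref in unpinned_actions(text)]
    findings += [f"write permission broader than needed: {scope}"
                 for scope in excess_write_permissions(text)]
    if not has_author_gate(text):
        findings.append("no author_association gate on the triggering comment")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {lint(text) or 'no findings'}")
```

The `author_association` gate matters because "only users with write access can trigger the workflow" is a property of the `if:` condition, not of the `issue_comment` event itself, which fires for any commenter on a public repository. Pinning to a full SHA (with the version tag kept as a trailing comment so Dependabot can still bump it) is what turns `@v1` from a mutable pointer into an auditable dependency; a major-version tag is better than `@main`, as the CodeRabbit summary says, but it can still be moved by the action's maintainers or by anyone who compromises that repository.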
