Add Claude Code GitHub Workflow#3
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
Adds GitHub Actions workflows to integrate the Claude Code GitHub App into the repo, enabling automated agent execution from mentions and automated PR reviews.
Changes:
- Add a workflow that runs Claude Code when
@claudeis mentioned in issues, issue comments, PR review comments, or PR reviews. - Add a workflow that runs an automated Claude-based code review on PR events.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
.github/workflows/claude.yml |
New “mention-driven” Claude workflow for issues/comments/reviews. |
.github/workflows/claude-code-review.yml |
New PR-triggered workflow to run the Claude code review plugin. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| on: | ||
| issue_comment: | ||
| types: [created] | ||
| pull_request_review_comment: | ||
| types: [created] | ||
| issues: | ||
| types: [opened, assigned] | ||
| pull_request_review: | ||
| types: [submitted] |
There was a problem hiding this comment.
Security: this workflow can be triggered by anyone who can open an issue or comment (including external users) by including @claude, but it passes the CLAUDE_CODE_OAUTH_TOKEN secret to the action. This creates a risk of secret exposure / unauthorized agent runs. Add an explicit authorization gate (e.g., check github.event.sender/author_association and/or query collaborator permission) and/or remove the issues trigger so only trusted actors can trigger it; this also aligns with the PR description claim that only write-access users can trigger.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
There was a problem hiding this comment.
The job-level if: only checks for the @claude substring and does not verify the commenter/issue author has write permissions. Please add a permissions/role check (or a separate pre-step that validates github.event.sender has at least write access) before running the action so untrusted users can't trigger it.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| (github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || | |
| (github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || | |
| (github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) || | |
| (github.event_name == 'issues' && | |
| (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)) |
There was a problem hiding this comment.
Claude finished @GilbN's task in 27s —— View job
Fixing claude.yml permission check
- Gather context
- Understand the request
- Execute changes
Unfortunately, I'm unable to modify files in the .github/workflows/ directory — the GitHub App permissions do not allow workflow file modifications. You can find more information in the FAQ.
Here's the fix you need to apply manually to .github/workflows/claude.yml. Replace the if: block (lines 15–19) with:
if: |
(github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
(github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
(github.event_name == 'pull_request_review' &&
contains(github.event.review.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
(github.event_name == 'issues' &&
(contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))This adds author_association checks so that only OWNER, MEMBER, or COLLABORATOR users can trigger Claude — preventing untrusted external users from running the agent.
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| # Optional: Only run on specific file changes |
There was a problem hiding this comment.
This workflow will run on pull_request events for forked PRs too, but secrets (like CLAUDE_CODE_OAUTH_TOKEN) are not provided to forked workflows; the action is likely to fail and create noisy red checks. Consider gating the job/step (e.g., if: github.event.pull_request.head.repo.fork == false or checking that the token is present) so it only runs when it can authenticate.
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!