Add Claude Code GitHub Workflow

[hta218]

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

• New Features
  • Introduced automated AI-powered code review for pull requests, providing feedback on code quality, best practices, and potential issues.
  • Enabled Claude AI code assistance, which can be triggered by specific comments or actions within GitHub issues and pull requests.

[coderabbitai]

Walkthrough

Two new GitHub Actions workflow configuration files are added: one for automated AI-powered code review on pull requests, and another for on-demand Claude AI code assistance triggered by specific phrases or interactions in issues and pull requests. Both workflows use the anthropics/claude-code-action@beta action and include optional, commented-out configurations.

Changes

File(s)	Change Summary
.github/workflows/claude-code-review.yml	Added workflow for automated AI code review on PR open/synchronize events using Claude.
.github/workflows/claude.yml	Added workflow for on-demand Claude AI code assistance, triggered by "@claude" in comments.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub User
    participant GitHub Actions
    participant Claude Code Action

    GitHub User->>GitHub Actions: Open or update PR / comment "@claude"
    GitHub Actions->>Claude Code Action: Trigger workflow with repo context
    Claude Code Action->>GitHub Actions: Analyze code or respond to trigger
    GitHub Actions->>GitHub User: Post AI review or response as comment

Loading

Poem

In the warren of code, a new breeze blows,
With Claude on the watch as each pull request grows.
Whisper "@claude" and help hops near,
Bugs and best practices suddenly clear!
Now every review, with AI’s delight—
Is a rabbit’s leap toward code done right.
🐇✨

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch add-claude-github-actions-1752462297053

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai auto-generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[claude]

Claude finished @hta218's task —— View job

---

Claude Code Review

Reviewing this PR that adds Claude Code GitHub Actions workflows. Here's my analysis:

Review Checklist:

• Read and analyze .github/workflows/claude-code-review.yml
• Read and analyze .github/workflows/claude.yml
• Evaluate GitHub Actions best practices
• Check security configuration and permissions
• Assess workflow triggers and error handling
• Provide comprehensive feedback on code quality, bugs, performance, and security

---

📋 Review Summary

This PR adds two well-designed GitHub Actions workflows for Claude Code integration. Overall, the implementation follows best practices with good security considerations.

🟢 .github/workflows/claude-code-review.yml - Automated Reviews

Strengths:

• Clean YAML structure with comprehensive commenting
• Appropriate triggers (opened, synchronize) for PR lifecycle
• Performance optimized with fetch-depth: 1
• Comprehensive review prompt covering code quality, bugs, performance, security, and testing
• Extensive examples in comments for customization options

Considerations:

• Runs on all PRs by default - consider enabling commented filters for high-traffic scenarios
• No explicit timeout (uses GitHub's 6-hour default)

🟢 .github/workflows/claude.yml - Interactive Assistant

Strengths:

• Flexible trigger logic supporting multiple comment contexts
• Conditional execution only when @claude is mentioned
• Additional permissions for CI result access (actions: read)
• Good documentation with extensive configuration examples

Minor Suggestions:

• Consider adding timeout for long-running operations
• The additional_permissions might be redundant since actions: read is already in the permissions block

---

🔒 Security Analysis

✅ Excellent Security Practices:

• Minimal permissions: Both workflows use least-privilege principle
• Secret management: Proper use of secrets.CLAUDE_CODE_OAUTH_TOKEN
• No hardcoded credentials or sensitive data exposure
• Read-only access to repository contents by default

🔹 Additional Security Notes:

• The id-token: write permission is correctly included for OIDC authentication
• Workflows won't execute until PR is merged (as noted in description)
• Only users with repository write access can trigger the interactive workflow

---

⚡ Performance & Best Practices

✅ Optimizations:

• fetch-depth: 1 minimizes checkout time
• Uses latest stable action versions (actions/checkout@v4)
• Efficient conditional logic in triggers
• Beta version pinning for anthropics/claude-code-action@beta

💡 Suggestions:

# Consider adding timeouts for reliability
timeout-minutes: 30  # Adjust based on typical review duration

---

🧪 Configuration Recommendations

Based on the repository's TypeScript/React/Remix stack (from CLAUDE.md), consider enabling these options:

# In claude-code-review.yml, uncomment and customize:
paths:
  - "app/**/*.{ts,tsx}"
  - "app/**/*.{js,jsx}" 
  - "**.json"
  - "**.md"

# In claude.yml, consider adding project-specific tools:
allowed_tools: "Bash(npm run typecheck),Bash(npm run biome),Bash(npm run test)"

---

✅ Final Assessment

Code Quality: Excellent - clean, well-documented workflows
Security: Strong - follows GitHub Actions security best practices
Performance: Good - optimized for efficiency
Maintainability: Very good - extensive commenting and examples

Recommendation: ✅ Approve - This is a solid implementation ready for production use.

---

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

.github/workflows/claude.yml (1)

40-64: Clean up trailing spaces & superfluous blank line

YAMLlint flags trailing whitespace on several commented lines and an extra blank line at 65. While not breaking, it will keep CI green and diff noise low.

-# Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)␠
+# Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)

Apply similarly to lines 42, 48, 51, 54, 60 and delete the lone blank line at the end.

.github/workflows/claude-code-review.yml (1)

40-78: Whitespace tidy-up

Trailing spaces on lines 42, 51, 56, 64 etc., plus an extra blank line at 79, trip YAMLlint. Strip them to keep linting green.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 16aadaf and bfb74d4.

📒 Files selected for processing (2)

• .github/workflows/claude-code-review.yml (1 hunks)
• .github/workflows/claude.yml (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

.github/workflows/claude.yml

[error] 42-42: trailing spaces

(trailing-spaces)

---

[error] 45-45: trailing spaces

(trailing-spaces)

---

[error] 48-48: trailing spaces

(trailing-spaces)

---

[error] 51-51: trailing spaces

(trailing-spaces)

---

[error] 54-54: trailing spaces

(trailing-spaces)

---

[error] 60-60: trailing spaces

(trailing-spaces)

---

[warning] 64-64: too many blank lines (1 > 0)

(empty-lines)

.github/workflows/claude-code-review.yml

[error] 20-20: trailing spaces

(trailing-spaces)

---

[error] 27-27: trailing spaces

(trailing-spaces)

---

[error] 42-42: trailing spaces

(trailing-spaces)

---

[error] 51-51: trailing spaces

(trailing-spaces)

---

[error] 56-56: trailing spaces

(trailing-spaces)

---

[error] 64-64: trailing spaces

(trailing-spaces)

---

[error] 67-67: trailing spaces

(trailing-spaces)

---

[error] 70-70: trailing spaces

(trailing-spaces)

---

[error] 73-73: trailing spaces

(trailing-spaces)

---

[warning] 78-78: too many blank lines (1 > 0)

(empty-lines)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: claude-review

🔇 Additional comments (2)

.github/workflows/claude.yml (1)

21-27: Tighten permissions to the minimum needed
id-token: write grants OIDC token minting. Double-check the action really needs it; if not, drop it to reduce blast radius.

.github/workflows/claude-code-review.yml (1)

21-33: Consider full history for diff-based tools

fetch-depth: 1 is fine for most actions, but if the code-review step ever needs to diff beyond the last commit (e.g., force-push rewriting history) you may need full depth or at least the PR base. Verify the action’s requirements.

[coderabbitai]

🛠️ Refactor suggestion

Pin the external action to a commit SHA for supply-chain safety

Referencing anthropics/claude-code-action@beta means any future force-push to the beta branch alters historical builds. Pin to a specific commit:

-uses: anthropics/claude-code-action@beta
+uses: anthropics/claude-code-action@abc123def4567890abcdef1234567890abcdef12 # pin

Update regularly via Dependabot or Renovate.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Run Claude Code
	id: claude
	uses: anthropics/claude-code-action@beta
	with:
	claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
	- name: Run Claude Code
	id: claude
	- uses: anthropics/claude-code-action@beta
	+ uses: anthropics/claude-code-action@abc123def4567890abcdef1234567890abcdef12 # pin
	with:
	claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

🤖 Prompt for AI Agents

In .github/workflows/claude.yml around lines 33 to 38, the GitHub Action uses
the external action anthropics/claude-code-action@beta, which is a mutable
branch reference. To improve supply-chain security, replace the beta branch
reference with a specific commit SHA of the action. Find the latest stable
commit SHA for the action and update the uses field accordingly. Plan to update
this pinned SHA regularly using Dependabot or Renovate.

[coderabbitai]

🛠️ Refactor suggestion

Case-sensitive trigger may miss common variants
contains() is case-sensitive, so mentions like @Claude or @CLAUDE won’t fire the workflow. If you want the bot to react independent of casing, wrap toLower() round the checked strings.

-(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+(github.event_name == 'issue_comment' && contains(toLower(github.event.comment.body), '@claude')) ||

Repeat for the other three clauses.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In .github/workflows/claude.yml around lines 15 to 20, the contains() checks for
'@claude' are case-sensitive, so variants like '@Claude' or '@CLAUDE' won't
trigger the workflow. To fix this, wrap both the source strings and the search
string '@claude' in toLower() for all four conditions, ensuring the check is
case-insensitive and triggers on any casing variant.

[coderabbitai]

🛠️ Refactor suggestion

Pin the action to an immutable SHA

Same supply-chain concern as the other workflow—lock anthropics/claude-code-action to a commit hash.

-uses: anthropics/claude-code-action@beta
+uses: anthropics/claude-code-action@abc123def4567890abcdef1234567890abcdef12

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Run Claude Code Review
	id: claude-review
	uses: anthropics/claude-code-action@beta
	with:
	claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
	# Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
	- name: Run Claude Code Review
	id: claude-review
	uses: anthropics/claude-code-action@abc123def4567890abcdef1234567890abcdef12
	with:
	claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
	# Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)

🤖 Prompt for AI Agents

In .github/workflows/claude-code-review.yml around lines 34 to 40, the GitHub
action 'anthropics/claude-code-action@beta' is referenced using a mutable tag.
To improve supply-chain security, replace the 'beta' tag with a specific
immutable commit SHA hash for the action. Find the latest stable commit SHA for
this action and update the 'uses' field accordingly to lock the action version.