
Add Claude Code GitHub Workflow #2

Merged
aidencullo merged 2 commits into main from add-claude-github-actions-1766427280241
Dec 22, 2025

@aidencullo
Owner

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@aidencullo aidencullo merged commit aabf2f9 into main Dec 22, 2025
1 check passed
@aidencullo aidencullo deleted the add-claude-github-actions-1766427280241 branch December 22, 2025 18:15

claude Bot commented Dec 22, 2025

Review Summary: This PR adds Claude Code GitHub Actions workflows. The implementation is solid with good security practices. Key recommendations: 1) Update path filters from TypeScript to Haskell file extensions (*.hs, *.lhs, *.cabal). 2) Create missing CLAUDE.md referenced in the prompt. 3) Consider adding actions:read permission to review workflow for CI result access. 4) Document dual-workflow behavior. The workflows are well-structured, secure, and ready to merge. See full detailed review below.


claude Bot commented Dec 22, 2025

✅ Strengths

  1. Security Configuration: Follows GitHub Actions best practices with least privilege permissions, proper secret handling, and explicit permission scoping.

  2. Well-Structured Workflows: Clear organization with descriptive names, helpful comments, and sensible defaults with customization options.

  3. Proper Triggers: Event triggers correctly configured for both automatic PR reviews and on-demand @claude mentions.

  4. Version Pinning: Uses actions/checkout@v4 with proper version pinning.


claude Bot commented Dec 22, 2025

🔍 Key Recommendations

1. Path Filters for Haskell (.github/workflows/claude-code-review.yml:7-11)
The commented path filters reference TypeScript/JavaScript files but this is a Haskell repo. Update to:

# paths:
#   - "**/*.hs"
#   - "**/*.lhs"  
#   - "**/*.cabal"
#   - "stack.yaml"

2. Permissions Consistency
claude.yml has actions:read but claude-code-review.yml does not. If Claude needs to read CI results for PR reviews, add actions:read to the review workflow too.

3. Workflow Overlap
Both workflows may run on the same PR (automatic review + @claude mentions). Consider adding conditional checks to prevent duplicates or document this behavior.


claude Bot commented Dec 22, 2025

🔍 Additional Observations

4. Missing Write Permissions Check
PR description mentions write access requirement, but workflows do not enforce it. Consider adding:

if: ${{ github.event.pull_request.author_association == 'OWNER' ||
       github.event.pull_request.author_association == 'MEMBER' ||
       github.event.pull_request.author_association == 'COLLABORATOR' }}

5. Limited Tool Permissions (.github/workflows/claude-code-review.yml:56)
Review workflow restricts tools to gh commands only. Claude cannot run Haskell tools (ghc, stack, cabal) or tests. This is good for security, but if you want more capabilities, add them explicitly.

6. Missing CLAUDE.md
The prompt references CLAUDE.md (line 50) but the file does not exist. Consider creating it with Haskell conventions, style guide, and review priorities.
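
An added example (not part of this thread or of the repository's workflow files) of enforcing the write-access requirement from item 4 on comment-triggered runs. The workflow name, job names and the placeholder agent step are hypothetical; it assumes the `gh` CLI is available on the runner and reads the commenter's association from `github.event.comment`, which is where comment events carry it.

```yaml
# Added example: hypothetical workflow, not this repository's claude.yml.
name: gated-mention-example
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

permissions:
  contents: read

jobs:
  gate:
    # First filter: the comment author's association. On comment events the
    # field is github.event.comment.author_association; the pull_request
    # object is not present on issue_comment payloads.
    if: >-
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    outputs:
      allowed: ${{ steps.perm.outputs.allowed }}
    steps:
      - id: perm
        # Second filter: COLLABORATOR can include read-only invitees, so ask
        # the API for the commenter's effective permission on the repository.
        # Values are passed through env, not interpolated into the script.
        env:
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          ACTOR: ${{ github.event.comment.user.login }}
        run: |
          level=$(gh api "repos/$REPO/collaborators/$ACTOR/permission" --jq .permission)
          case "$level" in
            admin|write) echo "allowed=true"  >> "$GITHUB_OUTPUT" ;;
            *)           echo "allowed=false" >> "$GITHUB_OUTPUT" ;;
          esac

  agent:
    needs: gate
    if: needs.gate.outputs.allowed == 'true'
    runs-on: ubuntu-latest
    steps:
      # Placeholder: the real agent step lives in the repository's workflow.
      - run: echo "agent step would run here"
```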


claude Bot commented Dec 22, 2025

🐛 Potential Issues

None critical - The workflows are correctly configured and should function as intended.

🚀 Performance Considerations

  • fetch-depth: 1 is optimal for shallow clones
  • Workflows only run when triggered (not on every push)
  • Good use of conditional expressions to prevent unnecessary runs

🔒 Security Assessment

Overall: Good

Strengths:

  • No hardcoded secrets
  • Minimal permissions granted
  • Read-only access to most resources
  • Token properly stored in GitHub secrets
  • Limited tool access scope

Recommendations:

  • Consider requiring approval for external contributors
  • The commented author filters (lines 16-19) could be uncommented for additional security
  • Monitor GitHub Actions logs regularly


claude Bot commented Dec 22, 2025

📝 Test Coverage

N/A - These are workflow configuration files. However, after merging consider:

  • Testing the workflows by creating a test PR
  • Verifying @claude mentions work as expected
  • Ensuring auto-review provides useful feedback

✨ Summary

This is a solid implementation of Claude Code integration! The workflows are well-structured, secure, and ready to merge. Great work on the detailed PR description! 🎉

Action items:

  1. Update path filters to match Haskell file extensions
  2. Create CLAUDE.md file with project conventions
  3. Consider adding actions:read to review workflow
  4. Document dual-workflow behavior
