
Add Claude Code GitHub Workflow#59

Merged
boneskull merged 7 commits into main from add-claude-github-actions-1775605850030
Apr 8, 2026

Conversation

@boneskull
Owner

@boneskull boneskull commented Apr 7, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Authentication uses CLAUDE_CODE_OAUTH_TOKEN, an OAuth token stored securely as a GitHub Actions secret
  • The workflow is restricted to users with OWNER, MEMBER, or COLLABORATOR author association (this is GitHub's classification of how a user relates to the repository, not a direct permission check)
  • Fork PRs are excluded from automated review since pull_request workflows don't receive repository secrets for forks
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!
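The Security section above describes the gates the on-demand workflow relies on: an @claude mention, an author_association check, secrets held as Actions secrets, and an explicit allowed_tools list. The following is an added example of such a workflow written for this page; it is not the PR's own claude.yml. The action input names claude_code_oauth_token and allowed_tools, the egress-policy input of step-security/harden-runner, and the all-zero commit SHAs are assumptions or placeholders to be replaced with the real pinned commits.

```yaml
# Added example (not the PR's file): on-demand Claude Code workflow with the
# gates described in the PR's Security section.
name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_review:
    types: [submitted]
  issues:
    types: [opened, edited]

# One in-flight run per issue/PR; a newer trigger cancels the older run.
concurrency:
  group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  claude:
    # Fire only on an @claude mention whose author GitHub classifies as
    # OWNER, MEMBER or COLLABORATOR. author_association is a relationship
    # label, not a permission check, and on issues.edited it describes the
    # issue author, not whoever made the edit.
    if: |
      (github.event_name == 'issue_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review' &&
        contains(github.event.review.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
      (github.event_name == 'issues' &&
        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
    runs-on: ubuntu-latest
    # Least privilege: read the checkout, write comments/branches, read CI results.
    permissions:
      contents: read
      pull-requests: write
      issues: write
      actions: read
    steps:
      # Egress auditing of everything the runner talks to (assumed input name).
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          egress-policy: audit
      # Pinned to a full commit SHA rather than a floating tag.
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          # Secret never appears in the workflow file; only a reference to it.
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Explicit allow-list of shell commands; anything not listed is refused.
          allowed_tools: "Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)"
```

Each Bash(...) entry in allowed_tools names one exact command, so the list is an allow-list rather than a pattern; extending it means adding another entry, not loosening an existing one.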

Copilot AI review requested due to automatic review settings April 7, 2026 23:51
@boneskull boneskull force-pushed the add-claude-github-actions-1775605850030 branch from e785cca to 948406c April 7, 2026 23:54
Contributor

Copilot AI left a comment


Pull request overview

This PR adds GitHub Actions workflows to integrate Claude Code into the repository, enabling both on-demand runs (triggered by @claude mentions) and automated PR review runs.

Changes:

  • Add a workflow (claude.yml) that triggers Claude Code when @claude appears in issue/PR comment and review events.
  • Add a workflow (claude-code-review.yml) that runs an automated Claude-based code review on PR lifecycle events (open/sync/etc.).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

File                                        Description
.github/workflows/claude.yml                On-demand Claude Code workflow triggered by @claude detection across issue/PR comment/review events.
.github/workflows/claude-code-review.yml    Automated Claude Code review workflow triggered on PR events.


Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.



Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.



Commits:

Adds a GitHub Actions workflow that triggers Claude Code when @claude
is mentioned in PR or issue comments.

Adds a GitHub Actions workflow that triggers Claude Code to review
PRs when requested via the review-requested event.

- Add author_association check to restrict Claude triggers to
  OWNER, MEMBER, and COLLABORATOR (prevents unauthorized access)
- Change issues event from 'assigned' to 'edited' (assigned was noise)
- Add concurrency groups to both workflows (prevents overlapping runs)
- Pin claude-code-action to SHA for supply-chain safety
- Make claude-code-review opt-in via 'claude-review' label

The claude-code-action needs write permissions to post review comments.
Changed `pull-requests` and `issues` from `read` to `write`.

Fork PRs don't receive repository secrets in `pull_request` workflows,
so the job would fail. Added guard to skip when PR head repo differs
from the base repository.
Copilot AI review requested due to automatic review settings April 8, 2026 01:08
@boneskull boneskull force-pushed the add-claude-github-actions-1775605850030 branch from 86576da to 99f5af6 April 8, 2026 01:08
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.



Comment on lines +25 to +27
(github.event_name == 'issues' &&
(contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
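Review bot: contains(github.event.issue.body, '@claude') and the title check on these lines are plain substring tests, so any body or title that happens to include that string (a longer handle such as @claude-something, or a quoted earlier comment) satisfies the mention half of the gate. The author_association half still limits who can cause a run, so the effect is unwanted runs from authorized authors rather than runs from outsiders, but a more specific trigger phrase, or checking that the mention stands alone rather than as part of a longer token, would keep accidental matches from spending Actions minutes.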

Copilot AI Apr 8, 2026


For the issues trigger, the authorization gate checks github.event.issue.author_association, which is the issue author’s association. On issues: edited, the editor may be different from the author, so an authorized maintainer editing an external user’s issue to add @claude will not trigger this job. If supporting edited is intended, consider either removing edited from the trigger or switching to an explicit permission check based on the editing actor (github.actor) via the GitHub API.

@boneskull boneskull merged commit ec8524a into main Apr 8, 2026
8 checks passed
@boneskull boneskull deleted the add-claude-github-actions-1775605850030 branch April 8, 2026 01:14

claude Bot commented Apr 8, 2026

Claude finished @boneskull's task in 1m 22s


Code Review

Overall this is a well-structured pair of workflows with good iterative hardening based on the Copilot review. Here are my findings:


.github/workflows/claude-code-review.yml

[High] Auto-review now runs on every PR — label gate was removed

The last exchange in the review thread shows boneskull said "removing label gate," and the merged file confirms it: the if: condition only checks head.repo.full_name == github.repository. However, types: [opened, synchronize, ready_for_review, reopened, labeled] still includes labeled, which is now a dead event trigger (the label is never checked). Every internal PR will trigger an automated Claude review, which differs from what the PR description states ("opt-in via claude-review label"). This will generate significant Actions noise and API spend.

Either reintroduce the label gate or update the PR description and documentation to reflect that reviews are unconditional on all internal PRs.

[Medium] Missing step-security/harden-runner

claude.yml uses harden-runner for egress auditing but claude-code-review.yml doesn't. For consistency and supply-chain visibility, add it as the first step here too.

[Low] plugin_marketplaces git URL is not pinned

    plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
    plugins: 'code-review@claude-code-plugins'

This pulls from a mutable branch (claude-code-plugins) at runtime — the same class of supply-chain risk that prompted pinning claude-code-action to a SHA. Consider pinning to a specific commit SHA or tag if the action supports it.

[Low] Missing actions: read permission

claude.yml explicitly grants actions: read so Claude can read CI results. claude-code-review.yml lacks this, so if the review plugin tries to access workflow run data it will silently fail. Add actions: read to the permissions block.


.github/workflows/claude.yml

[Medium] actions/checkout@v4 uses a mutable tag

Both workflows pin claude-code-action to a commit SHA but leave actions/checkout@v4 on a floating tag. For consistency with the supply-chain hardening already applied, pin checkout to a full SHA.

[Low] Stale TODO comment in permissions

Line 33: contents: read # TODO unclear if needed — it is needed; actions/checkout requires it. The TODO should be removed.

[Low] Redundant actions: read declaration

actions: read appears both in the job permissions block (line 37) and in additional_permissions passed to the action (lines 61–62). One is sufficient.

[Info] issues: edited actor vs. author mismatch (acknowledged, not fully fixed)

The last Copilot comment about github.event.issue.author_association being the issue author's association (not the actor editing it) was closed with a PR description update rather than a code fix. This is a known limitation — documenting it in a comment in the workflow would help future maintainers understand why github.actor isn't used instead.


Summary

Severity Count
High 1
Medium 2
Low 4
Info 1

The most actionable item is the missing label gate in claude-code-review.yml — the current merged state will auto-review all internal PRs regardless of labels.
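The review above lists what the merged claude-code-review.yml is missing: the claude-review label gate, a harden-runner step, a pinned checkout, and actions: read. The following is an added example of the review workflow with those findings applied; it is not the repository's merged file or the action's documented template. The action input names claude_code_oauth_token, plugin_marketplaces and plugins, the egress-policy input of harden-runner, and the all-zero SHAs are assumptions or placeholders. The plugin source is left as the review shows it, since no pinned form for it appears on the page.

```yaml
# Added example (not the PR's file): opt-in automated review workflow with
# the hardening items from the Claude review applied.
name: Claude Code Review

on:
  pull_request:
    # 'labeled' is what makes the opt-in label below useful: adding the label
    # to an existing PR starts a review without a new push.
    types: [opened, synchronize, ready_for_review, reopened, labeled]

# One review per PR at a time; a newer event cancels the running one.
concurrency:
  group: claude-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  review:
    # Opt-in via the 'claude-review' label, and only for PRs whose head branch
    # lives in this repository: fork PRs never receive repository secrets in
    # pull_request workflows, so the job would fail anyway.
    if: |
      contains(github.event.pull_request.labels.*.name, 'claude-review') &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: read        # required by actions/checkout
      pull-requests: write  # post the review comments
      issues: write
      actions: read         # let the review read CI results
    steps:
      # First step, as in claude.yml: audit the runner's outbound connections.
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          egress-policy: audit
      # Full commit SHA instead of the floating v4 tag.
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Still a mutable branch reference (claude-code-plugins); the review
          # flags this as the remaining unpinned dependency.
          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
          plugins: 'code-review@claude-code-plugins'
```

With the label gate in place, the labeled event is no longer dead: a maintainer who wants a review on an unlabeled PR adds the label, the event fires, the condition passes, and nothing runs on PRs that were never labeled.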
