@edenreich

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@claude

claude bot commented Aug 4, 2025

Claude finished @edenreich's task —— View job


PR Review: Claude Code GitHub Workflows

Todo List:

  • Read and analyze claude-code-review.yml
  • Read and analyze claude.yml
  • Review code quality and best practices
  • Check for security concerns
  • Check for performance considerations
  • Provide comprehensive feedback

Review Summary

This PR adds two well-structured GitHub Actions workflows for Claude Code integration. Overall, the implementation follows GitHub Actions best practices with good security posture and clear configuration.

Code Quality & Best Practices ✅

Strengths:

  • Clear separation of concerns: Two distinct workflows for different use cases (automated reviews vs. interactive Claude)
  • Good documentation: Extensive inline comments explaining optional configurations
  • Proper workflow naming: Clear, descriptive names for both workflows and jobs
  • Modern Actions versions: Uses actions/checkout@v4 (latest stable)
  • Beta action usage: Uses anthropics/claude-code-action@beta which is appropriate for new integrations

Suggestions:

  • Consider pinning the Claude action to a specific commit hash for better reproducibility: anthropics/claude-code-action@beta → anthropics/claude-code-action@<commit-sha>
  • The commented examples could be moved to documentation to reduce file size

Security Concerns ✅

Good security practices:

  • Minimal permissions: Both workflows use principle of least privilege
  • Proper secret handling: Uses ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} correctly
  • Read-only defaults: Most permissions are read-only (contents: read, pull-requests: read, issues: read)
  • Conditional execution: claude.yml only runs when @claude is mentioned, preventing unnecessary executions

Security considerations:

  • The id-token: write permission is present but likely needed for OIDC authentication
  • No write permissions to repository contents, which is good for security
  • Workflows will only run for users with appropriate repository access

Performance Considerations ✅

Efficient design:

  • Shallow clone: fetch-depth: 1 reduces checkout time and bandwidth
  • Conditional execution: Smart filtering prevents unnecessary workflow runs
  • Single job per workflow: Simple, focused execution without unnecessary parallelization

Potential optimizations:

  • claude-code-review.yml runs on every PR (opened, synchronize) - consider adding path filters if only specific files need review
  • Could add workflow concurrency controls to cancel previous runs on new pushes

Potential Issues & Suggestions

  1. Missing allowed_tools for Go project (claude.yml:53):

    # Consider adding Go-specific tools based on CLAUDE.md:
    allowed_tools: "Bash(task generate),Bash(task lint),Bash(task build),Bash(task test)"

  2. No custom_instructions (claude.yml:56-59):
    Based on the repository's CLAUDE.md, consider adding:

    custom_instructions: |
      Always run 'task generate' before committing to update generated types
      Run 'task lint' before committing for code quality checks
      This is a Go project using Cobra CLI framework
      Generated files have 'generated_' prefix - never modify manually

  3. Path filtering opportunity (claude-code-review.yml:6-11):
    For a Go project, consider uncommenting and adapting:

    paths:
      - "**/*.go"
      - "go.mod"
      - "go.sum"
      - "Taskfile.yml"

Test Coverage

Current state: No automated tests for the workflows themselves, which is typical for GitHub Actions workflows.

Recommendations:

  • After merging, test both workflows manually:
    1. Create a test PR to verify claude-code-review.yml
    2. Comment @claude on an issue/PR to verify claude.yml
  • Consider adding workflow status badges to README

Conclusion

This is a solid implementation of Claude Code integration. The workflows are secure, well-documented, and follow GitHub Actions best practices. The main opportunities for improvement are adding Go-specific tools and custom instructions to better integrate with this project's development workflow.

Recommendation: ✅ Approve with suggestions - The workflows are ready for production use, with the suggestions above being optional enhancements.
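
A check for two points the review above raises, actions referenced by a mutable tag or branch and `write` permission scopes, as an added example that is not part of the PR or the repository. The workflow text is a constructed sample built from the values quoted in the review, and the function names are hypothetical.

```python
import re

# Constructed sample using values quoted in the review; not the repository's actual file.
SAMPLE_WORKFLOW = """\
jobs:
  claude:
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@beta
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.M)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(text):
    """Return `uses:` refs that point at a tag or branch instead of a full commit SHA."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append(ref)
    return findings

def write_scopes(text):
    """Return scopes set to `write` inside any `permissions:` block."""
    scopes, block_indent = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and indent <= block_indent:
            block_indent = None  # dedent: the permissions block has ended
        if block_indent is not None:
            key, _, value = stripped.partition(":")
            if value.split("#")[0].strip() == "write":
                scopes.append(key.strip())
        elif stripped == "permissions:":
            block_indent = indent
    return scopes
```

Each `write` scope the second function reports is one to justify explicitly, as the review does for `id-token`.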


Signed-off-by: Eden Reich <eden.reich@gmail.com>
@edenreich edenreich merged commit 741230b into main Aug 4, 2025
1 check passed
@edenreich edenreich deleted the add-claude-github-actions-1754307141916 branch August 4, 2025 11:45
ig-semantic-release-bot bot added a commit that referenced this pull request Aug 4, 2025
## [0.5.1](v0.5.0...v0.5.1) (2025-08-04)

### 🐛 Bug Fixes

* Display all message part types including tool calls ([#3](#3)) ([54dc546](54dc546)), closes [#2](#2)

### 👷 CI

* Add Claude Code GitHub Workflow ([#1](#1)) ([741230b](741230b))

### 📚 Documentation

* Add CLAUDE.md for project documentation and development guidelines ([caa0e90](caa0e90))

### 🔧 Miscellaneous

* Add issue templates for bug reports, feature requests, and refactor requests ([ae732b9](ae732b9))

### 🔨 Miscellaneous

* Install Claude code in Dockerfile ([13a2bbc](13a2bbc))
@ig-semantic-release-bot

🎉 This PR is included in version 0.5.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
