@NathanFlurry
Member

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@graphite-app
Contributor

graphite-app bot commented Oct 18, 2025

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

@NathanFlurry NathanFlurry merged commit 58fd00a into main Oct 18, 2025
6 of 10 checks passed
@NathanFlurry NathanFlurry deleted the add-claude-github-actions-1760770738028 branch October 18, 2025 06:59
@claude

claude bot commented Oct 18, 2025

Code Review: Claude Code GitHub Workflow

Thanks for setting up the Claude Code integration! This is a solid implementation that will enable AI-assisted development. Here's my review:

✅ Strengths

  1. Updated to stable version: Moving from @beta to @v1 is the right choice for production use
  2. Simplified configuration: Removed unnecessary anthropic_api_key in favor of OAuth token
  3. Good security model: Properly scoped permissions and tool restrictions
  4. Automatic PR reviews: The code review workflow will provide helpful feedback on all PRs
  5. Repository-specific guidance: References CLAUDE.md for project-specific conventions

🔍 Code Quality & Best Practices

Workflow Structure (.github/workflows/claude-code-review.yml:39-52)

  • The prompt is well-structured with clear review criteria
  • Good use of GitHub context variables (${{ github.repository }}, ${{ github.event.pull_request.number }})
  • Appropriate tool restrictions via claude_args limiting to read-only gh commands

Permissions (.github/workflows/claude.yml:26)

  • Added actions: read permission which enables Claude to check CI results - this is valuable for context
  • Permissions follow principle of least privilege

🐛 Potential Issues

  1. Missing write permissions for code review workflow (.github/workflows/claude-code-review.yml:22-26)

    • The workflow has pull-requests: read but Claude needs pull-requests: write to post comments
    • The gh pr comment command in the prompt won't work without write access
    • Fix: Add pull-requests: write to permissions
  2. Inconsistent permissions between workflows

    • claude.yml has actions: read but claude-code-review.yml doesn't
    • Recommendation: Add actions: read to the code review workflow as well for consistency
  3. Fetch depth (.github/workflows/claude-code-review.yml:32)

    • fetch-depth: 1 may limit Claude's ability to understand context across commits
    • For PR reviews, a deeper history might be beneficial
    • Consideration: Use fetch-depth: 0 or a larger number for full PR context

🔒 Security Considerations

  1. Tool restrictions are appropriate: The claude_args in the review workflow restricts to read-only gh operations plus gh pr comment, which is secure
  2. Secret handling: Uses GitHub Actions secrets properly
  3. Trigger conditions: The main workflow has good filtering to only run when @claude is mentioned
  4. No dangerous operations: Neither workflow allows file system writes or arbitrary bash commands

Recommendation: Consider documenting which users can trigger these workflows (currently anyone who can comment)

⚡ Performance Considerations

  1. Runs on every PR: The code review workflow triggers on [opened, synchronize]

    • This could consume API credits quickly in active repos
    • Consider: Add filters to skip WIP/draft PRs or add a label-based trigger:
    if: |
      !contains(github.event.pull_request.title, '[skip-review]') &&
      github.event.pull_request.draft == false
  2. Shallow clone is good: fetch-depth: 1 helps with checkout performance

🧪 Test Coverage

Missing: No tests for the workflow itself, but GitHub Actions workflows are typically tested in practice. Consider:

  • Testing with a draft PR first after merge
  • Documenting expected behavior in the PR description for future reference

📝 Additional Recommendations

  1. Add CODEOWNERS consideration: If you have a CODEOWNERS file, ensure the workflow has appropriate permissions
  2. Rate limiting: Monitor usage to avoid API rate limits on busy repos
  3. Documentation: Add a note to CLAUDE.md about the automated review workflow
  4. Workflow visibility: Consider adding a badge to README showing Claude Code is enabled

Required Changes

# .github/workflows/claude-code-review.yml
permissions:
  contents: read
  pull-requests: write  # Changed from 'read' - required for gh pr comment
  issues: read
  id-token: write
  actions: read  # Added for CI result context

Suggested Improvements

# .github/workflows/claude-code-review.yml
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  claude-review:
    # Skip draft PRs and those marked to skip review
    if: |
      github.event.pull_request.draft == false &&
      !contains(github.event.pull_request.title, '[skip-review]')

Summary

This is a well-implemented integration that will be valuable for the team. The main blocker is the missing write permission for pull requests. Once that's fixed, this should work smoothly.

Verdict: Approve with required fix for permissions ✅

Action Items:

  1. ✅ Add pull-requests: write permission to claude-code-review.yml
  2. ✅ Add actions: read permission to claude-code-review.yml
  3. 📋 Consider adding draft PR filter to reduce unnecessary runs
  4. 📋 Document the feature in project documentation

Let me know if you'd like me to push these changes!
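The permission gap the review flags (a prompt that runs gh pr comment while the job only holds pull-requests: read) is cheap to catch before merge. The following Python check is an added example, not code from the PR, the bot, or the Claude Code action; it uses a constructed sample workflow and a deliberately small parser that assumes the flat two-space permissions block shape shown in this thread rather than full YAML.

```python
import re

# Constructed sample, not the repository's real file: a review workflow whose
# prompt uses `gh pr comment` but, as the review notes, holds pull-requests: read.
REVIEW_WORKFLOW = """\
permissions:
  contents: read
  pull-requests: read
  id-token: write
jobs:
  claude-review:
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          prompt: "Review this PR and post feedback using gh pr comment"
"""

PERMS_RE = re.compile(r"^permissions:[ \t]*([\w-]+)?[ \t]*$", re.M)

def parse_permissions(text):
    """Permissions block as a dict; 'write-all'/'read-all' as a string; {} if absent."""
    m = PERMS_RE.search(text)
    if not m:
        return {}
    if m.group(1):
        return m.group(1)
    perms = {}
    for line in text[m.end():].splitlines()[1:]:
        if not line.startswith("  "):
            break  # indentation ended, so the block is over
        key, _, val = line.strip().partition(":")
        perms[key] = val.split("#")[0].strip()  # drop a trailing YAML comment
    return perms

def audit(text):
    """Findings the review raised: commenting needs pull-requests: write; write-all is too broad."""
    perms = parse_permissions(text)
    if perms == "write-all":
        return ["permissions: write-all grants more than this job needs"]
    if isinstance(perms, str):
        perms = {}  # read-all: nothing is writable
    if "gh pr comment" in text and perms.get("pull-requests") != "write":
        return ["prompt uses gh pr comment but pull-requests is not write"]
    return []

def set_permission(text, key, value):
    """Rewrite one entry in place, e.g. the review's pull-requests read -> write."""
    pattern = rf"^(  {re.escape(key)}:)[ \t]*\S+"
    return re.sub(pattern, rf"\1 {value}", text, count=1, flags=re.M)
```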
