Add Claude Code GitHub Workflow

[NathanFlurry]

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivetkit-next-js-max	Canceled			Oct 18, 2025 7:05am
rivetkit-serverless	Canceled			Oct 18, 2025 7:05am

💡 Enable Vercel Agent with $100 free credit for automated AI reviews

[graphite-app]

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge queue - adds this PR to the back of the merge queue
• hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

[claude]

Code Review - PR #1405: Add Claude Code GitHub Workflow

Overview

This PR updates the Claude Code GitHub Actions workflows from beta to v1, simplifying configuration and improving maintainability. The changes look good overall with some notable improvements.

---

✅ Positive Changes

1. Simplified Authentication

   • Removed anthropic_api_key in favor of claude_code_oauth_token only
   • Cleaner authentication flow with OAuth

2. Updated Action Version

   • Upgraded from @beta to @v1 (stable release)
   • Better stability and support

3. Improved Configuration Structure

   • Changed direct_prompt to prompt for consistency
   • Added claude_args for tool permissions (more explicit)
   • Removed extensive comments that were mostly examples

4. Better Permissions

   • Added actions: read permission in claude.yml for CI results access
   • Proper additional_permissions configuration

5. Code Review Workflow Enhancement

   • Cleaner, more focused automated review prompt
   • References CLAUDE.md for project conventions
   • Explicit instruction to use gh pr comment for posting reviews

---

🔍 Areas for Consideration

1. Trailing Whitespace (Minor)

Lines 20 and 27 in claude-code-review.yml have trailing whitespace changes. While this does not affect functionality, it is worth noting for cleanliness.

2. Security - Tool Permissions

The claude_args in claude-code-review.yml allows specific gh commands for read-only operations plus gh pr comment.

Good: This is properly scoped to read-only operations plus gh pr comment.

Consider: The PR body mentions "Only users with write access to the repository can trigger the workflow" - verify this is enforced by the conditional checks at the top of the workflow (currently commented out).

3. Removed Customization Examples

The beta version had extensive commented examples for custom model selection, different prompts for different authors, conditional review skipping, and running tests/linting.

Impact: Teams will need to reference external docs for customization. This is fine since the docs link is provided, but worth noting for discoverability.

4. Missing Trigger Conditions

Both workflows have commented-out conditions for triggering reviews.

Question: Should these be enabled to limit when automated reviews run? Currently, the code review runs on ALL opened PRs.

---

🔒 Security Assessment

✅ No major security concerns identified:

• OAuth token properly referenced from secrets
• Tool permissions appropriately scoped
• No exposure of sensitive data
• Read-only git operations in workflows

⚠️ Recommendation: Consider enabling the trigger conditions to limit automated review usage and API costs.

---

📊 Performance Considerations

• Automated reviews will run on every opened PR
• No caching mechanism visible (may be handled by action itself)
• Consider adding conditions to skip trivial PRs (docs-only, WIP, etc.)

---

🧪 Test Coverage

Not applicable - this is infrastructure configuration.

Suggestion: After merge, test by:

1. Opening a test PR to verify automated review works
2. Mentioning @claude in a comment to verify the main workflow

---

📝 Code Quality & Best Practices

✅ Follows best practices:

• Clear YAML structure
• Proper permissions declarations
• Good use of GitHub Actions conventions
• Appropriate use of secrets

Minor suggestion: Consider adding a comment explaining why the trigger conditions are commented out, or enable them with appropriate values.

---

🎯 Overall Assessment

Verdict: ✅ Approved - This is a solid upgrade to the stable v1 release.

Recommendation: Consider enabling trigger conditions to control when automated reviews run, especially if API usage or costs are a concern.

Nice work! The simplified configuration makes the workflows much easier to understand and maintain.