Add Claude Code GitHub Workflow#41
Conversation
Pull request overview
Adds GitHub Actions workflows to integrate the Anthropic Claude Code GitHub Action for (1) on-demand execution via @claude mentions and (2) automatic PR code review.
Changes:
- Introduces a @claude-triggered workflow that runs on issue/PR comment and review events.
- Adds an automated “Claude Code Review” workflow that runs on PR open/update events.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/claude.yml | New workflow to run Claude Code when @claude is detected in certain issue/PR events. |
| .github/workflows/claude-code-review.yml | New workflow to run an automated Claude-based code review on pull request events. |
| on: | ||
| issue_comment: | ||
| types: [created] | ||
| pull_request_review_comment: | ||
| types: [created] | ||
| issues: | ||
| types: [opened, assigned] | ||
| pull_request_review: | ||
| types: [submitted] |
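Review bot: none of the four events in this `on:` block restricts who may raise it, and `issue_comment` fires for comments on pull requests as well as issues, so the trigger list alone admits any commenter or issue opener; gate the job on `author_association` (OWNER/MEMBER/COLLABORATOR) and add a `concurrency` group keyed on the issue or PR number so repeated `@claude` mentions cancel in-progress runs instead of stacking.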
The workflow is configured to trigger not only on PR/issue comments, but also on issues (opened/assigned) and pull_request_review (submitted). This differs from the PR description which says it runs “whenever Claude is mentioned in PR or issue comments.” Either update the PR description or adjust the workflow triggers to match the intended behavior.
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write | ||
| actions: read # Required for Claude to read CI results on PRs |
This job grants only read permissions (pull-requests: read, issues: read, contents: read). If the action is expected to create PR/issue comments, open branches, or push commits (as described in the PR description), it will need corresponding write permissions (or the description should be updated to clarify it runs read-only).
| pull_request_review_comment: | ||
| types: [created] | ||
| issues: | ||
| types: [opened, assigned] |
Including issues: types: [opened, assigned] means any issue that contains @claude in the title/body will retrigger the workflow on every subsequent assignment event. If the intent is only to respond to new requests, consider removing assigned (or add additional filtering) to avoid repeated/expensive reruns.
| types: [opened, assigned] | |
| types: [opened] |
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| # Optional: Only run on specific file changes |
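Review bot: `synchronize` fires on every push to the PR branch, so each fixup or force-push starts a fresh full review run; add a `concurrency` group keyed on `github.event.pull_request.number` with `cancel-in-progress: true` so superseded runs are cancelled, and either add the `paths:` filter the `# Optional` comment alludes to or drop the comment so it does not suggest a filter that is not actually configured.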
This runs on the pull_request event but uses ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}. For PRs from forks, GitHub Actions does not provide repository secrets to pull_request workflows, so this job will fail or be skipped in that scenario. If that’s intended, add an explicit condition to run only for same-repo PRs; if you need it for forks, you’ll need a different triggering strategy (e.g., carefully using pull_request_target) and a security review.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
The job-level if only checks for @claude in the comment/review/issue text, but it does not restrict who can trigger the workflow. This contradicts the PR description (“Only users with write access…”) and allows any commenter/issue opener to trigger runs (and consume the OAuth token). Add an authorization gate (e.g., check author_association/repo membership) in the if condition for each event type before running the action.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| (github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || | |
| (github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || | |
| (github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) || | |
| (github.event_name == 'issues' && | |
| (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)) |
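Review bot: the suggested gate has the right shape, but note that `MEMBER` is only reported for organization-owned repositories (invited collaborators on a user-owned repository report `COLLABORATOR`), and `CONTRIBUTOR` is correctly left out because anyone with a previously merged commit carries it; the `issues` branch is still listed with the `assigned` type, so a gated issue that mentions `@claude` will re-run on every assignment unless `assigned` is dropped as well.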
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit f9068f5.
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: read |
Insufficient permissions prevent Claude from posting comments
High Severity
Both workflows set pull-requests: read and issues: read, but the claude-code-action requires pull-requests: write (and issues: write for the comment-triggered workflow) to post review comments and responses. The official examples from the anthropics/claude-code-action repository specify pull-requests: write. With read-only permissions, Claude will be unable to create any comments on PRs or issues, making both workflows non-functional.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f9068f54dd
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | ||
| plugins: 'code-review@claude-code-plugins' | ||
| prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' |
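Review bot: `plugin_marketplaces` points at a bare git URL with no ref, so the plugin code that executes is whatever that repository holds at run time, and the action itself is referenced as `@v1` (a moving tag) elsewhere in this PR. For a job that holds `CLAUDE_CODE_OAUTH_TOKEN` and `id-token: write`, pin the action to an immutable commit SHA and, if the marketplace input accepts a ref (the PR should confirm this), pin the plugin source too, so a review run cannot silently pick up changed code.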
Add --comment to code-review slash command
The code-review plugin command only posts PR feedback when the command is invoked with --comment; without that flag it stops after writing a terminal summary. This workflow calls /code-review:code-review ... without --comment, so the run can appear successful while producing no visible review comments on the pull request, which defeats the purpose of automatic PR review.
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] |
Guard PR review workflow against fork-triggered failures
This workflow is triggered by pull_request events for all PRs, but it relies on ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} and OIDC token exchange. For fork-origin pull requests, GitHub does not expose repository secrets (and commonly withholds OIDC), so these runs fail early instead of reviewing code. Add an explicit fork guard or a pull_request_target-based safe pattern if you need external-contributor coverage.


🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!
Note: Medium Risk
Adds new GitHub Actions that run a third-party action with repo/PR/issue read access and `id-token: write`, so misconfiguration or secret exposure could impact the repository via automation triggers.
Overview
Adds two new GitHub Actions workflows to integrate Claude Code.
`claude.yml` runs `anthropics/claude-code-action@v1` when an issue/PR comment or review contains `@claude` (with `actions: read` enabled). `claude-code-review.yml` runs the same action automatically on PR open/update events using the `code-review` plugin and a fixed `/code-review:code-review` prompt.