Add Claude Code GitHub Workflow #391

Merged
jeastham1993 merged 2 commits into main from add-claude-github-actions-1752069398566
Jul 9, 2025

@jeastham1993
Collaborator

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Copilot AI review requested due to automatic review settings July 9, 2025 13:56
@claude

claude bot commented Jul 9, 2025

Claude finished @jeastham1993's task


PR Review: Add Claude Code GitHub Workflow

I've completed my review of the Claude Code GitHub Actions workflows. Here's my comprehensive feedback:

Review Summary: ✅ APPROVED WITH SUGGESTIONS

This PR adds well-structured GitHub Actions workflows for Claude Code integration. The implementation follows best practices with minimal security concerns and will integrate well with the existing development workflow.

Code Quality & Best Practices ✅

Strengths:

  • Clean, well-structured YAML with consistent formatting
  • Excellent use of comments and examples for future customization
  • Clear separation of concerns between automated reviews and interactive usage
  • Appropriate use of conditional logic for triggering workflows
  • Good documentation inline with comprehensive configuration options

Minor Suggestions:

  • Consider adding timeout-minutes: 30 to both jobs to prevent runaway workflows
  • The fetch-depth: 1 is good for performance and security

Security Analysis ✅

Secure Implementation:

  • ✅ Proper use of secrets.ANTHROPIC_API_KEY for API key management
  • ✅ Minimal permissions granted (contents: read, pull-requests: read, etc.)
  • ✅ Uses official anthropics/claude-code-action@beta action
  • ✅ No exposure of sensitive data in workflow files
  • ✅ Appropriate permission scoping for different workflow needs

Security Best Practices:

  • The id-token: write permission is correctly included for OIDC authentication
  • Repository checkout is limited to minimal depth (fetch-depth: 1)
  • Conditional execution prevents unauthorized triggering

Potential Issues & Considerations ⚠️

Minor Concerns:

  1. Beta Action Version: Using @beta tag might introduce instability

    • Recommendation: Consider pinning to a specific version once stable releases are available
    • Impact: Low - beta versions are typically stable but may have breaking changes
  2. Missing Timeout Protection: No explicit timeout specified

    • Recommendation: Add timeout-minutes: 30 to prevent long-running jobs
    • Impact: Low - prevents resource waste and hanging workflows
  3. No Rate Limiting: No built-in protection against API rate limits

    • Note: This is likely handled by the Claude Code action itself

Performance Considerations ✅

Well Optimized:

  • Fast checkout with fetch-depth: 1
  • Efficient trigger conditions to avoid unnecessary runs
  • Appropriate use of ubuntu-latest runner
  • No unnecessary dependencies or setup steps

Integration with Existing Development Workflow ✅

Excellent Fit:

  • Based on the repository's CLAUDE.md files, this project follows strict development practices including TDD, comprehensive testing, and specific tooling (Poetry, ruff, mypy, pytest)
  • The workflows' allowed_tools parameter could be valuable for integrating with existing development commands like:
    allowed_tools: "Bash(make lint),Bash(make test),Bash(make format),Bash(make coverage-tests)"
  • The automated code review workflow aligns well with the project's emphasis on code quality and testing

Test Coverage & Operational Concerns 📋

Current State:

  • No tests for the workflows themselves (expected for GitHub Actions)
  • Workflows will be tested in production when triggered
  • Good inline documentation helps with maintenance

Recommendations:

  • Monitor workflow execution after deployment
  • Consider adding workflow status badges to README
  • Document the Claude Code features for team members

Configuration Analysis 📝

claude-code-review.yml:

  • Well-configured for automated PR reviews
  • Good default prompt covering all essential review areas
  • Flexible configuration options for different use cases
  • Appropriate trigger events (PR opened/synchronized)

claude.yml:

  • Comprehensive trigger coverage (issues, PR comments, reviews)
  • Proper conditional logic for @claude mentions
  • Additional permissions for reading CI results
  • Good extensibility for custom commands

Final Recommendations 🎯

  1. Before Merging:

    • Add timeout-minutes: 30 to both workflows
    • Consider enabling specific allowed_tools for development commands:
      allowed_tools: "Bash(make lint),Bash(make test),Bash(make format),Bash(make mypy-lint),Bash(make coverage-tests)"
  2. After Merging:

    • Test both workflows with actual usage
    • Monitor API usage and costs
    • Train team on effective @claude usage patterns
  3. Future Enhancements:

    • Consider custom instructions that reference the existing CLAUDE.md development guidelines
    • Add project-specific prompts that align with the TDD and testing requirements

Integration Opportunity 💡

Given this repository's strong emphasis on test-driven development and comprehensive testing (as evidenced by the CLAUDE.md files), consider adding custom instructions to align Claude's behavior with your development practices:

custom_instructions: |
  This project follows strict Test-Driven Development (TDD) practices. 
  When implementing features:
  - Always write failing tests first
  - Follow the Red-Green-Refactor cycle
  - Ensure 100% test coverage
  - Use existing development commands: make lint, make test, make format
  - Follow the detailed guidelines in CLAUDE.md files

Verdict: ✅ READY TO MERGE

This is a solid implementation that follows GitHub Actions best practices and will integrate well with your existing development workflow. The workflows are secure, well-documented, and ready for production use. The suggested improvements are minor and can be addressed in follow-up PRs.


@jeastham1993 jeastham1993 merged commit 9b321ae into main Jul 9, 2025
8 checks passed
@jeastham1993 jeastham1993 deleted the add-claude-github-actions-1752069398566 branch July 9, 2025 13:57
Contributor

Copilot AI left a comment

Pull Request Overview

This PR integrates the Claude Code GitHub App by adding two workflows: one to respond to @claude mentions and another for automated PR reviews via direct prompts.

  • Introduce .github/workflows/claude.yml to trigger Claude on issue/PR comments and reviews containing @claude.
  • Add .github/workflows/claude-code-review.yml to run automated code reviews on opened or updated PRs.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
.github/workflows/claude.yml | Defines events, permissions, and steps to invoke the Claude Code action on @claude.
.github/workflows/claude-code-review.yml | Configures an automated PR review job using a direct prompt with Claude Code action.

Comments suppressed due to low confidence (2)

.github/workflows/claude.yml:40

  • The 'actions: read' permission is declared both at the job-level and under additional_permissions, causing duplication. Consider removing one to avoid confusion.
          additional_permissions: |

.github/workflows/claude-code-review.yml:26

  • Add 'actions: read' under permissions so the code review workflow can access CI results, aligning with the direct_prompt’s focus on performance and test coverage.
      id-token: write

Comment on lines +16 to +19
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
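
Review bot: none of the four clauses on lines +16 to +19 tests who authored the comment, review or issue; the only gate visible here is the '@claude' substring match on the body or title. If the write-access restriction stated in the PR description is meant to hold at the workflow level, add an author_association test to each clause, for example contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association), using github.event.review and github.event.issue in the last two clauses.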

Copilot AI Jul 9, 2025

The job triggers on any comment containing '@claude' regardless of author, which may let unintended users invoke Claude and incur API usage. Consider restricting execution to collaborators or specific permission levels.

Suggested change
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
(
(
github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude') &&
(github.event.comment.user.type == 'User' && github.actor == github.event.comment.user.login)
) ||
(
github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
(github.event.comment.user.type == 'User' && github.actor == github.event.comment.user.login)
) ||
(
github.event_name == 'pull_request_review' &&
contains(github.event.review.body, '@claude') &&
(github.event.review.user.type == 'User' && github.actor == github.event.review.user.login)
) ||
(
github.event_name == 'issues' &&
(contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
(github.event.issue.user.type == 'User' && github.actor == github.event.issue.user.login)
)
)
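
Review bot: the test added to each clause, github.event.comment.user.type == 'User' && github.actor == github.event.comment.user.login (and its review and issue equivalents), filters out bot accounts but does not check repository permission, so a commenter with no access to the repository still satisfies the condition. To restrict execution to collaborators as the comment intends, compare author_association against OWNER, MEMBER and COLLABORATOR instead.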

Copilot uses AI. Check for mistakes.
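
The three workflow points raised in this thread (the movable @beta tag, the missing timeout-minutes, and a mention trigger with no author gate) can be checked mechanically. The following is an added example, not part of the PR or of either review: the function name, finding codes and both workflow samples are constructed, and the pin check is stricter than the review's suggestion in that it expects a full commit SHA.

```python
import re

SHA_PIN = re.compile(r"@[0-9a-f]{40}\b")        # full commit SHA after '@'
TRUSTED = ("OWNER", "MEMBER", "COLLABORATOR")   # author_association values

def audit_workflow(text):
    """Heuristic, text-level audit of one workflow file; returns sorted finding codes."""
    findings = set()
    # 1. Actions referenced by a movable tag or branch (e.g. @beta, @v4).
    for ref in re.findall(r"^\s*-?\s*uses:\s*(\S+)", text, re.M):
        if not ref.startswith("./") and not SHA_PIN.search(ref):
            findings.add("unpinned-action:" + ref)
    # 2. No timeout-minutes anywhere in the file.
    if not re.search(r"^\s*timeout-minutes:\s*\d+", text, re.M):
        findings.add("no-timeout")
    # 3. Trigger keyed on user-supplied body/title text with no author gate.
    #    File-wide check: it does not prove that every clause is gated.
    mention = re.search(r"contains\(github\.event\.\w+\.(?:body|title)", text)
    gated = "author_association" in text and any(a in text for a in TRUSTED)
    if mention and not gated:
        findings.add("mention-trigger-without-author-gate")
    return sorted(findings)

# Constructed sample modelled on the condition quoted in the review above.
WEAK = """\
jobs:
  claude:
    if: github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@beta
"""

# Same job with the three findings addressed; the 40-zero SHA is a placeholder.
HARDENED = """\
jobs:
  claude:
    if: >-
      github.event_name == 'issue_comment' &&
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: anthropics/claude-code-action@0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_workflow(wf))
```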