Add claude GitHub actions 1752454958200 #3

Open: wants to merge 2 commits into base: main
78 changes: 78 additions & 0 deletions .github/workflows/claude-code-review.yml
@@ -0,0 +1,78 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize]
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"

jobs:
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write

Comment on lines +20 to +27
💡 Verification agent

🧩 Analysis chain

Same permission concern – confirm id-token: write necessity

As with the other workflow, the action does not currently exchange an OIDC token.
Consider removing the line to follow the principle of least privilege.

-      id-token: write

🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

# Display the Claude Code Review workflow to inspect steps and confirm OIDC/id-token usage
cat .github/workflows/claude-code-review.yml

Length of output: 3105


Remove unnecessary id-token: write permission

The anthropics/claude-code-action@beta step uses the CLAUDE_CODE_OAUTH_TOKEN secret for authentication and does not exchange an OIDC token. You can safely drop the id-token: write grant to adhere to the principle of least privilege.

• File: .github/workflows/claude-code-review.yml
Lines 20–27

     permissions:
       contents: read
       pull-requests: read
       issues: read
-      id-token: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
      runs-on: ubuntu-latest
      permissions:
        contents: read
        pull-requests: read
        issues: read
-       id-token: write
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 20-20: trailing spaces

(trailing-spaces)


[error] 27-27: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In .github/workflows/claude-code-review.yml around lines 20 to 27, remove the
line granting `id-token: write` permission under the permissions section, as it
is unnecessary for the authentication method used and removing it follows the
principle of least privilege.

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@beta
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
# model: "claude-opus-4-20250514"

# Direct prompt for automated review (no @claude mention needed)
direct_prompt: |
Please review this pull request and provide feedback on:
- Code quality and best practices
- Potential bugs or issues
- Performance considerations
- Security concerns
- Test coverage
Be constructive and helpful in your feedback.
# Optional: Use sticky comments to make Claude reuse the same comment on subsequent pushes to the same PR
# use_sticky_comment: true

# Optional: Customize review based on file types
# direct_prompt: |
# Review this PR focusing on:
# - For TypeScript files: Type safety and proper interface usage
# - For API endpoints: Security, input validation, and error handling
# - For React components: Performance, accessibility, and best practices
# - For tests: Coverage, edge cases, and test quality

# Optional: Different prompts for different authors
# direct_prompt: |
# ${{ github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' &&
# 'Welcome! Please review this PR from a first-time contributor. Be encouraging and provide detailed explanations for any suggestions.' ||
# 'Please provide a thorough code review focusing on our coding standards and best practices.' }}

# Optional: Add specific tools for running tests or linting
# allowed_tools: "Bash(npm run test),Bash(npm run lint),Bash(npm run typecheck)"

# Optional: Skip review for certain conditions
# if: |
# !contains(github.event.pull_request.title, '[skip-review]') &&
# !contains(github.event.pull_request.title, '[WIP]')
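Review bot: `uses: anthropics/claude-code-action@beta` and `uses: actions/checkout@v4` reference mutable refs, so this job runs whatever those branches or tags point at on the day it fires, with `secrets.CLAUDE_CODE_OAUTH_TOKEN` in hand; pin both to a full commit SHA (keeping the tag in a trailing comment) and bump deliberately. The `pull_request` trigger on `opened`/`synchronize` also means `direct_prompt` reviews content the PR author controls; the job-level `contents: read` / `pull-requests: read` / `issues: read` grants keep the GITHUB_TOKEN's reach small, and that trade-off should be revisited before uncommenting `allowed_tools: "Bash(npm run test),Bash(npm run lint),Bash(npm run typecheck)"`, which would execute the scripts of whatever revision was checked out.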

64 changes: 64 additions & 0 deletions .github/workflows/claude.yml
@@ -0,0 +1,64 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
Comment on lines +15 to +20
⚠️ Potential issue

Guard against empty review.body to avoid expression failures

pull_request_review events generated by the GitHub UI can have an empty review.body when the reviewer only submits an approval/request-changes without writing text.
contains(github.event.review.body, '@claude') will then evaluate against null and the expression engine raises a runtime error, aborting the job.

-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body || '', '@claude')) ||

Adding the || '' fallback keeps the expression robust.

📝 Committable suggestion


Suggested change
      if: |
        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-       (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+       (github.event_name == 'pull_request_review' && contains(github.event.review.body || '', '@claude')) ||
        (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
      runs-on: ubuntu-latest
🤖 Prompt for AI Agents
In .github/workflows/claude.yml around lines 15 to 20, the condition checking
for '@claude' in pull_request_review events can fail if review.body is empty or
null. To fix this, modify the expression to use a fallback empty string by
replacing contains(github.event.review.body, '@claude') with
contains(github.event.review.body || '', '@claude') to prevent runtime errors
when review.body is missing.

permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
Comment on lines +21 to +26
💡 Verification agent

🧩 Analysis chain

Re-verify the need for id-token: write

anthropics/claude-code-action@beta performs only REST-API calls and does not request an OIDC token (checked in the action source). Granting id-token: write therefore unnecessarily broadens the token surface.

Unless you have an internal fork that consumes OIDC, drop this permission:

-      id-token: write

#!/bin/bash
set -euo pipefail

echo "🔍 Fetching Claude action source (beta)…"
# Fetch the raw file (github.com/... serves an HTML page, not the file) and let
# -f abort on a 404 instead of grepping an error page and reporting "no references".
# Path as given in the original comment.
curl -fsSL https://raw.githubusercontent.com/anthropics/claude-code-action/beta/dist/index.js -o /tmp/claude-dist.js

echo "🔎 Checking for OIDC/GetIDToken usage in dist/index.js"
grep -n "getIDToken" /tmp/claude-dist.js || echo "✔️ No getIDToken calls found"

echo "🔎 Checking for oidcToken references in dist/index.js"
grep -n "oidcToken" /tmp/claude-dist.js || echo "✔️ No oidcToken references"


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "🔍 Fetching anthropics/claude-code-action@beta dist/index.js…"
# Raw host plus -f so a missing file fails loudly rather than producing a false negative.
# Path as given in the original comment.
curl -fsSL https://raw.githubusercontent.com/anthropics/claude-code-action/beta/dist/index.js -o /tmp/claude-dist.js

echo "🔎 Searching for getIDToken references…"
grep -n "getIDToken" /tmp/claude-dist.js || echo "✔️ No getIDToken references found"

echo "🔎 Searching for oidcToken references…"
grep -n "oidcToken" /tmp/claude-dist.js || echo "✔️ No oidcToken references found"

Length of output: 677


Drop unnecessary id-token: write permission

After inspecting anthropics/claude-code-action@beta’s compiled source (no getIDToken or oidcToken usage), the action doesn’t request an OIDC token. You can safely remove the extra permission to tighten security.

• File: .github/workflows/claude.yml (lines 21–26)
• Remove this line:

-      id-token: write
📝 Committable suggestion


Suggested change
      permissions:
        contents: read
        pull-requests: read
        issues: read
-       id-token: write
        actions: read # Required for Claude to read CI results on PRs
🤖 Prompt for AI Agents
In .github/workflows/claude.yml between lines 21 and 26, remove the line
granting `id-token: write` permission as it is unnecessary for the
`anthropics/claude-code-action@beta` action. This will tighten security by
limiting permissions to only those required.
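The two id-token comments above (on claude-code-review.yml and on claude.yml) both come down to one check: which `write` scopes a workflow hands out, and whether the actions it runs are pinned. The script below is an added example, not code from this PR or from anthropics/claude-code-action, that performs that check with plain awk/grep over a workflow file. The sample workflow it runs on is constructed for the demo (its permissions block mirrors the one in the PR; the 40-hex SHA is a placeholder, not a real commit). The function names, the `./` exclusion and the treatment of commented-out lines are the example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or from anthropics/claude-code-action:
# audit a workflow file for `write` scopes granted in a `permissions:` block
# and for `uses:` targets pinned to a mutable tag/branch instead of a commit SHA.
set -euo pipefail

# Print the scope name of every `<scope>: write` line inside a permissions:
# block (workflow- or job-level); commented-out lines are skipped.
write_permissions() {
  local file="$1"
  awk '
    /^[ ]*permissions:[ ]*$/ { inperm = 1; indent = match($0, /[^ ]/); next }
    inperm && match($0, /[^ ]/) <= indent { inperm = 0 }
    inperm && /^[ ]*#/ { next }
    inperm && /:[ ]*write([ ]|$)/ { sub(/^[ ]*/, ""); sub(/:.*/, ""); print }
  ' "$file"
}

# Print every `uses:` target that is not pinned to a 40-hex commit SHA.
# Local `./path` actions are excluded and trailing comments are stripped.
unpinned_uses() {
  local file="$1"
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$file" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' \
    | grep -Ev '@[0-9a-f]{40}$|^\./' || true
}

# Total number of findings (write scopes + unpinned actions) for a file.
count_findings() {
  local file="$1"
  echo $(( $(write_permissions "$file" | wc -l) + $(unpinned_uses "$file" | wc -l) ))
}

# Constructed sample workflow for the demo; the SHA on the last line is a
# placeholder used only to show what a pinned reference looks like.
sample_workflow() {
  cat <<'EOF'
name: sample
on: pull_request
permissions: {}
jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read # Required for Claude to read CI results on PRs
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@beta
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
EOF
}

# Run the audit on the sample when executed directly.
demo_file=$(mktemp)
sample_workflow > "$demo_file"
echo "write scopes granted:"; write_permissions "$demo_file"
echo "unpinned actions:";     unpinned_uses "$demo_file"
echo "findings: $(count_findings "$demo_file")"
rm -f "$demo_file"
```

On the sample this reports `id-token` as the only write scope and flags `actions/checkout@v4` and `anthropics/claude-code-action@beta` as unpinned, while the SHA-pinned line passes. A finding for `id-token: write` is only a prompt to verify, as the review comments above do, that no step in the job actually exchanges an OIDC token before removing it.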

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@beta
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read
# Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
# model: "claude-opus-4-20250514"

# Optional: Customize the trigger phrase (default: @claude)
# trigger_phrase: "/claude"

# Optional: Trigger when specific user is assigned to an issue
# assignee_trigger: "claude-bot"

# Optional: Allow Claude to run specific commands
# allowed_tools: "Bash(npm install),Bash(npm run build),Bash(npm run test:*),Bash(npm run lint:*)"

# Optional: Add custom instructions for Claude to customize its behavior for your project
# custom_instructions: |
# Follow our coding standards
# Ensure all new code has tests
# Use TypeScript for new files

# Optional: Custom environment variables for Claude
# claude_env: |
# NODE_ENV: test
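Review bot: the `if:` gate admits any event whose comment, review or issue body contains the string '@claude', with no check on `author_association`, so on a public repository any account that can comment can start this job and spend the `CLAUDE_CODE_OAUTH_TOKEN` budget; add a membership check next to the trigger phrase, for example `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` for the two comment events (and the matching `issue` / `review` fields for the others). That gate matters more if the commented-out `allowed_tools: "Bash(npm install),Bash(npm run build),Bash(npm run test:*),Bash(npm run lint:*)"` is ever enabled, since those commands would then run at the request of whoever wrote the comment. As in the other workflow, `anthropics/claude-code-action@beta` should be pinned to a full commit SHA rather than a moving ref.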
