Skip to content

Add Claude Code GitHub Workflow #2839

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
matt-aitken merged 4 commits into from
Jan 6, 2026
Merged

Add Claude Code GitHub Workflow #2839

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
bae3538
"Claude PR Assistant workflow"
ericallam Jan 6, 2026
069bef3
"Claude Code Review workflow"
ericallam Jan 6, 2026
dec684e
Refactor claude_args for better readability
ericallam Jan 6, 2026
ef87695
Add model specification for Claude in workflow
ericallam Jan 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions .github/workflows/claude-code-review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize]
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"

jobs:
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
Copy link

@cursor cursor bot Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Insufficient permissions prevent Claude from commenting on PRs

High Severity

The workflow explicitly instructs Claude to use gh pr comment to leave review comments and includes Bash(gh pr comment:*) in allowed tools, but the permissions block only grants pull-requests: read. The gh CLI uses the workflow's GITHUB_TOKEN, which is constrained by these permissions. The command will fail with a 403 error because write access is required. Changing to pull-requests: write is needed for the workflow to function as designed.

Fix in Cursor Fix in Web

issues: read
id-token: write
Comment on lines +22 to +26
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Missing write permission for pull-requests will cause gh pr comment to fail.

The prompt instructs Claude to use gh pr comment (line 52), but the workflow only grants pull-requests: read. The gh pr comment command requires write access to post comments.

🔎 Proposed fix 
     permissions:
       contents: read
-      pull-requests: read
+      pull-requests: write
       issues: read
       id-token: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
permissions:
contents: read
pull-requests: write
issues: read
id-token: write
🤖 Prompt for AI Agents 
In @.github/workflows/claude-code-review.yml around lines 22 - 26, The
workflow's permissions block grants only read access to pull-requests, but the
job uses the gh CLI to run "gh pr comment" which requires write permission;
update the permissions section by changing the pull-requests permission from
read to write (i.e., set pull-requests: write) so the "gh pr comment" command
can post comments; ensure the permissions block still includes contents: read,
issues: read, and id-token: write unchanged.


steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
prompt: |
REPO: ${{ github.repository }}
PR NUMBER: ${{ github.event.pull_request.number }}

Please review this pull request and provide feedback on:
- Code quality and best practices
- Potential bugs or issues
- Performance considerations
- Security concerns
- Test coverage

Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.

Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.

# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
claude_args: |
--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"
--model claude-opus-4-5-20251101

53 changes: 53 additions & 0 deletions .github/workflows/claude.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
Copy link

@cursor cursor bot Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assigned event triggers Claude for stale @claude mentions

Medium Severity

The workflow triggers on issues: [opened, assigned] but the if condition on line 19 only checks if github.event.issue.body or title contains @claude. When an issue is assigned, the body/title is unchanged from when it was created. If an issue was created months ago with @claude in the body, assigning that issue today will re-trigger Claude responding to that old mention. The condition is missing a check for github.event.action == 'opened' to distinguish new mentions from stale ones, causing unintended duplicate Claude responses.

Fix in Cursor Fix in Web

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
Copy link

@cursor cursor bot Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Read-only permissions block Claude from commenting and committing

High Severity

The PR description states Claude can "create comments, branches, and commits", but the workflow only grants read permissions for contents, pull-requests, and issues. When users mention @claude requesting actions that modify the repository or leave comments, those operations will fail because the GITHUB_TOKEN lacks write access. The permissions need to include write access for the intended operations to work.

Fix in Cursor Fix in Web

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

claude_args: |
--model claude-opus-4-5-20251101

# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'

Loading