Add Claude Code GitHub Workflow#2

Merged
Tony363 merged 2 commits into master from add-claude-github-actions-1758780133124
Sep 25, 2025

Conversation

@Tony363 (Owner) commented Sep 25, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by Sourcery

Integrate Claude Code into the repository via GitHub Actions by adding two workflows: one for automatic PR reviews and another for on-demand AI assistance through @claude mentions.

New Features:

  • Add a claude-code-review workflow to run automated code reviews with Claude Code on pull request open and synchronize events
  • Add a claude workflow to trigger Claude Code actions in response to @claude mentions on issues, pull request comments, and review submissions

CI:

  • Use the anthropics/claude-code-action@beta action with the CLAUDE_CODE_OAUTH_TOKEN secret for authenticated AI interactions

@sourcery-ai sourcery-ai bot commented Sep 25, 2025

Reviewer's Guide

This PR introduces two GitHub Actions workflows that integrate the Claude Code AI agent: an automated review workflow for pull requests and an interactive workflow triggered by @claude mentions in issues and comments.

Sequence diagram for interactive Claude Code workflow triggered by @claude mention

sequenceDiagram
  actor User
  participant GitHub
  participant "Claude Code Workflow"
  participant "Claude Code Action"
  participant "Claude AI Service"

  User->>GitHub: Create comment with @claude mention
  GitHub->>"Claude Code Workflow": Trigger workflow (claude.yml)
  "Claude Code Workflow"->>"Claude Code Action": Run action with context
  "Claude Code Action"->>"Claude AI Service": Send context and request
  "Claude AI Service"-->>"Claude Code Action": Return response
  "Claude Code Action"->>GitHub: Post comment/commit/branch as needed

Sequence diagram for automated Claude Code review on PR open/sync

sequenceDiagram
  participant GitHub
  participant "Claude Code Review Workflow"
  participant "Claude Code Action"
  participant "Claude AI Service"

  GitHub->>"Claude Code Review Workflow": PR opened or synchronized
  "Claude Code Review Workflow"->>"Claude Code Action": Run action with PR context
  "Claude Code Action"->>"Claude AI Service": Send PR context and review prompt
  "Claude AI Service"-->>"Claude Code Action": Return review feedback
  "Claude Code Action"->>GitHub: Post review comment on PR

File-Level Changes

Change: Add automated PR review workflow using Claude Code AI
File: .github/workflows/claude-code-review.yml
Details:
  • Define pull_request trigger (opened, synchronize)
  • Set job permissions and checkout step
  • Configure anthropics/claude-code-action with direct_prompt and OAuth token

Change: Add interactive Claude Code trigger workflow for comments and issues
File: .github/workflows/claude.yml
Details:
  • Define issue_comment, pull_request_review_comment, issues, pull_request_review triggers
  • Add conditional filter for @claude mentions in events
  • Configure anthropics/claude-code-action with additional permissions and OAuth token

@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes - here's some feedback:

Blocking issues:

  • An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA (raised twice, at .github/workflows/claude-code-review.yml:36 and .github/workflows/claude.yml:35). Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

General comments:

  • Add write permissions (e.g., pull-requests: write or issues: write) to your workflow so that the action can post review comments back to the PR or issue.
  • Consider restricting the direct_prompt workflow to only run when a specific label, title flag, or comment trigger is present to avoid running automatic reviews on every PR open/synchronize event.
  • You might consolidate the two separate YAML workflows into a single file with conditional steps, which will simplify maintenance and reduce duplication.
Individual Comments

Comment 1 (.github/workflows/claude-code-review.yml:36)

        uses: anthropics/claude-code-action@beta

security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep

Comment 2 (.github/workflows/claude.yml:35)

        uses: anthropics/claude-code-action@beta

security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep



Inline comment on .github/workflows/claude-code-review.yml:

    - name: Run Claude Code Review
      id: claude-review
      uses: anthropics/claude-code-action@beta

sourcery-ai bot: security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep


Inline comment on .github/workflows/claude.yml:

    - name: Run Claude Code
      id: claude
      uses: anthropics/claude-code-action@beta

sourcery-ai bot: security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
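The two findings above (third-party action pinned to the mutable `@beta` ref instead of a full-length commit SHA, and no explicit `permissions:` block so the job inherits the repository's default GITHUB_TOKEN scope) are easy to check mechanically before merging. The following is an added example written for this page, not code from this PR, from Sourcery/opengrep or from anthropics/claude-code-action. It runs a small checker over two constructed workflow snippets: one modelled on the step shown in the review comments, and a hardened variant with a least-privilege permissions block (the exact scopes are an assumption, following Sourcery's suggestion of `pull-requests: write` / `issues: write`) and every action pinned to a SHA. The 40-hex SHAs in the hardened snippet are placeholders, not real commits of either action; resolve the tag you intend to pin and substitute the real commit.

```python
import re

# Added example; not part of this PR or of anthropics/claude-code-action.
# Both workflow snippets below are constructed for illustration.

# Constructed: modelled on the step in the review comments, no permissions block.
WEAK_WORKFLOW = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@beta
"""

# Constructed: explicit least-privilege token scope (assumed scopes) and every
# action pinned to a full-length commit SHA. The SHAs are PLACEHOLDERS, not
# real commits of actions/checkout or anthropics/claude-code-action.
HARDENED_WORKFLOW = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
  issues: write
  pull-requests: write
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@89abcdef0123456789abcdef0123456789abcdef  # placeholder SHA
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")


def find_unpinned_actions(workflow_text):
    """Return (line_number, reference) for every `uses:` whose version part is
    not a full 40-hex commit SHA. Local (./path) and docker:// references are
    skipped: the risk being flagged is a mutable tag or branch on a remote repo."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _repo, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


def has_permissions_block(workflow_text):
    """True if the workflow declares `permissions:` at workflow or job level.
    Without it the job's GITHUB_TOKEN gets the repository's default scope."""
    return any(PERMISSIONS_RE.match(line) for line in workflow_text.splitlines())


def audit(workflow_text):
    """Collect human-readable findings for the contents of one workflow file."""
    issues = [f"line {n}: action not pinned to a full commit SHA: {ref}"
              for n, ref in find_unpinned_actions(workflow_text)]
    if not has_permissions_block(workflow_text):
        issues.append("no `permissions:` block; GITHUB_TOKEN scope is implicit")
    return issues


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit(text) or ['ok']}")
```

Run it over the real `.github/workflows/*.yml` files by passing their contents to `audit()`; the regex approach deliberately avoids a YAML dependency and reports the line number so the finding can be posted as an inline review comment the way opengrep did here.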

@Tony363 Tony363 merged commit 20a93c7 into master Sep 25, 2025
5 of 6 checks passed
@Tony363 Tony363 deleted the add-claude-github-actions-1758780133124 branch September 25, 2025 06:04
Tony363 added a commit that referenced this pull request Oct 29, 2025