From 49bb11b5884bf59a077efd8617691f56e08b9b03 Mon Sep 17 00:00:00 2001
From: Dmytro Sydorov
Date: Mon, 30 Mar 2026 13:17:13 +0200
Subject: [PATCH] ci: add claude reusable workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Extracts the Claude Code agent workflow (triggered by @claude mentions in PRs and reviews) as a reusable workflow_call workflow. Source: identical workflow in loft-enterprise and vcluster-pro. Changes from source:
- SHA-pinned actions/checkout and anthropics/claude-code-action
- Added persist-credentials: false on checkout
- Parameterized ANTHROPIC_API_KEY as a workflow_call secret
- Scoped to PR events only (issue_comment, review_comment, review)
- Dropped issues trigger — not needed for current use cases
- Write permissions for contents and pull-requests so Claude can respond
- Removed id-token: write (not needed with direct API key)
- Removed redundant additional_permissions input
- No fork guard needed — claude-code-action checks actor write access
---
.github/workflows/claude.yaml | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 .github/workflows/claude.yaml
diff --git a/.github/workflows/claude.yaml b/.github/workflows/claude.yaml
new file mode 100644
index 0000000..9cd405d
--- /dev/null
+++ b/.github/workflows/claude.yaml
@@ -0,0 +1,32 @@
+name: Claude Code
+
+on:
+ workflow_call:
+ secrets:
+ anthropic-api-key:
+ description: 'Anthropic API key for Claude Code agent'
+ required: true
+
+jobs:
+ claude:
+ if: |
+ (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude'))
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ fetch-depth: 1
+ persist-credentials: false
+
+ - name: Run Claude Code
+ id: claude
+ uses: anthropics/claude-code-action@88c168b39e7e64da0286d812b6e9fbebb6708185 # v1
+ with:
+ anthropic_api_key: ${{ secrets.anthropic-api-key }} # zizmor: ignore[secrets-outside-env] -- API key passed via workflow_call, not a repo secret
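Review bot: The `issue_comment` clause of the job's `if:` also matches comments on plain issues, because GitHub sends that event for issues and pull requests alike, so the job is not scoped to PR events as the description states; the clause should read `(github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '@claude')) ||`. The job holds `contents: write`, `pull-requests: write` and the API key, yet the only gate visible in this file is the `@claude` substring, with the actor write-access check delegated to the pinned action. An explicit `author_association` test in the `if:` (OWNER, MEMBER or COLLABORATOR on `github.event.comment` / `github.event.review`) would keep that trust decision reviewable here and independent of the action's behaviour. It is also worth confirming that the action can obtain a GitHub token now that `id-token: write` is removed, since no `github_token` input is passed in the `with:` block.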