Merged
44 changes: 44 additions & 0 deletions .github/workflows/claude-code-review.yml
@@ -0,0 +1,44 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
Comment on lines +4 to +5
Contributor

⚠️ Potential issue | 🟡 Minor

synchronize trigger fires Claude review on every commit push to any open PR.

Without a path or author filter, each new commit pushed to a PR (including fixup commits) triggers a full Claude review run. For an active repo this can generate significant API costs and redundant review noise. Consider scoping with the paths: filter or limiting to meaningful events like opened and ready_for_review only, or use the commented-out author filter to restrict to specific contributors.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml around lines 4 - 5, The
pull_request workflow currently triggers on the synchronize event which causes a
Claude review on every commit; update the pull_request trigger (the pull_request
key and its types array) to remove "synchronize" or replace it with a more
selective setup: either limit to only ["opened","ready_for_review","reopened"]
or add a paths: filter (or enable the commented author filter) so only
meaningful PRs or specific files/authors invoke the workflow; modify the types
array and/or add a paths or author filter accordingly to reduce redundant runs.

Contributor

P1: Add issue_comment and pull_request_review_comment triggers to allow the workflow to run on comments as described in the PR.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 5:

<comment>Add `issue_comment` and `pull_request_review_comment` triggers to allow the workflow to run on comments as described in the PR.</comment>

<file context>
@@ -0,0 +1,44 @@
+
+on:
+  pull_request:
+    types: [opened, synchronize, ready_for_review, reopened]
+    # Optional: Only run on specific file changes
+    # paths:
</file context>

# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"

jobs:
claude-review:
Contributor

P1: This workflow will fail with an authentication error on every PR opened from a fork, because the pull_request event does not expose repository secrets to fork-sourced workflows. Since this is an open-source project, fork PRs are the common case. Add a fork guard condition to skip the job for external contributions.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 14:

<comment>This workflow will fail with an authentication error on every PR opened from a fork, because the `pull_request` event does not expose repository secrets to fork-sourced workflows. Since this is an open-source project, fork PRs are the common case. Add a fork guard condition to skip the job for external contributions.</comment>

<file context>
@@ -0,0 +1,44 @@
+    #   - "src/**/*.jsx"
+
+jobs:
+  claude-review:
+    # Optional: Filter by PR author
+    # if: |
</file context>

# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
Comment on lines +13 to +19
Contributor

⚠️ Potential issue | 🟠 Major

Missing fork PR guard will cause authentication failures for every external contributor.

The pull_request event does not pass repository secrets to fork-sourced PRs. CLAUDE_CODE_OAUTH_TOKEN will be an empty string for any PR opened from a fork, causing the workflow to fail with an auth error on every external contribution. MFC is an open-source project, so this will be the common case.

🐛 Proposed fix: add a fork guard to the job
 jobs:
   claude-review:
+    if: github.event.pull_request.head.repo.full_name == github.repository
     # Optional: Filter by PR author
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml around lines 13 - 19, The workflow
job claude-review runs on pull_request and expects the secret
CLAUDE_CODE_OAUTH_TOKEN, but secrets are not available for forked PRs causing
auth failures; add a fork-guard conditional to the job (e.g., on the
claude-review job add an if: that checks the PR head repo equals the base repo
such as comparing github.event.pull_request.head.repo.full_name to
github.repository or similar) so the job is skipped for forked PRs and won’t
attempt to use CLAUDE_CODE_OAUTH_TOKEN for external contributions.


runs-on: ubuntu-latest
permissions:
contents: read
Contributor

P1: Change permissions to write so Claude can create comments, commits, and branches as intended.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 23:

<comment>Change permissions to `write` so Claude can create comments, commits, and branches as intended.</comment>

<file context>
@@ -0,0 +1,44 @@
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
</file context>

pull-requests: write
Contributor

P1: Elevating pull-requests to write without a fork PR guard will cause authentication failures for every external contributor. The pull_request event does not pass repository secrets to fork-sourced PRs, so CLAUDE_CODE_OAUTH_TOKEN will be empty for any PR opened from a fork — the common case for an open-source project like MFC. Add an if condition on the job to skip fork PRs:

jobs:
  claude-review:
    if: github.event.pull_request.head.repo.full_name == github.repository
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 24:

<comment>Elevating `pull-requests` to `write` without a fork PR guard will cause authentication failures for every external contributor. The `pull_request` event does not pass repository secrets to fork-sourced PRs, so `CLAUDE_CODE_OAUTH_TOKEN` will be empty for any PR opened from a fork — the common case for an open-source project like MFC. Add an `if` condition on the job to skip fork PRs:

```yaml
jobs:
  claude-review:
    if: github.event.pull_request.head.repo.full_name == github.repository
```</comment>

<file context>
@@ -21,7 +21,7 @@ jobs:
     permissions:
       contents: read
-      pull-requests: read
+      pull-requests: write
       issues: read
       id-token: write
</file context>

issues: read
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
Contributor

P0: Remove or conditionally apply the prompt input so Claude can respond to @claude mentions as intended in the PR.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 41:

<comment>Remove or conditionally apply the `prompt` input so Claude can respond to `@claude` mentions as intended in the PR.</comment>

<file context>
@@ -0,0 +1,44 @@
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
+          plugins: 'code-review@claude-code-plugins'
+          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://code.claude.com/docs/en/cli-reference for available options
</file context>

# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
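Review bot: both actions in this job are referenced by mutable tags (`uses: actions/checkout@v4` and `uses: anthropics/claude-code-action@v1`) while the job holds `pull-requests: write`, `id-token: write` and the `CLAUDE_CODE_OAUTH_TOKEN` secret, so whoever can move either tag decides what code runs with those credentials. Pin each `uses:` to a full commit SHA with the version in a trailing comment (for example `uses: actions/checkout@<full-sha> # v4`), and let Dependabot or Renovate bump the pins; this is independent of the fork guard already discussed above and applies even once that guard is in place.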

50 changes: 50 additions & 0 deletions .github/workflows/claude.yml
@@ -0,0 +1,50 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'
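Review bot: the `if:` condition on the `claude` job only checks that a comment, review or issue body contains `@claude`, so on a public repository any account able to comment can start this job, and it runs with `contents: write`, `pull-requests: write`, `issues: write` and the `CLAUDE_CODE_OAUTH_TOKEN` secret (unlike `pull_request`, the `issue_comment` and `pull_request_review_comment` events run in the default-branch context, so secrets are available no matter where the comment or PR came from). Gate each clause on the commenter's association as well, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` for the two comment events, with `github.event.review.author_association` and `github.event.issue.author_association` for the review and issue clauses, so only trusted accounts can drive a write-capable agent. As in the first workflow, `actions/checkout@v4` and `anthropics/claude-code-action@v1` should also be pinned to full commit SHAs given the permissions this job carries.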
