Add claude GitHub actions 1767101104580

[Luodian]

Before you open a pull-request, please check if a similar issue already exists or has been closed before.

When you open a pull-request, please be sure to include the following

• A descriptive title: [xxx] XXXX
• A detailed description

If you meet the lint warnings, you can use following scripts to reformat code.

pip install pre-commit
pre-commit install
pre-commit run --all-files

Ask for review

Once you feel comfortable for your PR, feel free to @ one of the contributors to review

General: @Luodian @kcz358 @pufanyi
Audio: @pbcong @ngquangtrung57

Thank you for your contributions!

[claude]

Code Review - PR #958

Thank you for adding Claude GitHub Actions workflows! I've reviewed the changes and have the following feedback:

Overview

This PR adds two GitHub Actions workflows to enable Claude Code integration:

1. claude-code-review.yml - Automated code review on PRs
2. claude.yml - Claude assistant triggered via @mentions

Code Quality & Best Practices

✅ Strengths

• Clean, well-structured YAML syntax
• Good use of comments to explain optional configurations
• Appropriate permissions scoping (read permissions for most resources)
• Consistent with existing workflow patterns (similar to lint.yml)

⚠️ Issues & Recommendations

1. Inconsistent checkout action versions

• lint.yml uses actions/checkout@v3
• New workflows use actions/checkout@v4

Recommendation: Update to @v4 consistently across all workflows for security patches and latest features. Consider updating lint.yml in a separate PR.

2. Fetch depth inconsistency

• lint.yml: fetch-depth: 0 (full history)
• New workflows: fetch-depth: 1 (shallow clone)
• claude-code-review.yml may need deeper history for proper PR diff analysis

Recommendation: For claude-code-review.yml, consider using fetch-depth: 0 or at minimum the depth needed to compare with the base branch. This ensures Claude can access the full context of changes.

3. Missing file path filters

• claude-code-review.yml has commented-out path filters for TypeScript/JavaScript files
• This is a Python project (per CLAUDE.md guidelines)

Recommendation: Update the commented examples to reflect Python files:

# paths:
#   - "lmms_eval/**/*.py"
#   - "tests/**/*.py"
#   - "pyproject.toml"
#   - "uv.lock"

4. Workflow naming consistency

• lint.yml: name is "Lint"
• New files: "Claude Code Review" and "Claude Code"

Recommendation: Consider more descriptive names like:

• "Claude Code Review" → "Claude: Automated PR Review"
• "Claude Code" → "Claude: Assistant"

This makes the purpose clearer in the GitHub Actions UI.

5. Security: Secret handling

• Both workflows use CLAUDE_CODE_OAUTH_TOKEN secret
• No validation that the secret exists

Recommendation: While GitHub Actions will fail gracefully if the secret is missing, consider adding a step to validate the secret exists or documenting the setup process in the PR description.

6. Trigger conditions complexity

• claude.yml has a complex if condition spanning multiple event types
• This could be hard to maintain

Recommendation: Consider splitting into separate jobs or documenting the logic with inline comments.

Potential Bugs

1. Submodule handling

• lint.yml includes submodules: true
• New workflows don't specify this

Question: Does this repository use submodules? If yes, the new workflows should include:

with:
  submodules: true
  fetch-depth: 0

Performance Considerations

1. Shallow clone (fetch-depth: 1)

• Good for performance on the claude.yml workflow
• May be insufficient for claude-code-review.yml if it needs to compare with base branch

2. No caching strategy

• The workflows don't cache any dependencies
• Since they use external actions, this may not be necessary, but worth considering if the action downloads large assets

Security Concerns

1. Token permissions ✅

• Appropriately scoped with minimal permissions
• id-token: write is properly included for OIDC

2. PR from forks

• These workflows will run on PRs from external contributors
• The pull_request trigger on claude-code-review.yml is safe as it runs in the context of the base repo
• The CLAUDE_CODE_OAUTH_TOKEN secret won't be exposed to forks ✅

3. Command injection via comments ⚠️

• claude.yml processes user comments that contain @claude
• The action should handle this safely, but verify the action sanitizes input

Test Coverage

Missing:

• No tests for the workflows themselves
• No documentation on how to test these workflows locally

Recommendation:

1. Add a section to the PR description explaining:
   • How to set up the CLAUDE_CODE_OAUTH_TOKEN secret
   • How to test the workflows (perhaps on a fork first)
   • Expected behavior when triggered
2. Consider adding workflow testing using act or similar tools

Documentation

Missing:

1. No update to README.md or docs explaining the new Claude integration
2. No instructions in CLAUDE.md about the automated review process
3. PR description is mostly the template - needs actual description of changes

Recommendation:
Add documentation covering:

• What these workflows do
• How to set them up (secret configuration)
• How to use @claude in issues/PRs
• Expected review criteria for automated reviews

Style & Conventions

Per CLAUDE.md guidelines:

• ✅ Follows existing patterns (similar structure to lint.yml)
• ✅ YAML formatting is clean and readable
• ⚠️ Could benefit from more inline comments explaining non-obvious configurations

Summary

Overall Assessment: Good addition that will enhance the development workflow. The implementation is solid but needs:

1. Critical:

   • Fix fetch-depth for claude-code-review.yml to ensure proper PR analysis
   • Update path filter examples to Python files
   • Add proper PR description

2. Recommended:

   • Align checkout action versions across all workflows
   • Add documentation for setup and usage
   • Consider adding submodules configuration if needed

3. Optional:

   • Improve workflow naming for clarity
   • Add workflow testing instructions
   • Simplify trigger conditions in claude.yml

Verdict: Approve with minor changes requested. The workflows are functional but would benefit from the consistency improvements and documentation additions mentioned above.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Grant write perms so review comment can be posted

This job only grants read permissions for pull-requests/issues, but the prompt later instructs the action to run gh pr comment to post the review. Creating a PR comment is a write operation, so with read-only scopes the gh pr comment call will fail (HTTP 403) and the review never gets posted. In practice this breaks the main purpose of the workflow for any run unless you add pull-requests: write (or issues: write) to the job permissions.

Useful? React with 👍 / 👎.