
Add Claude Code GitHub Workflow #23

Merged

StuMason merged 2 commits into main from add-claude-github-actions-1767374923640 on Jan 2, 2026
Conversation

@StuMason (Owner) commented Jan 2, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file, like:

    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@StuMason StuMason merged commit 432e693 into main Jan 2, 2026
1 of 4 checks passed
@StuMason StuMason deleted the add-claude-github-actions-1767374923640 branch January 2, 2026 17:29
@claude (claude bot) commented Jan 2, 2026

Code Review for PR #23: Add Claude Code GitHub Workflow

Thank you for setting up the Claude Code integration! This PR makes significant improvements to both workflow files. Here's my detailed review:


Positive Changes

Security Improvements

  1. Reduced Permissions (claude-code-review.yml:23-24): Changed pull-requests from write to read - excellent security hardening! Claude can still comment via gh CLI without needing write permissions at the workflow level.

  2. Removed Node.js Setup (claude.yml:18-22): Eliminated unnecessary setup-node and npm ci steps, reducing attack surface and workflow complexity.

  3. Reduced Permissions (claude.yml:22-26): Changed multiple permissions from write to read - follows principle of least privilege.

Performance & Efficiency

  1. Optimized Fetch Depth: Changed from fetch-depth: 0 to fetch-depth: 1 in both workflows, significantly reducing checkout time by not fetching full git history.

  2. Cleaner Prompts: The new prompt in claude-code-review.yml is more concise and actionable compared to the verbose previous version.

Configuration Improvements

  1. Better Documentation: Added helpful comments for optional path filtering and PR author filtering.

  2. Scoped Tool Access (claude-code-review.yml:56): Explicitly listed allowed gh commands instead of allowing all Read/Glob/Grep tools - more restrictive and intentional.


🔍 Issues & Recommendations

High Priority

1. Removed GITHUB_TOKEN (claude.yml:31)

  • Issue: Removed token parameter from checkout step
  • Impact: May cause issues if Claude needs to push branches or access private repositories
  • Recommendation: Add it back if Claude needs write access, or document why it was removed

2. Workflow Won't Trigger for This PR

  • Issue: The PR description states workflow won't take effect until PR is merged
  • Reality: This is correct - workflow file changes in a PR don't affect that PR itself
  • Recommendation: Consider testing the workflow on a separate branch/PR after merging

Medium Priority

3. Commented Out Tool Permissions (claude.yml:49)

  • Issue: claude_args is commented out, meaning Claude has access to ALL tools by default
  • Security Concern: This is potentially risky - Claude could run any bash command, modify files, etc.
  • Recommendation: Either uncomment and specify allowed tools, OR document why unrestricted access is acceptable for this use case

4. Missing CLAUDE.md Reference

  • Issue: claude-code-review.yml:50 references CLAUDE.md for style guidance, but this file doesn't exist
  • Impact: Claude can't follow repository-specific conventions
  • Recommendation: Either create CLAUDE.md with project conventions, OR update prompt to reference existing docs

Low Priority

5. Inconsistent Tool Permissions

  • Observation: claude-code-review.yml restricts to specific gh commands, but claude.yml allows everything
  • Recommendation: Consider aligning both workflows to use similar tool restriction patterns for consistency

6. No Error Handling Guidance

  • Observation: No guidance on what happens if Claude fails or produces unhelpful reviews
  • Recommendation: Add documentation on how to handle failed runs or how to re-trigger

🎯 Best Practices Followed

✅ Principle of least privilege (permissions)
✅ Clear, focused prompts
✅ Helpful inline documentation
✅ Efficient git operations (shallow clone)
✅ Removed unnecessary dependencies


📋 Suggested Action Items

Before merging:

  1. ⚠️ Review removed GITHUB_TOKEN - add back if needed
  2. ⚠️ Either uncomment and configure claude_args in claude.yml OR document why unrestricted access is safe
  3. Create CLAUDE.md or update prompt to reference existing style guides

After merging:

  1. Test workflow on a new PR
  2. Monitor initial runs for any permission issues
  3. Consider creating CLAUDE.md with project-specific conventions

🏁 Overall Assessment

This PR makes significant security and performance improvements to the Claude Code workflows. The changes demonstrate good understanding of GitHub Actions best practices.

The main concerns are:

  • Potentially too permissive tool access in claude.yml
  • Missing CLAUDE.md file referenced in prompts
  • Removed GITHUB_TOKEN may cause issues

Recommendation: Address the high-priority items above before merging, or document why the current approach is intentional.


Review conducted by Claude Code • Please verify all suggestions align with your security and operational requirements
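The workflow that the PR description and the review above both describe, written out as an added example with the review's recommendations applied. This is not the repository's own claude.yml (that file is not shown on this page). It assumes anthropics/claude-code-action@v1 with the anthropic_api_key and claude_args inputs, that --allowedTools is the Claude Code flag the action forwards, and that id-token: write is what the action's OIDC token exchange needs; verify all three against the action's docs before using it. One point of fact that bears on the review's first high-priority item: actions/checkout falls back to github.token when no token input is given, so dropping an explicit token: ${{ secrets.GITHUB_TOKEN }} from the checkout step changes nothing by itself; what the job can do is decided by the permissions block.

```yaml
name: Claude Code (hardened example)

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

jobs:
  claude:
    # Defense in depth: run only on an explicit @claude mention AND only when the
    # commenter has a trusted association with the repository. Comment bodies are
    # untrusted input (anyone can open an issue and write in it), and this guard
    # is evaluated before any of that text reaches the agent. The action also
    # checks write access itself; this is the layer the workflow owner controls.
    if: |
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest

    # Least privilege for GITHUB_TOKEN. The weak setting is 'write' on
    # contents/pull-requests/issues: a prompt-injected run could then push
    # commits or edit PRs with the job's own token. Claude can still comment
    # through the gh CLI with the token the action obtains for itself.
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write   # assumption: needed for the action's OIDC token exchange
      actions: read     # lets Claude read CI results on PRs

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4   # pin to a full commit SHA in production
        with:
          # Shallow clone; fetch-depth: 0 pulls the full history for no benefit here.
          fetch-depth: 1
          # No explicit token: checkout defaults to github.token, which carries
          # exactly the job permissions declared above and nothing more.

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@v1   # pin to a full commit SHA in production
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

          # Leaving claude_args unset is the weak setting the review flags: the
          # agent then has its default tool set, including arbitrary Bash.
          # Allow-list exactly the commands this repository's checks need instead.
          # (Assumption: --allowedTools is the Claude Code CLI flag the action
          # forwards; Bash(cmd:*) is the Claude Code tool-permission pattern.)
          claude_args: >-
            --allowedTools
            "Read" "Glob" "Grep" "Edit" "Write"
            "Bash(npm ci)" "Bash(npm run lint)" "Bash(npm run test)"
            "Bash(gh pr comment:*)" "Bash(gh pr view:*)" "Bash(git diff:*)"
```

The if: guard is the check to keep even if everything else is relaxed: issue_comment runs on the default branch with repository secrets available, and the comment body is attacker-controlled text the agent will read, so restricting who can trigger the run, what GITHUB_TOKEN may do, and which tools the agent may call is what bounds the blast radius of a prompt injection delivered through an issue or PR comment.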
