You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
Bug fixes and improvements
Documentation updates
Implementing new features
Code reviews and suggestions
Writing tests
And more!
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
This workflow won't take effect until this PR is merged
@claude mentions won't work until after the merge is complete
The workflow runs automatically whenever Claude is mentioned in PR or issue comments
Claude gets access to the entire PR or issue context including files, diffs, and previous comments
Security
Our Anthropic API key is securely stored as a GitHub Actions secret
Only users with write access to the repository can trigger the workflow
All Claude runs are stored in the GitHub Actions run history
Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)
Code Review: Claude Code GitHub Workflow Integration
Thank you for adding Claude Code integration to this repository! I've reviewed the proposed workflows and have the following feedback:
✅ Strengths
Clear Documentation: The PR description provides excellent context about what Claude Code is and how it works
Security-First Approach: API key is properly stored as a GitHub secret
Appropriate Permissions: Both workflows use minimal required permissions (read-only for most resources)
Flexible Configuration: Good use of commented-out examples for optional filters
🔍 Code Quality & Best Practices
.github/workflows/claude-code-review.yml
Issues:
Missing write Permission: The workflow needs pull-requests: write permission to post review comments. Currently, it only has pull-requests: read, which will cause the gh pr comment command to fail.
Recommended fix:
permissions:
contents: readpull-requests: write # Changed from 'read' to 'write'issues: readid-token: write
Limited Tool Access: The allowed-tools configuration only permits gh commands. For a Discourse project (Ruby on Rails + Ember.js), Claude may need additional tools to properly review code:
Linting tools (rubocop, eslint, prettier)
Test runners (rspec, qunit)
Build tools (bundle, pnpm)
Prompt Enhancement: The review prompt should reference the project's specific guidelines from CLAUDE.md and AI-AGENTS.md
Resource Optimization: Consider adding concurrency controls like other workflows in this repo
.github/workflows/claude.yml
Issues:
Missing write Permissions: This workflow also needs write permissions to function properly:
permissions:
contents: write # To create branches/commitspull-requests: write # To comment on PRsissues: write # To comment on issuesid-token: writeactions: read
No Tool Restrictions: The commented-out claude_args shows no tool restrictions. For security, consider explicitly allowing only necessary tools rather than relying on defaults.
🔒 Security Concerns
Workflow Trigger Security:
The claude-code-review.yml runs on ALL PRs without filtering. This could consume API quota on spam/bot PRs.
Consider uncommenting the author filter to limit to specific users or first-time contributors.
Secret Management:
Ensure ANTHROPIC_API_KEY secret is set at repository level before merging
Consider documenting who has access to manage this secret
Tool Access Scope:
The interactive workflow (claude.yml) has broader capabilities than the review workflow
Document that users with write access can invoke Claude with any prompt
Consider rate limiting or monitoring usage
⚡ Performance Considerations
Checkout Depth: Both workflows use fetch-depth: 1, which is good for performance
Workflow Redundancy: Both workflows will run on PRs if Claude is mentioned AND the PR is opened/synchronized. This could be wasteful.
Resource Costs: Claude API calls can be expensive on large PRs. Consider adding file size/count limits.
🧪 Test Coverage
Missing:
No way to test these workflows before merging
Recommendation: Test on a draft PR first after merging
📝 Additional Recommendations
Documentation: Create .github/CLAUDE_USAGE.md documenting usage, commands, and troubleshooting
Monitoring: After deployment, monitor GitHub Actions usage/costs and Anthropic API usage
Discourse-Specific Context: The prompts should emphasize Discourse's architecture:
Ruby on Rails backend with Guardian authorization
Ember.js frontend with Glimmer components
FormKit for forms
Site settings configuration
Service objects pattern
🎯 Required Changes Before Merge
✅ Fix permissions in both workflows (pull-requests: write, issues: write, contents: write where needed)
✅ Verify ANTHROPIC_API_KEY secret is configured
⚠️Consider tool access scope for security
💡 Suggested Improvements (Optional)
Add concurrency controls
Expand allowed tools for better code review capabilities
Enhance prompts with Discourse-specific context
Add author/path filters to reduce unnecessary runs
Create usage documentation
Overall, this is a valuable addition to the repository! The main blockers are the permission issues. Once those are fixed, I'd recommend a gradual rollout (perhaps testing on a few PRs first) before enabling for all PRs.
Status: ⚠️ Changes Requested - Please fix the permission issues before merging.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!