📝 Walkthrough
Summary by CodeRabbit
Two new GitHub Actions workflows are introduced to integrate Claude-powered code review and interaction features into the repository. The first automatically runs code reviews on pull requests, while the second enables Claude to respond to mentions in comments and reviews when triggered.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
🚥 Pre-merge checks: ✅ Passed checks (3 passed)
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In @.github/workflows/claude-code-review.yml:
- Around line 22-26: Update the GitHub Actions workflow permissions to grant
write access so the Claude Code Review action can post comments and modify repo
state: change the permissions keys in the workflow from contents: read to
contents: write, pull-requests: read to pull-requests: write, and issues: read
to issues: write (the permission entries shown as contents, pull-requests, and
issues should be switched to write).
In @.github/workflows/claude.yml:
- Around line 21-26: Update the GitHub Actions permissions in the permissions
block so Claude can post comments: change the keys pull-requests and issues from
read to write (i.e., set pull-requests: write and issues: write) so the workflow
has the necessary write access for commenting; leave other permissions
(contents, id-token, actions) as-is.
- Around line 15-19: The workflow if-condition currently only checks for
'@claude' in comment/title bodies and must also verify author_association to
restrict who can trigger the job; update the four event checks that reference
github.event.comment.body, github.event.review.body, github.event.issue.body,
and github.event.issue.title to also require the matching author association
field (e.g. github.event.comment.author_association,
github.event.review.author_association, github.event.issue.author_association)
be a trusted value (either != 'NONE' or explicitly one of
'MEMBER'|'OWNER'|'COLLABORATOR' per your desired strictness) so only authorized
users can trigger the workflow.
📜 Review details
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
.github/workflows/claude-code-review.yml
.github/workflows/claude.yml
🔇 Additional comments (2)
.github/workflows/claude-code-review.yml (1)
1-44: Workflow configuration and plugin setup look reasonable.
The trigger events, checkout step, and plugin configuration for the code-review plugin are well-structured. The commented-out sections for path filtering and author filtering provide useful guidance for future customization.
.github/workflows/claude.yml (1)
3-11: Trigger events and action configuration look good.
The event triggers are comprehensive for handling various interaction points (issue comments, PR review comments, issues, PR reviews). The optional additional_permissions for reading CI results and the commented-out customization options are well-documented.
Also applies to: 27-49
permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write
🧩 Analysis chain
🏁 Script executed:
# First, let's examine the actual workflow file to get full context
git ls-files '.github/workflows/*.yml' | head -20
Repository: greenpill-dev-guild/cookie-jar
Length of output: 392
🏁 Script executed:
# Read the workflow file to see the complete configuration
cat -n .github/workflows/claude-code-review.yml
Repository: greenpill-dev-guild/cookie-jar
Length of output: 1814
🌐 Web query:
claude-code-action GitHub permissions requirements
💡 Result:
claude-code-action GitHub permission requirements
1) GitHub App permissions (recommended auth)
Your GitHub App (custom app or the official Claude app) needs these Repository permissions:
- Contents: Read & write
- Issues: Read & write
- Pull requests: Read & write [1][2]
2) Workflow permissions: block (GITHUB_TOKEN / job token scopes)
In the workflow that runs anthropics/claude-code-action@v1, set at least: [1]
permissions:
  contents: write
  pull-requests: write
  issues: write
If you're using AWS Bedrock or Google Vertex via GitHub OIDC, also add: [1]
  id-token: write
Sources: Anthropic Claude Code GitHub Actions docs / examples. [1][2]
pull-requests, issues, and contents permissions should be write.
The Claude Code Review action requires write access to post review comments and update repository content. The current permissions are insufficient:
pull-requests: read → should be pull-requests: write
issues: read → should be issues: write
contents: read → should be contents: write
Without these permissions, the action will fail when attempting to create review comments on the PR.
Proposed fix
permissions:
- contents: read
+ contents: write
- pull-requests: read
+ pull-requests: write
- issues: read
+ issues: write
id-token: write📝 Committable suggestion
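Review bot: the two permission suggestions in this review are inconsistent about `contents: write`, and the justification here ("modify repo state") is not tied to anything the review workflow visibly does. The quoted docs excerpt says to set at least `contents: write`, yet the suggestion for claude.yml further down keeps `contents: read`; either the action needs it for both workflows or it is over-scoped for a comment-only review job. Suggest confirming which before merging and, if the review workflow only posts review comments, keeping `contents: read` here since `pull-requests: write` is the scope that covers review comments.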
if: |
  (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
  (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
  (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
  (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
🧩 Analysis chain
🏁 Script executed:
# First, let's examine the actual workflow file to confirm the code and check for permission checks
cat -n .github/workflows/claude.yml
Repository: greenpill-dev-guild/cookie-jar
Length of output: 2309
🏁 Script executed:
# Check if there are any other permission configurations in the workflow
git ls-files ".github/workflows/*.yml" | head -20
Repository: greenpill-dev-guild/cookie-jar
Length of output: 392
🏁 Script executed:
# Let's also check if there's documentation or code for the claude-code-action
find . -name "*.yml" -o -name "*.yaml" | xargs grep -l "claude" | head -10
Repository: greenpill-dev-guild/cookie-jar
Length of output: 147
🌐 Web query:
GitHub API author_association field issue_comment pull_request_review_comment availability
💡 Result:
REST API (resources)
- Issue comments (/repos/{owner}/{repo}/issues/comments/... and /repos/{owner}/{repo}/issues/{issue_number}/comments): the returned Issue Comment object includes author_association. [1]
- Pull request review comments (/repos/{owner}/{repo}/pulls/comments/... and related list endpoints): the returned Review Comment object includes author_association. [2]
Webhooks (event payloads)
- The issue_comment webhook and pull_request_review_comment webhook are available (repos/orgs/GitHub Apps) and their payloads include a comment object; in practice this comment object includes author_association (matching the REST comment resources). [3]
GraphQL API
- IssueComment has authorAssociation: CommentAuthorAssociation!. [4]
- The GraphQL Comment interface (implemented by types including PullRequestReviewComment) includes authorAssociation. [5]
- CommentAuthorAssociation possible values include: COLLABORATOR, CONTRIBUTOR, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR, MANNEQUIN, MEMBER, NONE, OWNER. [6]
Important gotcha: "Events API" payloads
- GitHub announced that author_association is being removed from multiple GitHub Events API event payload types, including Issue Comment and Pull Request Review Comment events; GitHub notes the data remains available via the main REST API. [7]
Sources:
[1] https://docs.github.com/en/rest/issues/comments (example response includes author_association)
[2] https://docs.github.com/en/rest/pulls/comments (example response includes author_association)
[3] https://docs.github.com/en/webhooks/webhook-events-and-payloads (issue_comment & pull_request_review_comment availability / payload structure)
[4] https://docs.github.com/en/graphql/reference/objects (IssueComment → authorAssociation)
[5] https://docs.github.com/en/enterprise-server@3.18/graphql/reference/interfaces (Comment interface → authorAssociation, implemented by PullRequestReviewComment)
[6] https://docs.github.com/enterprise-cloud@latest/graphql/reference/enums (CommentAuthorAssociation values)
[7] https://github.blog/changelog/2025-08-08-upcoming-changes-to-github-events-api-payloads (Events API removing author_association)
🌐 Web query:
GitHub Actions github.event.comment.author_association availability all event types
💡 Result:
github.event.comment.author_association is not available for “all” GitHub Actions event types—only for workflow triggers whose webhook payload includes a top-level comment object (so github.event.comment exists).
Events where github.event.comment.author_association is expected to be present:
- issue_comment (issue/PR issue-style comment) (docs.github.com)
- pull_request_review_comment (diff/inline PR review comment) (docs.github.com)
- commit_comment (comment on a commit) (docs.github.com)
- discussion_comment (comment on a discussion) (docs.github.com)
For other triggers, either there is no comment object, or the “comment-like” object is under a different key (so the path is different, e.g. not github.event.comment.*). In general, github.event in Actions mirrors the event’s webhook payload shape, so you must check the payload schema for the specific on: event you’re using. (docs.github.com)
Related note: GitHub announced removal of author_association from multiple GitHub Events API payloads (including Issue Comment / PR Review Comment / Commit Comment / Discussion, etc.). That announcement is about the Events API, but it’s a sign you shouldn’t assume author_association is universally available everywhere—be prepared to fetch it from the main REST resources if missing. (github.blog)
Citations:
- 1: https://docs.github.com/actions/using-workflows/events-that-trigger-workflows?utm_source=openai
- 2: https://docs.github.com/en/enterprise-cloud%40latest/webhooks/webhook-events-and-payloads?utm_source=openai
- 3: https://docs.github.com/en/enterprise-cloud%40latest/webhooks/webhook-events-and-payloads?utm_source=openai
- 4: https://docs.github.com/en/enterprise-cloud%40latest/webhooks/webhook-events-and-payloads
- 5: https://docs.github.com/en/enterprise-cloud%40latest/webhooks/webhook-events-and-payloads?utm_source=openai
- 6: https://github.blog/changelog/2025-08-08-upcoming-changes-to-github-events-api-payloads?utm_source=openai
🏁 Script executed:
# Check if there's any documentation or code in the repo about permissions
rg -i "author_association|collaborator|permission" --type yml --type yaml --type md
Repository: greenpill-dev-guild/cookie-jar
Length of output: 101
🌐 Web query:
GitHub webhook payload issues event author_association field issue object
💡 Result:
In the issues webhook event payload, the top-level issue object can include an author_association field (string). For example payloads, see the Octokit/GitHub webhook specs where issue.author_association appears (e.g., "author_association": "OWNER"). [1]
What it means: author_association indicates the relationship/association of the issue’s author to the repository (often described as what permissions/standing the user has with respect to the repo). [2]
Possible values (GitHub’s CommentAuthorAssociation enum): COLLABORATOR, CONTRIBUTOR, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR, MANNEQUIN, MEMBER, NONE, OWNER (with the corresponding definitions in the enum docs). [3]
Note: GitHub’s webhook “issues” docs don’t enumerate every field inside the nested issue object; the most reliable reference for the full shape is the machine-readable webhook schema/spec (Octokit webhooks). [1]
References:
[1] Octokit Webhooks specifications / payload examples (issues event)
[2] GitHub Docs – Issue event types (property description for author_association)
[3] GitHub GraphQL Docs – CommentAuthorAssociation enum values and definitions
🌐 Web query:
GitHub webhook payload pull_request_review event author_association review object
💡 Result:
In the pull_request_review webhook payload, the top-level review field is the pull request review object that was affected (for actions like submitted, edited, dismissed). The payload also includes a top-level sender (the GitHub user who triggered the webhook delivery). [1]
Inside the review object, author_association is a string that describes the relationship between the review’s author (review.user) and the repository (e.g., member/collaborator/first-time contributor). You can see author_association as part of the pull request review resource in GitHub’s API schema/example responses. [2]
Possible author_association values (GitHub enum CommentAuthorAssociation) are: COLLABORATOR, CONTRIBUTOR, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR, MANNEQUIN, MEMBER, NONE, OWNER. [3]
Note: GitHub announced removing author_association from Events API payloads (not the same as webhooks) for several event types, including pull request review events. If you’re looking at the Events API rather than webhook deliveries, that may be why it’s missing. [4]
Sources: [1] [2] [3] [4]
🌐 Web query:
GitHub Events API removal author_association when does it take effect impact
💡 Result:
When does the removal take effect?
GitHub removed author_association from the GitHub Activity/Events API payloads as part of the Events API payload trimming that was officially implemented on October 7, 2025 (with an initial brownout test on September 8, 2025). Since today is February 12, 2026, this change is already in effect. [1]
What exactly changed?
author_association was removed from these Activity Events API event types: Pull Request, Pull Request Review, Pull Request Review Comment, Issue, Issue Comment, Commit Comment, and Discussion. [1]
Impact (what breaks / what you need to do)
- If your integration used author_association from Events API responses (e.g., to tell whether the actor is OWNER/MEMBER/etc. for moderation, trust signals, prioritization, analytics), that field will now be missing from those event payloads. [1]
- GitHub's guidance is that there is no loss of data overall—you must fetch the relevant object via the main REST API (issue/PR/comment/discussion endpoints) to get details that were removed from Events payloads. This typically means more follow-up API calls, which can increase latency and can make you more sensitive to rate limits. [1][2]
- GitHub states the motivation is smaller/faster payloads and fresher event availability (events previously could appear with significant delay). [1]
What author_association means (for context)
In GitHub’s REST docs, author_association represents the user’s permissions/relationship to the repository (example given: "OWNER" when the repo owner created a comment). [2]
Sources
[1] GitHub Changelog — “Upcoming changes to GitHub Events API payloads” (Aug 8, 2025; timeline includes Sept 8, 2025 brownout and Oct 7, 2025 implementation)
[2] GitHub Docs — REST “Issue event types” (explains author_association meaning and example)
🏁 Script executed:
# Search for any permission checks in the repo related to this workflow
rg -i "author_association|permission.*check|write.*access" --type-list
Repository: greenpill-dev-guild/cookie-jar
Length of output: 463
🏁 Script executed:
# Let's check the repo for any GitHub Actions configurations that might restrict access
rg "write" .github/workflows/ -A 2 -B 2
Repository: greenpill-dev-guild/cookie-jar
Length of output: 1407
Restrict workflow to authorized users by checking author association.
The if condition lacks permission checks — any GitHub user who can comment on a public issue could trigger Claude to perform actions with the workflow's permissions. All four event types support the author_association field in their payloads, so the proposed fix is technically feasible.
However, note that GitHub deprecated author_association in the Events API (effective October 7, 2025); while this affects the polling Events API, not GitHub Actions webhooks, monitor for future changes to webhook payload formats.
Consider the proposed fix:
Restrict to collaborators
if: |
- (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
- (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') &&
+ github.event.comment.author_association != 'NONE') ||
+ (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') &&
+ github.event.comment.author_association != 'NONE') ||
+ (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') &&
+ github.event.review.author_association != 'NONE') ||
+ (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+ github.event.issue.author_association != 'NONE')For stricter control, replace != 'NONE' with checks for specific associations (== 'MEMBER', == 'OWNER', or == 'COLLABORATOR').
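Review bot: `!= 'NONE'` is weaker than the heading "Restrict to collaborators" suggests. Per the CommentAuthorAssociation values listed in the analysis above (COLLABORATOR, CONTRIBUTOR, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR, MANNEQUIN, MEMBER, NONE, OWNER), the proposed check still admits CONTRIBUTOR and FIRST_TIME_CONTRIBUTOR, i.e. anyone with a previously merged commit, and this job is meant to run with write permissions. Suggest making the allowlist the default rather than the "stricter" option, for example `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` in each of the four clauses (with `review` and `issue` substituted for `comment` where the hunk already does so).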
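To see what the proposed gate actually admits, here is an offline model of the `if:` expression as added illustration; it is not code from the cookie-jar repository or from claude-code-action, and its payloads are constructed samples trimmed to the fields the gate reads.

```python
"""Offline model of the '@claude' trigger gate proposed for claude.yml.

Added illustration, not project code: it mirrors the workflow `if:`
expression in Python so that `author_association != 'NONE'` can be
compared with an explicit allowlist across all four trigger events.
"""

# Values of GitHub's CommentAuthorAssociation enum appear in the review
# thread; only these three are treated as trusted in strict mode.
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}


def _subject(event_name, event):
    """Return (text scanned for the mention, author_association) for the
    payload object the workflow inspects on each event type."""
    if event_name in ("issue_comment", "pull_request_review_comment"):
        obj, text = event["comment"], event["comment"].get("body")
    elif event_name == "pull_request_review":
        obj, text = event["review"], event["review"].get("body")
    elif event_name == "issues":
        obj = event["issue"]
        # The workflow checks both issue.title and issue.body.
        text = "\n".join(obj.get(k) or "" for k in ("title", "body"))
    else:
        raise ValueError(f"event not handled by the workflow: {event_name}")
    # A missing field is treated as NONE, the least privileged association.
    return text or "", obj.get("author_association", "NONE")


def should_trigger(event_name, event, strict=False):
    """True when the gate would let the job run.

    strict=False reproduces the review's `!= 'NONE'` check;
    strict=True requires OWNER, MEMBER or COLLABORATOR.
    """
    text, assoc = _subject(event_name, event)
    if "@claude" not in text:
        return False
    return assoc in TRUSTED if strict else assoc != "NONE"


# Constructed sample payloads (not real webhook deliveries).
SAMPLES = {
    "owner_comment": ("issue_comment", {"comment": {
        "body": "@claude please review", "author_association": "OWNER"}}),
    "drive_by_comment": ("issue_comment", {"comment": {
        "body": "@claude run the deploy", "author_association": "NONE"}}),
    "contributor_review": ("pull_request_review", {"review": {
        "body": "@claude fix the tests", "author_association": "CONTRIBUTOR"}}),
    "member_issue_title": ("issues", {"issue": {
        "title": "@claude: flaky test", "body": None,
        "author_association": "MEMBER"}}),
    "member_no_mention": ("issue_comment", {"comment": {
        "body": "LGTM", "author_association": "MEMBER"}}),
}


def evaluate(strict=False):
    """Run every sample through the gate; returns {sample_name: triggered}."""
    return {name: should_trigger(ev, payload, strict)
            for name, (ev, payload) in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "!= 'NONE'", evaluate(strict=mode))
```

The `contributor_review` sample is the case to watch: it passes the `!= 'NONE'` gate but not the allowlist.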
permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write
  actions: read # Required for Claude to read CI results on PRs
Same permissions issue: pull-requests and issues need write.
Same as the review workflow — Claude needs write access to post comments.
Proposed fix
permissions:
contents: read
- pull-requests: read
- issues: read
+ pull-requests: write
+ issues: write
id-token: write
actions: read # Required for Claude to read CI results on PRs📝 Committable suggestion
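Review bot: keeping `contents: read` here is the tighter choice, but because this workflow is triggered by issue and review comments (the author_association thread above notes that any commenter can currently start it), `pull-requests: write` and `issues: write` should land together with that author-association gate rather than before it; otherwise an untrusted comment drives a run that holds write scopes. Suggest also adding a comment on `id-token: write` stating why it is needed (the quoted docs tie it to Bedrock/Vertex OIDC), so it is not carried forward by default in a workflow that may not use either.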
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!