44 changes: 44 additions & 0 deletions .github/workflows/claude-code-review.yml
@@ -0,0 +1,44 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"

jobs:
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
Comment on lines +22 to +26

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the actual workflow file to get full context
git ls-files '.github/workflows/*.yml' | head -20

Repository: greenpill-dev-guild/cookie-jar

Length of output: 392


🏁 Script executed:

# Read the workflow file to see the complete configuration
cat -n .github/workflows/claude-code-review.yml

Repository: greenpill-dev-guild/cookie-jar

Length of output: 1814


🌐 Web query:

claude-code-action GitHub permissions requirements

💡 Result:

claude-code-action GitHub permission requirements

1) GitHub App permissions (recommended auth)

Your GitHub App (custom app or the official Claude app) needs these Repository permissions:

  • Contents: Read & write
  • Issues: Read & write
  • Pull requests: Read & write [1][2]

2) Workflow permissions: block (GITHUB_TOKEN / job token scopes)

In the workflow that runs anthropics/claude-code-action@v1, set at least:

permissions:
  contents: write
  pull-requests: write
  issues: write

[1]

If you’re using AWS Bedrock or Google Vertex via GitHub OIDC, also add:

  id-token: write

[1]

Sources: Anthropic Claude Code GitHub Actions docs / examples. [1][2]


pull-requests, issues, and contents permissions should be write.

The Claude Code Review action requires write access to post review comments and update repository content. The current permissions are insufficient:

  • pull-requests: read → should be pull-requests: write
  • issues: read → should be issues: write
  • contents: read → should be contents: write

Without these permissions, the action will fail when attempting to create review comments on the PR.

Proposed fix
     permissions:
-      contents: read
+      contents: write
-      pull-requests: read
+      pull-requests: write
-      issues: read
+      issues: write
       id-token: write
🤖 Prompt for AI Agents
In @.github/workflows/claude-code-review.yml around lines 22 - 26, Update the
GitHub Actions workflow permissions to grant write access so the Claude Code
Review action can post comments and modify repo state: change the permissions
keys in the workflow from contents: read to contents: write, pull-requests: read
to pull-requests: write, and issues: read to issues: write (the permission
entries shown as contents, pull-requests, and issues should be switched to
write).


steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
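Review bot: the `permissions` block (lines +22 to +26) should be widened only as far as the job actually needs, not wholesale to write: this workflow runs on `pull_request`, so the diff it reviews is untrusted input, and `contents: write` would let a prompt-injected review push to the repository, whereas posting review comments needs `pull-requests: write`; add `contents: write` only if the action is expected to commit. `id-token: write` is only required for Bedrock/Vertex OIDC auth per the requirements quoted above, and this job authenticates with `claude_code_oauth_token`, so drop it. Pin `uses: anthropics/claude-code-action@v1` to a commit SHA, and treat `plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'` as an unpinned supply-chain input (check whether the action lets you pin a ref, otherwise mirror it), since both are mutable references pulled into a job that holds a repository token. Also note that `pull_request` runs from fork PRs do not receive `secrets.CLAUDE_CODE_OAUTH_TOKEN` and get a read-only token, so the step will fail for external contributors unless fork PRs are excluded or a different trigger is used.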

50 changes: 50 additions & 0 deletions .github/workflows/claude.yml
@@ -0,0 +1,50 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
Comment on lines +15 to +19

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the actual workflow file to confirm the code and check for permission checks
cat -n .github/workflows/claude.yml

Repository: greenpill-dev-guild/cookie-jar

Length of output: 2309


🏁 Script executed:

# Check if there are any other permission configurations in the workflow
git ls-files ".github/workflows/*.yml" | head -20

Repository: greenpill-dev-guild/cookie-jar

Length of output: 392


🏁 Script executed:

# Let's also check if there's documentation or code for the claude-code-action
find . -name "*.yml" -o -name "*.yaml" | xargs grep -l "claude" | head -10

Repository: greenpill-dev-guild/cookie-jar

Length of output: 147


🌐 Web query:

GitHub API author_association field issue_comment pull_request_review_comment availability

💡 Result:

REST API (resources)

  • Issue comments (/repos/{owner}/{repo}/issues/comments/... and /repos/{owner}/{repo}/issues/{issue_number}/comments): the returned Issue Comment object includes author_association. [1]
  • Pull request review comments (/repos/{owner}/{repo}/pulls/comments/... and related list endpoints): the returned Review Comment object includes author_association. [2]

Webhooks (event payloads)

  • The issue_comment webhook and pull_request_review_comment webhook are available (repos/orgs/GitHub Apps) and their payloads include a comment object; in practice this comment object includes author_association (matching the REST comment resources). [3]

GraphQL API

  • IssueComment has authorAssociation: CommentAuthorAssociation!. [4]
  • The GraphQL Comment interface (implemented by types including PullRequestReviewComment) includes authorAssociation. [5]
  • CommentAuthorAssociation possible values include: COLLABORATOR, CONTRIBUTOR, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR, MANNEQUIN, MEMBER, NONE, OWNER. [6]

Important gotcha: “Events API” payloads

  • GitHub announced that author_association is being removed from multiple GitHub Events API event payload types, including Issue Comment and Pull Request Review Comment events; GitHub notes the data remains available via the main REST API. [7]

Sources:
[1] https://docs.github.com/en/rest/issues/comments (example response includes author_association)
[2] https://docs.github.com/en/rest/pulls/comments (example response includes author_association)
[3] https://docs.github.com/en/webhooks/webhook-events-and-payloads (issue_comment & pull_request_review_comment availability / payload structure)
[4] https://docs.github.com/en/graphql/reference/objects (IssueComment → authorAssociation)
[5] https://docs.github.com/en/enterprise-server@3.18/graphql/reference/interfaces (Comment interface → authorAssociation, implemented by PullRequestReviewComment)
[6] https://docs.github.com/enterprise-cloud@latest/graphql/reference/enums (CommentAuthorAssociation values)
[7] https://github.blog/changelog/2025-08-08-upcoming-changes-to-github-events-api-payloads (Events API removing author_association)


🌐 Web query:

GitHub Actions github.event.comment.author_association availability all event types

💡 Result:

github.event.comment.author_association is not available for “all” GitHub Actions event types—only for workflow triggers whose webhook payload includes a top-level comment object (so github.event.comment exists).

Events where github.event.comment.author_association is expected to be present:

For other triggers, either there is no comment object, or the “comment-like” object is under a different key (so the path is different, e.g. not github.event.comment.*). In general, github.event in Actions mirrors the event’s webhook payload shape, so you must check the payload schema for the specific on: event you’re using. (docs.github.com)

Related note: GitHub announced removal of author_association from multiple GitHub Events API payloads (including Issue Comment / PR Review Comment / Commit Comment / Discussion, etc.). That announcement is about the Events API, but it’s a sign you shouldn’t assume author_association is universally available everywhere—be prepared to fetch it from the main REST resources if missing. (github.blog)

Citations:


🏁 Script executed:

# Check if there's any documentation or code in the repo about permissions
rg -i "author_association|collaborator|permission" --type yml --type yaml --type md

Repository: greenpill-dev-guild/cookie-jar

Length of output: 101


🌐 Web query:

GitHub webhook payload issues event author_association field issue object

💡 Result:

In the issues webhook event payload, the top-level issue object can include an author_association field (string). For example payloads, see the Octokit/GitHub webhook specs where issue.author_association appears (e.g., "author_association": "OWNER"). [1]

What it means: author_association indicates the relationship/association of the issue’s author to the repository (often described as what permissions/standing the user has with respect to the repo). [2]

Possible values (GitHub’s CommentAuthorAssociation enum): COLLABORATOR, CONTRIBUTOR, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR, MANNEQUIN, MEMBER, NONE, OWNER (with the corresponding definitions in the enum docs). [3]

Note: GitHub’s webhook “issues” docs don’t enumerate every field inside the nested issue object; the most reliable reference for the full shape is the machine-readable webhook schema/spec (Octokit webhooks). [1]

References:
[1] Octokit Webhooks specifications / payload examples (issues event)
[2] GitHub Docs – Issue event types (property description for author_association)
[3] GitHub GraphQL Docs – CommentAuthorAssociation enum values and definitions


🌐 Web query:

GitHub webhook payload pull_request_review event author_association review object

💡 Result:

In the pull_request_review webhook payload, the top-level review field is the pull request review object that was affected (for actions like submitted, edited, dismissed). The payload also includes a top-level sender (the GitHub user who triggered the webhook delivery). [1]

Inside the review object, author_association is a string that describes the relationship between the review’s author (review.user) and the repository (e.g., member/collaborator/first-time contributor). You can see author_association as part of the pull request review resource in GitHub’s API schema/example responses. [2]

Possible author_association values (GitHub enum CommentAuthorAssociation) are: COLLABORATOR, CONTRIBUTOR, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR, MANNEQUIN, MEMBER, NONE, OWNER. [3]

Note: GitHub announced removing author_association from Events API payloads (not the same as webhooks) for several event types, including pull request review events. If you’re looking at the Events API rather than webhook deliveries, that may be why it’s missing. [4]

Sources: [1] [2] [3] [4]


🌐 Web query:

GitHub Events API removal author_association when does it take effect impact

💡 Result:

When does the removal take effect?
GitHub removed author_association from the GitHub Activity/Events API payloads as part of the Events API payload trimming that was officially implemented on October 7, 2025 (with an initial brownout test on September 8, 2025). Since today is February 12, 2026, this change is already in effect. [1]

What exactly changed?
author_association was removed from these Activity Events API event types: Pull Request, Pull Request Review, Pull Request Review Comment, Issue, Issue Comment, Commit Comment, and Discussion. [1]

Impact (what breaks / what you need to do)

  • If your integration used author_association from Events API responses (e.g., to tell whether the actor is OWNER/MEMBER/etc. for moderation, trust signals, prioritization, analytics), that field will now be missing from those event payloads. [1]
  • GitHub’s guidance is that there is no loss of data overall—you must fetch the relevant object via the main REST API (issue/PR/comment/discussion endpoints) to get details that were removed from Events payloads. This typically means more follow-up API calls, which can increase latency and can make you more sensitive to rate limits. [1][2]
  • GitHub states the motivation is smaller/faster payloads and fresher event availability (events previously could appear with significant delay). [1]

What author_association means (for context)
In GitHub’s REST docs, author_association represents the user’s permissions/relationship to the repository (example given: "OWNER" when the repo owner created a comment). [2]

Sources
[1] GitHub Changelog — “Upcoming changes to GitHub Events API payloads” (Aug 8, 2025; timeline includes Sept 8, 2025 brownout and Oct 7, 2025 implementation)
[2] GitHub Docs — REST “Issue event types” (explains author_association meaning and example)


🏁 Script executed:

# Search for any permission checks in the repo related to this workflow
rg -i "author_association|permission.*check|write.*access" --type-list

Repository: greenpill-dev-guild/cookie-jar

Length of output: 463


🏁 Script executed:

# Let's check the repo for any GitHub Actions configurations that might restrict access
rg "write" .github/workflows/ -A 2 -B 2

Repository: greenpill-dev-guild/cookie-jar

Length of output: 1407


Restrict workflow to authorized users by checking author association.

The if condition lacks permission checks — any GitHub user who can comment on a public issue could trigger Claude to perform actions with the workflow's permissions. All four event types support the author_association field in their payloads, so the proposed fix is technically feasible.

However, note that GitHub deprecated author_association in the Events API (effective October 7, 2025); while this affects the polling Events API, not GitHub Actions webhooks, monitor for future changes to webhook payload formats.

Consider the proposed fix:

Restrict to collaborators
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') &&
+        github.event.comment.author_association != 'NONE') ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') &&
+        github.event.comment.author_association != 'NONE') ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') &&
+        github.event.review.author_association != 'NONE') ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+        github.event.issue.author_association != 'NONE')

For stricter control, replace != 'NONE' with checks for specific associations (== 'MEMBER', == 'OWNER', or == 'COLLABORATOR').

🤖 Prompt for AI Agents
In @.github/workflows/claude.yml around lines 15 - 19, The workflow if-condition
currently only checks for '@claude' in comment/title bodies and must also verify
author_association to restrict who can trigger the job; update the four event
checks that reference github.event.comment.body, github.event.review.body,
github.event.issue.body, and github.event.issue.title to also require the
matching author association field (e.g. github.event.comment.author_association,
github.event.review.author_association, github.event.issue.author_association)
be a trusted value (either != 'NONE' or explicitly one of
'MEMBER'|'OWNER'|'COLLABORATOR' per your desired strictness) so only authorized
users can trigger the workflow.

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
Comment on lines +21 to +26

⚠️ Potential issue | 🔴 Critical

Same permissions issue: pull-requests and issues need write.

Same as the review workflow — Claude needs write access to post comments.

Proposed fix
     permissions:
       contents: read
-      pull-requests: read
-      issues: read
+      pull-requests: write
+      issues: write
       id-token: write
       actions: read # Required for Claude to read CI results on PRs
🤖 Prompt for AI Agents
In @.github/workflows/claude.yml around lines 21 - 26, Update the GitHub Actions
permissions in the permissions block so Claude can post comments: change the
keys pull-requests and issues from read to write (i.e., set pull-requests: write
and issues: write) so the workflow has the necessary write access for
commenting; leave other permissions (contents, id-token, actions) as-is.

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read
# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'
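Review bot: the `if:` gate (lines +15 to +19) is the only trust boundary in this workflow and the proposed `!= 'NONE'` check is too loose: `issue_comment`, `pull_request_review_comment` and `pull_request_review` run in the base repository context with this job's permissions and secrets even when the comment is on a fork PR, and the `author_association` enum quoted in the analysis above includes `CONTRIBUTOR`, `FIRST_TIMER` and `FIRST_TIME_CONTRIBUTOR`, which outside accounts can hold, so use an explicit allow-list, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` with the matching `review` and `issue` fields, instead of excluding only `NONE`. Keep `# claude_args: '--allowed-tools Bash(gh pr:*)'` disabled until that gate is in place, since a `gh pr` shell tool plus `pull-requests: write` lets an untrusted issue body drive changes to pull requests, and pin `anthropics/claude-code-action@v1` to a commit SHA as in the review workflow.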
