Add Claude GitHub Actions integration (#9)

iaminawe · claude · web-flow · commit d03e86ea47de · 2025-10-15T20:09:38.000-04:00
* "Claude PR Assistant workflow" * "Claude Code Review workflow" * chore: remove automatic PR review workflow Remove automatic Claude PR review workflow as repository already has a PR reviewer in place. Keep the @claude mention workflow (claude.yml) for on-demand assistance. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: add newline at end of claude.yml Fix linting error by ensuring file ends with a newline. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: trigger on issue edited instead of assigned Change Claude workflow to trigger on issue edit events instead of assignment events for better workflow integration. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * feat: add timeout and concurrency controls to Claude workflow Add safeguards to prevent runaway or duplicate jobs: - Set 10 minute timeout for job execution - Configure concurrency grouping by event type and issue/PR number - Enable cancel-in-progress to stop duplicate runs 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * feat: restrict Claude workflow to authorized users only Add author association checks to ensure only repository owners, members, and collaborators can trigger the Claude workflow. This prevents unauthorized users from triggering potentially expensive or sensitive operations. Changes: - Check author_association for all event types - Require OWNER, MEMBER, or COLLABORATOR status - Add null checks for review and issue bodies 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * security: pin claude-code-action to specific commit SHA Pin action to verified commit SHA instead of mutable tag for supply chain security. This prevents potential attacks where a tag could be moved to malicious code. - Pin to e8bad572273ce919ba15fec95aef0ce974464753 (v1 release) - Add inline comment for version reference 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * refactor: simplify author association checks Replace verbose OR chains with concise contains() + fromJson() pattern for checking author associations. This improves readability and maintainability. Before: Multiple OR conditions for each event type After: contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), author_association) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -0,0 +1,70 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, edited]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    timeout-minutes: 10
+    concurrency:
+      group: claude-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
+      cancel-in-progress: true
+    if: |
+      (
+        github.event_name == 'issue_comment' &&
+        contains(github.event.comment.body, '@claude') &&
+        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+      ) || (
+        github.event_name == 'pull_request_review_comment' &&
+        contains(github.event.comment.body, '@claude') &&
+        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+      ) || (
+        github.event_name == 'pull_request_review' &&
+        github.event.review.body != null &&
+        contains(github.event.review.body, '@claude') &&
+        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
+      ) || (
+        github.event_name == 'issues' &&
+        (
+          (github.event.issue.body != null && contains(github.event.issue.body, '@claude')) ||
+          contains(github.event.issue.title, '@claude')
+        ) &&
+        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
+      )
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@e8bad572273ce919ba15fec95aef0ce974464753 # v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+          # prompt: 'Update the pull request description to include a summary of changes.'
+
+          # Optional: Add claude_args to customize behavior and configuration
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+          # claude_args: '--allowed-tools Bash(gh pr:*)'
