Skip to content

Add Claude Code GitHub Workflow #784

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 8, 2025
Merged

Add Claude Code GitHub Workflow #784

merged 2 commits into from
Sep 8, 2025

Conversation

@vim-zz
Copy link
Collaborator

@vim-zz vim-zz commented Sep 8, 2025
edited by gitstream-cm bot
Loading

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

✨ PR Description

Purpose: Add GitHub workflow configurations to integrate Claude AI code review capabilities for pull requests and issue interactions.
Main changes:

  • Implemented PR-triggered workflow for automated Claude code reviews with comprehensive evaluation criteria
  • Added comment-triggered workflow enabling Claude assistance via @claude mentions in issues and PR comments
  • Configured necessary permissions and GitHub tools access for both workflows

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using. We'd love your feedback! 🚀

@vim-zz vim-zz requested a review from MishaKav September 8, 2025 11:28
orca-security-us[bot]
orca-security-us bot reviewed Sep 8, 2025
View reviewed changes
Copy link

@orca-security-us orca-security-us bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Orca Security Scan Summary

Status Check Issues by priority
Passed Passed Infrastructure as Code high 0   medium 0   low 0   info 0 View in Orca
Passed Passed SAST high 0   medium 0   low 0   info 0 View in Orca
Passed Passed Secrets high 0   medium 0   low 0   info 0 View in Orca
Passed Passed Vulnerabilities high 0   medium 0   low 0   info 0 View in Orca

gitstream-cm[bot]
gitstream-cm bot reviewed Sep 8, 2025
View reviewed changes
Copy link
Contributor

@gitstream-cm gitstream-cm bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✨ PR Review

The PR adds Claude Code integration workflows that appear well-structured, but there's a critical security concern regarding unrestricted API access for external contributors.

2 issues detected:

🔒 Security - External contributors can trigger expensive API calls without restrictions

Details: The workflow triggers automatically on all pull requests without any filtering, allowing external contributors to potentially abuse the Anthropic API and incur unlimited costs. Any malicious actor can open multiple PRs to exhaust API quotas or generate significant billing charges.
File: .github/workflows/claude-code-review.yml (15-19)

🔒 Security - API calls can run indefinitely without timeout protection

Details: The workflow lacks timeout configurations for the Claude API calls, which could lead to workflows running indefinitely and consuming resources. Long-running workflows can also mask potential abuse attempts.
File: .github/workflows/claude-code-review.yml (21-21)

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using. We'd love your feedback! 🚀

.github/workflows/claude-code-review.yml
Comment on lines +15 to +19
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
Copy link
Contributor

@gitstream-cm gitstream-cm bot Sep 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security - Unrestricted API Access: Uncomment and configure the PR author filter (lines 16-19) to restrict execution to trusted contributors only, or add rate limiting mechanisms and cost controls.

Suggested change
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
# Restrict to trusted contributors only
if: |
github.event.pull_request.author_association == 'OWNER' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.author_association == 'COLLABORATOR'

.github/workflows/claude-code-review.yml
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

runs-on: ubuntu-latest
Copy link
Contributor

@gitstream-cm gitstream-cm bot Sep 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security - Missing Timeout Controls: Add a timeout configuration to the workflow job (e.g., timeout-minutes: 10) and configure appropriate timeouts in the claude_args parameter.

Suggested change
runs-on: ubuntu-latest
runs-on: ubuntu-latest
timeout-minutes: 10

@gitstream-cm gitstream-cm bot requested a review from a team September 8, 2025 11:29
MishaKav
MishaKav approved these changes Sep 8, 2025
View reviewed changes
Copy link
Collaborator

@MishaKav MishaKav left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lets try 💪

@gitstream-cm gitstream-cm bot requested a review from a team September 8, 2025 11:47
@vim-zz vim-zz merged commit 597b21e into main Sep 8, 2025
19 checks passed
@vim-zz vim-zz deleted the add-claude-github-actions-1757330812840 branch September 8, 2025 11:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gitstream-cm gitstream-cm[bot] gitstream-cm[bot] left review comments

@orca-security-us orca-security-us[bot] orca-security-us[bot] left review comments

@MishaKav MishaKav MishaKav approved these changes

Assignees

No one assigned

Labels

2 Unresolved Thread(s) 5 min review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vim-zz @MishaKav