
Add Claude Code GitHub Workflow #230

Closed
domdomegg wants to merge 2 commits into main from add-claude-github-actions-1754651064073

@domdomegg
Member

Adds Claude to the GitHub repo, so we can @claude for help summarising what's going on in long issue threads, implementing small things, fixing up stuff based on PR feedback etc.

Open to feedback - would this be useful for others? I think I'd find the claude.yml particularly useful (e.g. able to tag Claude in issues/get it to take a first stab attempt at PRs). I'm not sure about the automatic PR reviews.

Auto-generated PR description from Claude Code

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@claude
Contributor

claude bot commented Aug 8, 2025

Claude finished @domdomegg's task


Pull Request Review

I'll review this PR that adds Claude Code GitHub workflows.

Todo List:

  • Read and analyze both workflow files
  • Review security considerations and permissions
  • Check GitHub Actions best practices
  • Evaluate workflow logic and triggers
  • Provide comprehensive feedback

Analysis Complete - Providing Feedback:

🔍 Overall Assessment

This PR adds two well-structured GitHub workflows for Claude Code integration. The implementation follows GitHub Actions best practices with appropriate permissions and clear separation of concerns.

✅ Strengths

Security & Permissions:

  • Proper principle of least privilege with minimal required permissions
  • Secure secret handling using ${{ secrets.ANTHROPIC_API_KEY }}
  • Uses stable action versions (actions/checkout@v4)
  • id-token: write permission follows modern OIDC patterns

Code Quality:

  • Clean, well-documented YAML with helpful comments
  • Logical separation: claude.yml for interactive use, claude-code-review.yml for automated reviews
  • Good use of conditional logic to prevent unnecessary runs
  • Comprehensive trigger conditions covering various GitHub events

🛡️ Security Considerations

Excellent security practices:

  • No hardcoded secrets or sensitive data
  • Minimal permissions scope
  • Stable action references (using @v4 and @beta)
  • Proper secret management

One minor consideration:

  • The workflows grant contents: read but since Claude can make commits/PRs, consider if contents: write might be needed for some use cases (though current setup may be intentional)

📋 Best Practices Compliance

GitHub Actions Standards:

  • ✅ Clear job names and descriptions
  • ✅ Proper event triggers and conditions
  • ✅ Structured YAML formatting
  • ✅ Good use of optional configurations via comments
  • ✅ Fetch depth optimization (fetch-depth: 1)

⚡ Performance Considerations

  • Efficient trigger conditions prevent unnecessary runs
  • fetch-depth: 1 minimizes checkout time
  • Proper use of conditional logic (if:) to gate execution

🔧 Potential Improvements

  1. Documentation: Consider adding a brief comment at the top of each file explaining its purpose
  2. Branch Protection: The automated review workflow might benefit from a condition to skip draft PRs:
    if: github.event.pull_request.draft == false
  3. Error Handling: Consider what happens if ANTHROPIC_API_KEY secret is missing (workflow will fail gracefully but could be documented)

🧪 Test Coverage

Current State: No direct tests for these workflows (which is normal for GitHub Actions)

Recommendations:

  • Consider documenting test scenarios in PR description
  • Could add a basic workflow validation via GitHub's workflow syntax checking

🎯 Repository Integration

The workflows integrate well with this Go-based MCP Registry project:

  • No language-specific assumptions made
  • Generic enough to work with the existing project structure
  • Follows the repository's pattern of keeping CI/CD in .github/workflows/

📝 Minor Suggestions

  1. claude-code-review.yml line 72: The commented allowed_tools example shows npm commands, but this is a Go project. Consider updating to Go-relevant commands:

    # allowed_tools: "Bash(go test ./...),Bash(make lint),Bash(make build)"
  2. claude.yml line 53: Same suggestion for the allowed_tools example

✅ Final Verdict

This is a high-quality implementation that follows security best practices and GitHub Actions conventions. The code is clean, well-documented, and ready for production use. The workflows will provide valuable AI assistance for code reviews and issue management.

Recommendation: Approve
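
A small audit of the items the review above lists (action references, permission scopes, `allowed_tools` entries), as an added example that is not part of this PR or the project's code. The workflow text is constructed, and `example-org/claude-action` is a placeholder action name.

```python
import re

# Constructed sample workflow. Values echo those named in the review above;
# "example-org/claude-action" is a placeholder, not the action this PR uses.
SAMPLE_WORKFLOW = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
jobs:
  claude:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - uses: example-org/claude-action@beta
        with:
          allowed_tools: "Bash(go test ./...),Bash(make lint),Bash(make build)"
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#@]+)@(\S+)")
PERM_RE = re.compile(r"^\s+([a-z-]+):\s*write\s*$")
TOOLS_RE = re.compile(r"^\s*allowed_tools:\s*\"?([^\"\n]*)\"?")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable


def audit_workflow(text):
    """Return (line_no, kind, detail) findings for a reviewer to look at."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out examples are not active configuration
        m = USES_RE.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            # Tags and branches such as @v4 or @beta can be moved later.
            findings.append((no, "mutable-ref", f"{m.group(1)}@{m.group(2)}"))
        m = PERM_RE.match(line)
        if m:
            findings.append((no, "write-scope", m.group(1)))
        m = TOOLS_RE.match(line)
        if m:
            for tool in re.findall(r"Bash\(([^)]*)\)", m.group(1)):
                findings.append((no, "shell-tool", tool))
    return findings
```
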


@domdomegg
Member Author

// splitting this up so we can discuss the two workflows separately

@domdomegg
Member Author

Gonna split this up: #231 and #232

@domdomegg domdomegg closed this Aug 8, 2025
@domdomegg domdomegg deleted the add-claude-github-actions-1754651064073 branch September 9, 2025 15:27