Conversation

@ericallam
Member

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@changeset-bot

changeset-bot bot commented Jan 6, 2026

⚠️ No Changeset found

Latest commit: ef87695

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Contributor

coderabbitai bot commented Jan 6, 2026

Walkthrough

Two new GitHub Actions workflows are added to the repository. The first workflow (claude-code-review.yml) automatically triggers on pull requests and invokes Claude's code review action to analyze code quality, bugs, performance, security, and test coverage. The second workflow (claude.yml) activates on issue comments, pull request review comments, issues, and pull request reviews when mentions of @claude are detected, executing the same code review action. Both workflows use the Claude Opus 4.5 model and configure OAuth token authentication to interact with GitHub APIs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks

✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding GitHub Actions workflows for Claude Code integration.
Description check | ✅ Passed | The description is comprehensive and exceeds template requirements with detailed context about Claude Code, security considerations, and usage instructions, though it lacks some optional template sections.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.

Updated claude_args to use a multi-line format and added model specification.
@vibe-kanban-cloud

Review Complete

Your review story is ready!

View Story

Comment !reviewfast on this PR to re-generate the story.

Add claude_args to specify the model for Claude.
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
Insufficient permissions prevent Claude from commenting on PRs

High Severity

The workflow explicitly instructs Claude to use gh pr comment to leave review comments and includes Bash(gh pr comment:*) in allowed tools, but the permissions block only grants pull-requests: read. The gh CLI uses the workflow's GITHUB_TOKEN, which is constrained by these permissions. The command will fail with a 403 error because write access is required. Changing to pull-requests: write is needed for the workflow to function as designed.

pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
Read-only permissions block Claude from commenting and committing

High Severity

The PR description states Claude can "create comments, branches, and commits", but the workflow only grants read permissions for contents, pull-requests, and issues. When users mention @claude requesting actions that modify the repository or leave comments, those operations will fail because the GITHUB_TOKEN lacks write access. The permissions need to include write access for the intended operations to work.

(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
Assigned event triggers Claude for stale @claude mentions

Medium Severity

The workflow triggers on issues: [opened, assigned] but the if condition on line 19 only checks if github.event.issue.body or title contains @claude. When an issue is assigned, the body/title is unchanged from when it was created. If an issue was created months ago with @claude in the body, assigning that issue today will re-trigger Claude responding to that old mention. The condition is missing a check for github.event.action == 'opened' to distinguish new mentions from stale ones, causing unintended duplicate Claude responses.

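To make the stale-mention problem described above concrete, here is an added example (not code from the PR or from the Claude Code action) that models the workflow's `if` expression in Python over constructed GitHub event payloads and compares it with a version guarded by `github.event.action == 'opened'`:

```python
# Added example: models the `if` condition from claude.yml as plain Python so the
# `issues: [opened, assigned]` re-trigger on old @claude mentions can be observed.
# Event payloads below are constructed for illustration, not real GitHub data.

MENTION = "@claude"


def _text(obj: dict, key: str) -> str:
    # Real payloads can carry null bodies; treat them as empty strings.
    return obj.get(key) or ""


def original_condition(event_name: str, event: dict) -> bool:
    """The trigger condition as written in the PR's workflow (no action check)."""
    if event_name in ("issue_comment", "pull_request_review_comment"):
        return MENTION in _text(event["comment"], "body")
    if event_name == "pull_request_review":
        return MENTION in _text(event["review"], "body")
    if event_name == "issues":
        issue = event["issue"]
        return MENTION in _text(issue, "body") or MENTION in _text(issue, "title")
    return False


def fixed_condition(event_name: str, event: dict) -> bool:
    """Same condition, but the `issues` branch only fires for newly opened issues."""
    if event_name == "issues" and event.get("action") != "opened":
        return False
    return original_condition(event_name, event)


# Constructed cases: an old issue that mentioned @claude when opened and is now
# being assigned, a fresh issue mentioning @claude, a comment, and a plain issue.
CASES = [
    ("issues", {"action": "assigned",
                "issue": {"title": "Flaky test", "body": "@claude please look"}}),
    ("issues", {"action": "opened",
                "issue": {"title": "@claude triage this", "body": None}}),
    ("issue_comment", {"action": "created", "comment": {"body": "cc @claude"}}),
    ("issues", {"action": "opened", "issue": {"title": "Bug", "body": "no mention"}}),
]


def run_cases() -> list:
    """Returns (original_fires, fixed_fires) for each constructed case, in order."""
    return [(original_condition(n, e), fixed_condition(n, e)) for n, e in CASES]


if __name__ == "__main__":
    for (name, ev), (orig, fixed) in zip(CASES, run_cases()):
        print(f"{name:24s} action={ev['action']:9s} original={orig!s:5s} fixed={fixed}")
```

The first case is the stale-mention scenario from the review comment: the original condition fires on the `assigned` event, the guarded one does not, while genuine new mentions still fire in both.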
@matt-aitken matt-aitken merged commit 752ad32 into main Jan 6, 2026
33 of 35 checks passed
@matt-aitken matt-aitken deleted the add-claude-github-actions-1767726929749 branch January 6, 2026 19:26
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI Agents
In @.github/workflows/claude-code-review.yml:
- Around line 22-26: The workflow's permissions block grants only read access to
pull-requests, but the job uses the gh CLI to run "gh pr comment" which requires
write permission; update the permissions section by changing the pull-requests
permission from read to write (i.e., set pull-requests: write) so the "gh pr
comment" command can post comments; ensure the permissions block still includes
contents: read, issues: read, and id-token: write unchanged.
🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)

39-41: Redundant additional_permissions for actions: read.

The actions: read permission is already specified in the job-level permissions on line 26. The additional_permissions input here is redundant.

🔎 Proposed cleanup
-          # This is an optional setting that allows Claude to read CI results on PRs
-          additional_permissions: |
-            actions: read
-
           claude_args: |
             --model claude-opus-4-5-20251101
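Review bot: the "redundant" claim behind removing `additional_permissions` assumes that input maps onto the same job-level `permissions` that already grant `actions: read`; the comment line being deleted says this setting is what lets Claude read CI results on PRs, so confirm in the action's documentation which token it applies to before dropping it, otherwise CI-result reads may lose access without any error in the workflow file itself.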
📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between db0df17 and ef87695.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (1, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (5, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (6, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (8, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (5, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (2, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (7, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (1, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (3, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (4, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (4, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (3, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (2, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (7, 8)
  • GitHub Check: units / packages / 🧪 Unit Tests: Packages (1, 1)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
  • GitHub Check: typecheck / typecheck
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
  • GitHub Check: Cursor Bugbot
🔇 Additional comments (3)
.github/workflows/claude-code-review.yml (1)

34-58: Well-structured action configuration.

The prompt clearly defines review criteria (code quality, bugs, performance, security, test coverage), and the allowed-tools restriction limits Claude to specific gh commands, which is good for security. The explicit model specification ensures consistent behavior.

.github/workflows/claude.yml (2)

21-26: Consider adding write permissions for Claude to respond.

Per the PR description, Claude should be able to "interact with the repository by creating comments, branches, and commits." With only read permissions for contents, pull-requests, and issues, Claude won't be able to post responses or make changes. If Claude should respond to @claude mentions, you'll need write permissions.

Please verify the intended behavior. If Claude should respond with comments:

     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
+      contents: write
+      pull-requests: write
+      issues: write
       id-token: write
       actions: read # Required for Claude to read CI results on PRs
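Review bot: `contents: write` is broader than "respond with comments" requires; posting comments needs only `pull-requests: write` and `issues: write`, and since the PR description says Claude receives the entire PR or issue context (bodies, diffs, previous comments) as input, grant `contents: write` only if branch and commit creation is actually intended, and keep the remaining scopes at read.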

15-19: Trigger conditions correctly handle @claude mentions across event types.

The condition properly checks the appropriate body field for each event type (comment.body, review.body, issue.body, issue.title).

Comment on lines +22 to +26
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
Contributor

⚠️ Potential issue | 🔴 Critical

Missing write permission for pull-requests will cause gh pr comment to fail.

The prompt instructs Claude to use gh pr comment (line 52), but the workflow only grants pull-requests: read. The gh pr comment command requires write access to post comments.

🔎 Proposed fix
     permissions:
       contents: read
-      pull-requests: read
+      pull-requests: write
       issues: read
       id-token: write
Suggested change (before):
permissions:
contents: read
pull-requests: read
issues: read
id-token: write

Suggested change (after):
permissions:
contents: read
pull-requests: write
issues: read
id-token: write
🤖 Prompt for AI Agents
In @.github/workflows/claude-code-review.yml around lines 22 - 26, The
workflow's permissions block grants only read access to pull-requests, but the
job uses the gh CLI to run "gh pr comment" which requires write permission;
update the permissions section by changing the pull-requests permission from
read to write (i.e., set pull-requests: write) so the "gh pr comment" command
can post comments; ensure the permissions block still includes contents: read,
issues: read, and id-token: write unchanged.

3 participants