Add Claude Code GitHub Workflow #3
Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
Summary by CodeRabbit
Walkthrough
Two new GitHub Actions workflows are introduced to integrate Claude code review capabilities. The
Changes
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
Suggested labels
Important: Pre-merge checks failed. Please resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error)
✅ Passed checks (7 passed)
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/claude-code-review.yml:
- Line 36: The workflow currently references the third-party GitHub Action using a mutable tag "uses: anthropics/claude-code-action@v1"; replace that with the action's full 40-character commit SHA (e.g. "uses: anthropics/claude-code-action@<commit-sha>") to pin the dependency and eliminate supply-chain risk—update the single line containing anthropics/claude-code-action so it uses the exact commit SHA instead of `@v1`.
In @.github/workflows/claude.yml:
- Around line 8-10: The workflow currently triggers on issue assignment via the entry "issues: types: [opened, assigned]" which causes duplicate runs; remove "assigned" so the trigger becomes "issues: types: [opened]" to avoid retriggering on assignment churn (leave "pull_request_review" unchanged); update the "issues" types array in the workflow YAML accordingly.
- Around line 15-20: The workflow condition in .github/workflows/claude.yml currently triggers on any `@claude` mention; change it to also require a trusted author association so only repository members/owners/collaborators can trigger secret-backed runs—i.e., extend each mention clause to AND a check for the event's author association (use github.event.comment.author_association for comment/pull_request_review_comment, github.event.review.user.login or github.event.review.user.type/association for pull_request_review, and github.event.issue.author_association or github.event.issue.user for issues) and allow only values like "MEMBER", "OWNER", or "COLLABORATOR"; also ensure any secret usage continues to avoid logging secrets and uses GITHUB_TOKEN where possible.
- Line 35: Replace the mutable tag usage "uses: anthropics/claude-code-action@v1" with the action's immutable 40-character commit SHA (e.g., "uses: anthropics/claude-code-action@<full-commit-sha>"); locate the workflow line containing "uses: anthropics/claude-code-action@v1" in the workflow file and update it to the corresponding commit SHA for that release to ensure the third-party action is pinned immutably.
📒 Files selected for processing (2)
- .github/workflows/claude-code-review.yml
- .github/workflows/claude.yml
🧰 Additional context used
📓 Path-based instructions (1)
.github/**
⚙️ CodeRabbit configuration file
GitHub Actions workflows. Review for: action version pinning (use SHA not tags for third-party actions), proper secret handling (no secrets in logs, use GITHUB_TOKEN where possible), unnecessary workflow triggers, and job dependency correctness. Flag missing concurrency groups on push-triggered workflows. Ensure matrix strategies cover the supported .NET TFMs.
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 |
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/claude-code-review.yml | sed -n '30,45p'
Repository: ANcpLua/ANcpLua.Agents
Length of output: 863
🏁 Script executed:
grep -n "uses:" .github/workflows/claude-code-review.yml
Repository: ANcpLua/ANcpLua.Agents
Length of output: 153
🏁 Script executed:
head -n 50 .github/workflows/claude-code-review.yml
Repository: ANcpLua/ANcpLua.Agents
Length of output: 1499
Pin anthropics/claude-code-action to a commit SHA, not @v1.
Third-party action tags are mutable and create supply-chain risk. Use the full 40-character commit SHA.
Suggested fix
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@<full-40-char-commit-sha>
| issues: | ||
| types: [opened, assigned] | ||
| pull_request_review: |
Drop issues.assigned; it causes duplicate runs without a new @claude request.
Assignment churn can retrigger this job on old issue text and burn automation cycles.
Suggested fix
issues:
- types: [opened, assigned]
+ types: [opened]
As per coding guidelines, .github/** workflows should avoid “unnecessary workflow triggers.”
| if: | | ||
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | ||
| runs-on: ubuntu-latest |
Add trusted-author gating before running Claude.
This condition allows any user who can post @claude to trigger a secret-backed automation path.
Suggested fix
claude:
if: |
- (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
- (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ (
+ (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+ (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ ) &&
+ (
+ (github.event_name == 'issue_comment' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+ (github.event_name == 'pull_request_review_comment' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+ (github.event_name == 'pull_request_review' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
+ (github.event_name == 'issues' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
+ )
As per coding guidelines, .github/** workflows must enforce “proper secret handling (no secrets in logs, use GITHUB_TOKEN where possible)”.
| - name: Run Claude Code | ||
| id: claude | ||
| uses: anthropics/claude-code-action@v1 |
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/claude.yml
Repository: ANcpLua/ANcpLua.Agents
Length of output: 2302
🌐 Web query:
GitHub Actions third-party action pinning SHA vs tag best practices security
💡 Result:
For GitHub Actions, especially third-party actions, the best security practice is to pin to a full-length commit SHA rather than a tag. SHAs are immutable, preventing supply chain attacks where tags can be force-pushed to malicious commits. Tags like @v1 are mutable and risky unless you fully trust the maintainer. Official GitHub recommendation from docs: "Pin actions to a full-length commit SHA. Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release." Use the format: uses: actions/checkout@192f6d4 # v4.1.1 (add comment for readability). For trusted creators (e.g., GitHub's own actions with verified badge), tags may be acceptable for convenience, but SHA is always more secure. GitHub provides org/repo-level policies to enforce SHA pinning (introduced 2025), which checks the full dependency tree including sub-actions. Use Dependabot to auto-update SHA-pinned actions: it creates PRs with new SHAs and version comments. Tools like pin-github-action or ensure-sha-pinned-actions help automate pinning and enforcement. Example workflow step: uses: actions/checkout@192f6d4 # v4.1.1 Avoid @main, @latest, or unpinned tags for third-party actions.
Citations:
- 1: https://docs.github.com/en/actions/reference/security/secure-use
- 2: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
- 3: https://www.romainlespinasse.dev/posts/github-actions-commit-sha-pinning/
- 4: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide
- 5: https://github.com/ihs7/action-sha-pinned-actions
- 6: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions
- 7: https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/find-and-customize-actions
Pin anthropics/claude-code-action to a commit SHA.
Third-party actions must use immutable commit SHAs, not tags. @v1 is mutable and can be force-pushed to malicious commits. Replace with the full 40-character commit SHA for that release.
Suggested fix
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@<full-40-char-commit-sha>
📝 Committable suggestion
| uses: anthropics/claude-code-action@v1 | |
| uses: anthropics/claude-code-action@abc123def456abc123def456abc123def456abc1 |
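The three findings above (unpinned third-party action, `@claude` gate with no author check, `issues` trigger types beyond `opened`) can be caught before a review ever runs. The checker below is an added example, not CodeRabbit's tooling and not code from this repository; it runs over a constructed sample workflow, treats the `actions/` and `github/` owners as first-party (an assumption), and uses line-based regex rather than a YAML parser, so the gating check is a textual heuristic, not an evaluation of the GitHub expression.

```python
import re

# Constructed sample resembling the workflow under review (not the PR's actual file).
SAMPLE_WORKFLOW = """\
name: Claude Code
on:
  issues:
    types: [opened, assigned]
jobs:
  claude:
    if: |
      (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
      - uses: ./.github/actions/local-helper
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: first-party owners may keep tags; everything else counts as third-party.
FIRST_PARTY = ("actions/", "github/")

def unpinned_actions(text):
    """Return (line_no, ref) for third-party `uses:` refs not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")) or ref.startswith(FIRST_PARTY):
            continue  # local, container and first-party actions are out of scope here
        if not SHA_RE.match(ref.partition("@")[2]):  # tag, branch, short SHA or no ref at all
            findings.append((n, ref))
    return findings

def ungated_mentions(text):
    """True when an if: keys on an '@claude' mention but never checks author_association."""
    return "'@claude'" in text and "author_association" not in text

def noisy_issue_triggers(text):
    """Return `issues` trigger types beyond 'opened', which re-run the job on issue churn."""
    m = re.search(r"^\s*issues:\s*\n\s*types:\s*\[([^\]]*)\]", text, re.M)
    return [] if not m else [t.strip() for t in m.group(1).split(",") if t.strip() != "opened"]
```

Running the three functions over every file under .github/workflows in CI fails the build on the same conditions the review flagged, so the fix holds after merge.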
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 29b8ae5644
| contents: read | ||
| pull-requests: read | ||
| issues: read |
Grant Claude workflow write permissions
This @claude interactive workflow is configured with read-only contents, pull-requests, and issues, which prevents Claude from performing core actions users will request (posting replies, opening/updating PRs, committing changes). In practice, commands that require repository mutation will fail at runtime even though the workflow is intended for assistant automation.
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: read |
Allow review job to write pull-request comments
The review workflow sets pull-requests: read, but automated code review needs to publish findings back to the PR (inline comments or summary comments). With read-only PR scope, the job can analyze changes but cannot deliver review output to the pull request, which breaks the primary outcome of this workflow.
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
Guard OAuth secret usage on fork pull requests
This workflow runs on pull_request and unconditionally requires secrets.CLAUDE_CODE_OAUTH_TOKEN; for PRs opened from forks, repository secrets are not provided, so this value is empty and the action fails. That means external-contributor PRs will consistently hit a broken review run unless the job is gated to same-repo branches or migrated to a safe pull_request_target pattern.
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!