ci: add Claude Code on-demand workflow for PRs#988
Adds a GitHub Actions workflow that allows repo collaborators to invoke Claude Code on pull requests and issues by commenting `@claude`. Claude can read code and post review comments but cannot modify files or push changes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User
    participant GitHub as "GitHub Events"
    participant Actions as "GitHub Actions"
    participant Repo as "Repository"
    participant Claude as "Claude Code Action"
    User->>GitHub: Post issue comment / PR review (mentions `@claude`)
    GitHub->>Actions: Trigger workflow (.github/workflows/claude.yml)
    Actions->>Repo: Resolve PR head SHA (if needed) & checkout (fetch-depth:0)
    Actions->>Claude: Run Claude Code with CLAUDE_CODE_OAUTH_TOKEN + claude_args
    Claude->>Actions: Return review results
    Actions->>GitHub: Post review comment / update PR
```
Remove the pull_request and issues triggers that caused the workflow to fire automatically when a PR body or issue title contained '@claude'. The workflow now only triggers on explicit comment mentions. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude please review this PR
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/claude.yml:

- Around line 25-28: For issue_comment-triggered runs the workflow must explicitly checkout the PR head commit SHA instead of relying on GITHUB_REF/GITHUB_SHA; add a prior step that queries the GitHub API (using GITHUB_TOKEN, e.g., via actions/github-script or curl) to fetch the pull request object and extract .head.sha, then pass that SHA into the actions/checkout@v4 step via the ref input (replace the current checkout that depends on GITHUB_REF/GITHUB_SHA) so the checkout uses ref: <PR_HEAD_SHA> (keep fetch-depth: 0) to avoid default-branch checkouts and TOCTOU risks.

- Around line 13-16: The current workflow `if` allows any commenter containing "@claude" to trigger the job; restrict it by adding an `author_association` guard to the condition so only trusted roles can invoke it (e.g., OWNER, MEMBER, COLLABORATOR, or OWNER/MEMBER/CONTRIBUTOR as your policy). Update the three sub-conditions that use contains(github.event.comment.body, '@claude') and contains(github.event.review.body, '@claude') to also check the corresponding author association field (github.event.comment.author_association or github.event.review.author_association) against an allowlist of trusted associations so external commenters cannot trigger the job.
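One way to apply both findings in the review above, as an added example that is not the PR's workflow file: the `if` guard keyed on `author_association`, shown beside the weak form it replaces, and the explicit PR head SHA checkout. It restricts `issue_comment` runs to comments on pull requests (a plain issue has no head commit to check out); the `permissions` block and the `claude_code_oauth_token` input name are assumptions, not taken from the PR.

```yaml
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_review:
    types: [submitted]
permissions:            # assumed least-privilege set: read code, post comments, never push
  contents: read
  pull-requests: write
  issues: write
jobs:
  claude:
    # Weak guard (any commenter who writes "@claude" starts the job):
    #   if: contains(github.event.comment.body, '@claude')
    # Hardened guard: each sub-condition also checks author_association against an allowlist.
    if: >-
      (github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
       contains(github.event.comment.body, '@claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review_comment' &&
       contains(github.event.comment.body, '@claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review' &&
       contains(github.event.review.body, '@claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association))
    runs-on: ubuntu-latest
    steps:
      # issue_comment runs are associated with the default branch, so resolve the PR
      # head SHA through the API and check out that exact commit rather than GITHUB_REF.
      - name: Resolve PR head SHA
        id: pr
        uses: actions/github-script@v7
        with:
          script: |
            const number = context.payload.issue?.number ?? context.payload.pull_request.number;
            const { data } = await github.rest.pulls.get({
              owner: context.repo.owner, repo: context.repo.repo, pull_number: number });
            core.setOutput('sha', data.head.sha);
      - uses: actions/checkout@v4
        with:
          ref: ${{ steps.pr.outputs.sha }}   # pinned commit, not a mutable branch ref
          fetch-depth: 0
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
```

Pinning `ref` to the SHA resolved at job start means a push to the PR branch between the comment and the checkout cannot change what the job runs on.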
- Restrict --allowedTools to read-only git subcommands and remove broad gh api:*
- Add author_association check to limit triggers to OWNER/MEMBER/COLLABORATOR
- Fix issue_comment checkout to use PR head SHA instead of default branch

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Ports the Claude Code GitHub Actions workflow from native-token-transfers#818 to this repo.
- `.github/workflows/claude.yml` — triggers on `@claude` mentions in PR/issue comments, review comments, PR bodies, and issue bodies
- `anthropics/claude-code-action@v1` with `claude-opus-4-6`
- `CLAUDE_CODE_OAUTH_TOKEN` secret to be configured in repo settings

Test plan

- `CLAUDE_CODE_OAUTH_TOKEN` secret to repo settings
- `@claude` on a PR to verify the workflow triggers and Claude posts a review

🤖 Generated with Claude Code
@claude please review this PR