Add Claude Code GitHub Workflow #1554

Merged
DTTerastar merged 1 commit into main from add-claude-github-actions-1777938356059 on May 4, 2026

Conversation


@DTTerastar DTTerastar commented May 4, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • Chores
    • Added GitHub Actions workflow to enable Claude integration with comments, issues, and pull request events.

@DTTerastar DTTerastar temporarily deployed to CI - release environment May 4, 2026 23:46 — with GitHub Actions Inactive
@DTTerastar DTTerastar enabled auto-merge (squash) May 4, 2026 23:46

coderabbitai Bot commented May 4, 2026

📝 Walkthrough

Walkthrough

This PR introduces a GitHub Actions workflow that automatically triggers when developers mention @claude in issues, pull requests, or code reviews. The workflow checks out the repository and invokes the Claude Code action with OAuth credentials to enable Claude-assisted code contributions.

Changes

Claude Code Integration Workflow

Layer / File(s) / Summary

Event Triggers & Conditions (.github/workflows/claude.yml, lines 1–13): Workflow triggers on issue comments, PR review comments, newly opened/assigned issues, and submitted PR reviews, with a guard condition checking for an @claude mention in event bodies/titles.

Job Configuration & Permissions (.github/workflows/claude.yml, lines 13–27): Single job (claude) runs on ubuntu-latest with read permissions for repository contents, pull requests, and issues; id-token: write for OIDC; and actions: read for CI result access.

Workflow Steps (.github/workflows/claude.yml, lines 28–50): Checks out the repository with a shallow fetch, then invokes anthropics/claude-code-action@v1 with the OAuth token credential and an additional permissions block for action readability.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Add Claude Code GitHub Workflow' directly and accurately describes the main change—adding a new GitHub Actions workflow for Claude Code integration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@DTTerastar DTTerastar merged commit 42abcf1 into main May 4, 2026
7 of 8 checks passed
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 0ecfb691-d4ea-4d17-9eb8-6fd397d270c6

📥 Commits

Reviewing files that changed from the base of the PR and between ee03085 and 107769c.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

Comment on lines +8 to +9
issues:
types: [opened, assigned]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# First, let's find and examine the workflow file
git ls-files | grep -E 'claude\.yml'

Repository: ESPresense/ESPresense-companion

Length of output: 104


🏁 Script executed:

# Read the workflow file to see lines 8-9 and 19
cat -n .github/workflows/claude.yml

Repository: ESPresense/ESPresense-companion

Length of output: 2311


Drop issues.assigned to prevent unintended re-executions.

The condition on line 19 checks if the @claude mention exists in the issue body or title. When an issue is assigned, the issues.assigned event fires and re-evaluates this condition. If the original issue creation contained the mention, the workflow triggers again even though no new mention was made. Removing assigned ensures the workflow only runs on initial issue creation (when the mention would be new) and on explicit mentions in comments.

Suggested change
   issues:
-    types: [opened, assigned]
+    types: [opened]
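Review bot: removing `assigned` stops the re-run, but the `opened` path is still reachable by anyone who can file an issue in the repository, because the condition on line 19 only tests the issue body and title for `@claude`; treat this hunk as incomplete without the `github.event.issue.author_association` allowlist proposed for lines 15-20, since the PR description's claim that only users with write access can trigger the workflow does not hold for the condition as written. One side effect worth recording in the comment: with `types: [opened]` alone, an existing issue that is later edited to add `@claude` will not start the job (there is no `edited` type in the list), so the only remaining path for an existing issue is a comment.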
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude.yml around lines 8 - 9, The workflow currently
listens to the issues event with types [opened, assigned] which causes re-runs
when an issue is assigned; update the event config to remove the assigned type
so it only triggers on new issues (keep the issues.types array containing only
opened) and ensure any logic that checks for the `@claude` mention (the condition
referenced in the workflow) remains unchanged so the workflow only executes on
initial issue creation or explicit comment triggers.

Comment on lines +15 to +20
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the workflow file exists and read it
if [ -f ".github/workflows/claude.yml" ]; then
  echo "=== File found, reading content ==="
  cat -n ".github/workflows/claude.yml"
else
  echo "File not found"
fi

Repository: ESPresense/ESPresense-companion

Length of output: 2347


🏁 Script executed:

# Search for any reference to CLAUDE_CODE_OAUTH_TOKEN in the workflow
rg "CLAUDE_CODE_OAUTH_TOKEN" ".github/workflows/"

Repository: ESPresense/ESPresense-companion

Length of output: 178


🌐 Web query:

GitHub Actions author_association field availability issue_comment pull_request_review_comment pull_request_review issues event context

💡 Result:

The author_association field is available in the github.event context for GitHub Actions workflows triggered by the specified events, but its location varies by event type. It indicates the author's association with the repository (e.g., OWNER, MEMBER, CONTRIBUTOR, NONE) [1][2][3]. For issues event (issue opened/edited/closed, etc.): - Available as github.event.issue.author_association [4]. For issue_comment event: - Available as github.event.comment.author_association. The comment object in the webhook payload includes author_association, matching the REST API structure for issue comments [2][5][6]. For pull_request_review_comment event: - Available as github.event.comment.author_association. The payload structure mirrors issue_comment, with comment object containing author_association [7][8]. For pull_request_review event: - Available as github.event.review.author_association. Examples use github.event.review.author_association to check permissions [7][9]. No availability issues identified in recent sources (up to 2026); it is standard in these webhook payloads used by GitHub Actions [10][11][12]. Older discussions (e.g., 2020 StackOverflow [13]) noted GraphQL needs, but REST/webhook payloads include it directly. Potential bugs like incorrect values (e.g., CONTRIBUTOR instead of MEMBER) exist but do not affect field availability [4].

Add author-association gating before running Claude.

The current if condition only checks for @claude mentions and does not verify the author's association with the repository. This allows untrusted users (with NONE or CONTRIBUTOR association) to trigger the workflow, at which point line 37 injects CLAUDE_CODE_OAUTH_TOKEN into the job context and passes it to a third-party action.

Suggested hardening
 if: |
-  (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-  (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-  (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-  (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+  (
+    github.event_name == 'issue_comment' &&
+    contains(github.event.comment.body, '@claude') &&
+    contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+  ) ||
+  (
+    github.event_name == 'pull_request_review_comment' &&
+    contains(github.event.comment.body, '@claude') &&
+    contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+  ) ||
+  (
+    github.event_name == 'pull_request_review' &&
+    contains(github.event.review.body, '@claude') &&
+    contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
+  ) ||
+  (
+    github.event_name == 'issues' &&
+    (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+    contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
+  )
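Review bot: for the `pull_request_review` branch the hunk reads `github.event.review.author_association`, which agrees with the web query result above (the field sits on the review object), while the AI-agent prompt attached to this same comment says `github.event.review.user.author_association`; keep the hunk's path, since the query result places the field on `review`, not on `user`, and a path that resolves to nothing will never match the allowlist and would silently disable the review trigger. Two notes on behaviour: the PR description's statement that only users with write access can trigger the workflow only becomes true once this hunk is applied, and because the gate is a job-level `if`, a mention from a `NONE` or `CONTRIBUTOR` author produces a skipped job rather than a failure, which is what keeps `CLAUDE_CODE_OAUTH_TOKEN` out of the step on line 37 for those authors.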
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude.yml around lines 15 - 20, The workflow currently
triggers on any `@claude` mention without verifying the actor's repository
association—update the if condition to require an allowed author_association
(e.g., OWNER, MEMBER, or COLLABORATOR) for the relevant event payloads in
addition to the contains(..., '@claude') checks; specifically add checks using
github.event.comment.author_association for issue_comment and
pull_request_review_comment, github.event.review.user.author_association for
pull_request_review (while still checking github.event.review.body), and
github.event.issue.author_association for issues (and issues.title), and combine
each association check with the existing contains(...) terms so
CLAUDE_CODE_OAUTH_TOKEN is only passed when the mention comes from a trusted
association.


- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and view the content around line 35
if [ -f ".github/workflows/claude.yml" ]; then
  echo "=== File exists. Checking line 35 and context ==="
  cat -n ".github/workflows/claude.yml" | sed -n '30,40p'
else
  echo "=== File does not exist. Searching for similar workflow files ==="
  find .github -name "*.yml" -o -name "*.yaml" 2>/dev/null | head -10
fi

Repository: ESPresense/ESPresense-companion

Length of output: 548


🏁 Script executed:

# Search for all GitHub Actions usage in workflow files to check consistency
echo "=== Searching for all 'uses:' statements in workflow files ==="
rg "uses:" .github/workflows/ -n -A 0 2>/dev/null || echo "No matches found"

Repository: ESPresense/ESPresense-companion

Length of output: 1745


🌐 Web query:

GitHub Actions best practices pinning actions to commit SHA vs version tags security

💡 Result:

The best practice for GitHub Actions security is to pin actions to a full-length commit SHA rather than version tags. This makes the action immutable, preventing supply chain attacks where tags are moved or rewritten to point to malicious code, as tags can be updated or deleted if the repository is compromised [1][2]. Pinning to SHA mitigates risks because altering a specific commit requires a SHA-1 collision, which is computationally infeasible [1][3][4]. Version tags (e.g., @v4) are more convenient but less secure, as they are mutable and Dependabot alerts do not cover SHA-pinned actions [1][5]. Use tags only for trusted creators with a 'Verified creator' badge, but prefer SHA for high-risk third-party actions [1][3]. GitHub provides organization and repository policies to enforce SHA pinning, blocking workflows that use unpinned actions [1][6][7]. Example: uses: actions/checkout@692973e # v4.0.0 [3][8]. To implement: Verify SHA from the official repo (not forks), add version comments for maintenance, and use tools like Dependabot or scripts for updates [1][6][8][9]. This aligns with GitHub's security hardening guide and recent policy updates as of 2025 [1][7].


Pin anthropics/claude-code-action to a commit SHA instead of @v1 for supply chain security.

Version tags like @v1 are mutable and can be rewritten or moved without PR visibility, exposing the workflow to upstream changes. Pinning to a specific commit SHA makes the action immutable and prevents tag-based attacks. GitHub's security hardening guide recommends this approach for all actions.

Suggested change
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@<pinned_commit_sha> # v1
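Review bot: `<pinned_commit_sha>` is a placeholder, not a value to commit; take the full 40-character SHA of the commit that the `v1` tag points to from the anthropics/claude-code-action repository itself (the web query result above warns against reading it from forks) and keep the `# v1` comment so the intended release stays readable next to the hash. The same treatment belongs on the `actions/checkout` step earlier in this job (the walkthrough lists it as the first step) if it also uses a tag, otherwise the workflow still carries one mutable reference; the `rg "uses:"` search in the analysis chain was meant to check that, but its output is not shown here.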
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude.yml at line 35, Replace the mutable tag
"anthropics/claude-code-action@v1" with a specific commit SHA to pin the action
immutably; locate the workflow usage line that reads uses:
anthropics/claude-code-action@v1 and update it to uses:
anthropics/claude-code-action@<COMMIT_SHA> (obtain the desired commit SHA from
the action repository's commits/releases before updating) so the workflow
references an exact immutable revision.

@DTTerastar DTTerastar deleted the add-claude-github-actions-1777938356059 branch May 4, 2026 23:49
Copilot AI pushed a commit that referenced this pull request May 5, 2026
Co-authored-by: DTTerastar <1491145+DTTerastar@users.noreply.github.com>