Integrate Claude Code into development workflows

.github/workflows/claude.yml

@@ -0,0 +1,60 @@
+# Claude Code Assistant Workflow
+#
+# Responds to @claude mentions in issues, pull requests, and review comments.
+#
+# Documentation:
+# - Setup and configuration: <https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md>
+# - Automation patterns: <https://github.com/anthropics/claude-code-action/blob/main/docs/solutions.md>
+# - Custom automations: <https://github.com/anthropics/claude-code-action/blob/main/docs/custom-automations.md>
+# - FAQ and troubleshooting: <https://github.com/anthropics/claude-code-action/blob/main/docs/faq.md>
+#
+# Examples of Claude in action:
+# - <https://github.com/anthropics/claude-code-action/blob/main/.github/workflows/claude.yml>
+# - <https://github.com/anthropics/claude-code-action/pulls>
+
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # Needed for Claude to commit code changes and documentation updates
+      pull-requests: write # Needed for Claude to create and update pull requests
+      issues: write # Needed for Claude to create and update issues
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Enable web research tools for documentation and best practices
+          # Go tooling allows Claude to run tests, build, format, and analyze Go code
+          # See https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+          claude_args: |
+            --allowedTools "Bash(go:*)"
+            --allowedTools "WebSearch,WebFetch"

.github/workflows/dependabot-automerge.yml

@@ -1,19 +1,35 @@
 # Dependabot Auto-merge Workflow
 #
-# Patch updates auto-merge after CI passes. Minor and major updates
-# require human review until LLM-assisted review is available (#5).
+# Patch and minor updates enable auto-merge; major updates require human merge:
+# - Patch: auto-approved (low-risk)
+# - Minor: Claude reviews, approves if acceptable
+# - Major: Claude advises, human must approve and merge
 #
-# Squash commits default to using the PR description as body, but
-# Dependabot PRs include lengthy changelogs and compatibility notes.
-# The merge step overrides the body to keep commit messages clean.
+#   ┌────────────────────────────────────────────────────────────────────┐
+#   │                         Review & Merge                             │
+#   ├────────────────────────────────────────────────────────────────────┤
+#   │ 1. Fetch metadata                                                  │
+#   │ 2. Auto-approve patch ──────────────────────> 5. Auto-merge patch  │
+#   │ 3. Claude review minor ─────────────────────> 6. Auto-merge minor  │
+#   │ 4. Claude review major ─────────────────────> (human merge)        │
+#   └────────────────────────────────────────────────────────────────────┘
+#
+# Squash commits default to using the PR description as body, but Dependabot
+# PRs include lengthy changelogs and compatibility notes. Each step overrides
+# the body to keep commit messages clean.
 
-name: "🤖 Dependabot"
+name: "🤖 ClauDependabot"
 
 on:
+  # Using pull_request (not pull_request_target) because the OIDC approach for
+  # GitHub app impersonation does not appear to work with Dependabot PRs.
+  # See: https://github.com/anthropics/claude-code-action/issues/713
+  #
+  # This means Claude jobs will fail if Dependabot updates this file itself,
+  # but we've minimized actions here to reduce that risk.
   pull_request:
-    branches: [main]
-    # Path filter avoids creating workflow runs for unrelated PRs while
-    # still catching all Dependabot updates (Go modules and Actions).
+    # Path filter avoids creating workflow runs for unrelated PRs while still
+    # catching all Dependabot updates (Go modules and GitHub Actions).
     paths:
       - "go.mod"
       - "go.sum"
@@ -22,9 +38,10 @@ on:
 permissions:
   contents: write # Required by: gh pr merge --auto
   pull-requests: write # Required by: gh pr review --approve
+  id-token: write # Required for Claude to generate GitHub app tokens
 
 jobs:
-  automerge:
+  mergeview:
     name: Review & Merge
     runs-on: ubuntu-latest
     if: github.actor == 'dependabot[bot]'
@@ -43,16 +60,75 @@ jobs:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      # TODO(#5): Review minor updates with Claude before auto-merging.
-      # Once the Claude Code workflow lands, add a step here that uses
-      # claude-code-action to review the diff and approve if acceptable,
-      # followed by an auto-merge step gated on the same condition.
+      - name: Checkout for review
+        uses: actions/checkout@v6
+
+      - name: Review minor
+        if: steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          allowed_bots: dependabot
+          prompt: |
+            This is a Dependabot PR for a minor version update.
+
+            Package ecosystem: ${{ steps.metadata.outputs.package-ecosystem }}
+            Dependency: ${{ steps.metadata.outputs.dependency-names }}
+            Update: ${{ steps.metadata.outputs.previous-version }} → ${{ steps.metadata.outputs.new-version }}
+            PR: ${{ github.event.pull_request.html_url }}
+
+            Use `gh pr diff` and `gh pr view` to review the changes.
+
+            Minor updates should be backwards-compatible. However, for v0.x
+            dependencies, minor bumps may contain breaking changes per semver.
+            Review those with extra caution.
+
+            If the changes look reasonable, approve the PR with a message that
+            includes your model identifier (e.g. "Reviewed by claude-sonnet-4-20250514").
+
+            Use: gh pr review --approve --body "your message"
+          claude_args: |
+            --allowedTools "Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr review:*)"
+            --allowedTools "Bash(gh issue:*),Bash(gh search:*),Bash(gh run:*),Bash(gh workflow:*),Bash(gh release:*)"
+            --allowedTools "Bash(go:*),WebFetch,WebSearch"
+            --max-turns 25
+
+      - name: Review major
+        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          allowed_bots: dependabot
+          prompt: |
+            This is a Dependabot PR for a MAJOR version update.
+
+            Package ecosystem: ${{ steps.metadata.outputs.package-ecosystem }}
+            Dependency: ${{ steps.metadata.outputs.dependency-names }}
+            Update: ${{ steps.metadata.outputs.previous-version }} → ${{ steps.metadata.outputs.new-version }}
+            PR: ${{ github.event.pull_request.html_url }}
+
+            Use `gh pr diff` and `gh pr view` to review the changes.
 
-      # TODO(#5): Analyze major updates with Claude, require human merge.
-      # Major updates may contain breaking changes. The planned step uses
-      # claude-code-action to post a review comment with migration notes
-      # and risk analysis, but does not approve or merge. A human reads
-      # the analysis and decides whether to proceed.
+            Major updates may have breaking changes. Please:
+
+            1. Fetch the dependency's release page and CHANGELOG to understand what changed
+            2. Check the README for migration guides
+            3. Review the codebase for usages of this dependency
+            4. If changes are needed, comment on the PR with suggested fixes
+
+            For github_actions ecosystem specifically:
+            - Review the workflow files in .github/workflows/ that use this action
+            - Check for deprecated inputs, outputs, or runner requirements
+
+            Do NOT approve, merge, or push commits to this PR.
+            Use `gh pr review --comment` to post your analysis and any suggested code changes.
+            IMPORTANT: Place all parameters AFTER --comment (e.g., `gh pr review --comment --body "..." <PR_URL>`).
+          claude_args: |
+            --allowedTools "Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr review --comment:*),Bash(gh pr review -c:*)"
+            --allowedTools "Bash(gh issue:*),Bash(gh search:*),Bash(gh run:*),Bash(gh workflow:*),Bash(gh release:*)"
+            --allowedTools "Bash(go:*),WebFetch,WebSearch"
+            --disallowedTools "Bash(gh pr review --approve:*),Bash(gh pr review -a:*)"
+            --max-turns 50
 
       - name: Auto-merge patch
         if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
@@ -65,3 +141,14 @@ jobs:
             changes carry minimal risk of breaking existing functionality.
 
             Compatibility score: ${{ steps.metadata.outputs.compatibility-score }}%
+
+      - name: Auto-merge minor
+        if: steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        run: gh pr merge --auto --squash "$PR_URL" --body "$BODY"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BODY: |
+            This minor update was reviewed by Claude before merging.
+
+            Compatibility score: ${{ steps.metadata.outputs.compatibility-score }}%