Add Claude Code GitHub Workflow #4

Merged: iamtanbirahmed merged 2 commits into main from add-claude-github-actions-1777142366797, Apr 25, 2026

@iamtanbirahmed (Owner) commented Apr 25, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

Release Notes

  • Chores
    • Added new GitHub Actions workflow configuration to enable automated integration points in the development pipeline.

coderabbitai Bot commented Apr 25, 2026

Warning

Rate limit exceeded

@iamtanbirahmed has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 39 minutes and 19 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 39 minutes and 19 seconds.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b158bd72-b24c-4316-a52c-03bffd46bb37

📥 Commits

Reviewing files that changed from the base of the PR and between 02e39ff and 6c82d7d.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

📝 Walkthrough

A new GitHub Actions workflow is introduced that automatically triggers the Claude Code action when @claude is mentioned in GitHub events. The workflow configures appropriate read permissions for repository contents, grants id-token: write access, and authenticates using an OAuth token from secrets.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GitHub Actions Workflow: .github/workflows/claude.yml | New workflow file that triggers the anthropics/claude-code-action@v1 action on specific GitHub events when @claude is detected. Includes permissions configuration, repository checkout, and OAuth token authentication. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding a GitHub Actions workflow for Claude Code integration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/claude.yml (2)

14-27: Add timeout-minutes and a concurrency group.

A long-running or stuck Claude session can otherwise consume Actions minutes indefinitely, and rapid @claude mentions on the same PR/issue will spawn parallel runs that race each other when updating the tracking comment. Both are cheap to add and standard hardening for LLM-driven jobs.

♻️ Suggested additions
 jobs:
   claude:
     if: |
       ...
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    concurrency:
+      group: claude-${{ github.event.issue.number || github.event.pull_request.number || github.ref }}
+      cancel-in-progress: false
     permissions:
       contents: read
       pull-requests: read
       issues: read
       id-token: write
       actions: read # Required for Claude to read CI results on PRs
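Review bot: The added timeout-minutes: 30 disagrees with the prompt text that accompanies this suggestion, which gives 15 as its example value; pick one so the suggested diff and an automated fix land on the same number. The concurrency group here also falls back to github.ref, while the group name in the prompt text has no fallback and lists pull_request.number before issue.number; state which expression is intended and whether events carrying neither number should share one group per ref.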
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 14 - 27, Add job-level
timeout-minutes and a concurrency group to the claude job to prevent runaway
runs and parallel racing updates: inside the claude job block (the "claude:"
job) add a timeout-minutes value (e.g., 15) and a concurrency key with a stable
per-PR/issue group name (e.g., "claude-${{ github.event.pull_request.number ||
github.event.issue.number }}") so only one claude run per PR/issue can execute
at a time and any stuck run is killed after the timeout.

28-35: Pin third-party actions to immutable commit SHAs.

actions/checkout@v4 and anthropics/claude-code-action@v1 use mutable major-version tags. GitHub's security hardening guidance requires pinning third-party actions to full commit SHAs to prevent supply chain attacks where tags could be moved to malicious code. This is especially important here: the workflow has id-token: write permissions, reads repo contents, and the Anthropic action executes an LLM with broad tool access.

Use the format: uses: owner/repo@<full-40-char-sha> # vX.Y.Z. Tools like Dependabot (with SHA pinning enabled) can automate updates.

🔒 Example pinning pattern
- name: Checkout repository
  uses: actions/checkout@<full-40-char-sha>  # v4.x.y
  with:
    fetch-depth: 1

- name: Run Claude Code
  id: claude
  uses: anthropics/claude-code-action@<full-40-char-sha>  # v1.x.y
  with:
    claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 28 - 35, The workflow uses mutable
version tags for third‑party actions (actions/checkout@v4 and
anthropics/claude-code-action@v1); replace those with the full 40‑character
commit SHAs for each action (keeping a trailing comment like "# v4" or "# v1" if
desired) so the steps "Checkout repository" and "Run Claude Code" use immutable
pins, and update any corresponding "with" inputs (e.g., claude_code_oauth_token)
unchanged; you can obtain the exact SHAs from the respective action
repositories/releases or via Dependabot with SHA pinning enabled.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude.yml:
- Around line 15-19: The workflow's trigger if-condition currently checks for
'@claude' in various event payloads and lacks an actor guard, causing
self-triggering loops; update the existing if: conditional (the multi-line
expression containing github.event_name checks and contains(..., '@claude')) to
also require github.actor != 'claude[bot]' (or the appropriate bot/app username
for your installation) so the workflow only runs when the actor is not the
Claude bot; keep the actor check combined with the existing conditions using &&
to ensure all original event checks remain intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 12285438-336f-4002-97b4-abee620caeba

📥 Commits

Reviewing files that changed from the base of the PR and between 2ebdc00 and 02e39ff.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

Comment thread .github/workflows/claude.yml Outdated
@iamtanbirahmed iamtanbirahmed merged commit 1851f3e into main Apr 25, 2026
1 check passed
@iamtanbirahmed iamtanbirahmed deleted the add-claude-github-actions-1777142366797 branch April 25, 2026 19:11
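
A small linter for the two nitpicks raised in the review above (pinning actions to full commit SHAs, and setting timeout-minutes and concurrency), added here as an example; it is not code from this PR, from CodeRabbit or from the claude-code-action project. The sample workflow text, the example/pinned-action name and its SHA are constructed placeholders, and the timeout/concurrency check is a coarse text match rather than a YAML parse.

```python
import re

# Constructed sample modelled on the steps quoted in the review; not the repository's real file.
SAMPLE_WORKFLOW = """\
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Run Claude Code
        uses: anthropics/claude-code-action@v1
      - name: Pinned step (placeholder name and SHA)
        uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1.0.0
      - name: Local action
        uses: ./.github/actions/local
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def lint_workflow(text):
    """Return (line_number, message) findings for the review's hardening points."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        # Local actions and container images have no git ref to pin.
        if target.startswith(("./", "docker://")):
            continue
        _, sep, ref = target.partition("@")
        if not sep or not FULL_SHA_RE.match(ref):
            findings.append((lineno, f"unpinned action: {target}"))
    # Coarse text checks: the key must appear somewhere in the workflow (line 0 = whole file).
    for key in ("timeout-minutes", "concurrency"):
        if not re.search(rf"^\s*{key}\s*:", text, re.MULTILINE):
            findings.append((0, f"missing {key}"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {message}")
```

Run against a checkout, it can gate CI by failing when lint_workflow returns any finding for a file under .github/workflows/.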