
Add Claude Code GitHub Workflow #1

Merged
justin808 merged 2 commits into main from add-claude-github-actions-1776040086551
Apr 13, 2026

Conversation

@justin808 (Member) commented Apr 13, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!


Note

Medium Risk
Adds new GitHub Actions that run third-party anthropics/claude-code-action on issue/PR comments and PR events, which can impact CI behavior and relies on a repo secret/OIDC permissions.

Overview
Adds two new GitHub Actions workflows to integrate Claude Code.

claude.yml runs anthropics/claude-code-action@v1 when a user includes @claude in issue comments, PR review comments, PR reviews, or issue title/body, granting read access (plus actions: read) and passing the CLAUDE_CODE_OAUTH_TOKEN secret.

claude-code-review.yml automatically triggers a Claude-powered PR review on PR open/update events using the code-review@claude-code-plugins plugin and a /code-review:code-review prompt.

Reviewed by Cursor Bugbot for commit 8edf0ca.

Summary by CodeRabbit

  • New Features
    • Automated code review system now integrated for pull requests, running automatically on creation, updates, reopening, and when marked ready for review.
    • Comment-triggered code assistance workflow now available for pull requests and issues, activated through specific tagging in comments with optional path and author filtering.

@coderabbitai Bot commented Apr 13, 2026

Walkthrough

Two new GitHub Actions workflows are added to integrate Claude Code Review functionality. The first workflow (claude-code-review.yml) automatically runs code reviews on pull request events, while the second (claude.yml) responds to mentions of @claude in comments, issues, and pull request reviews.

Changes

Cohort / File(s): Claude Code Review Integration (.github/workflows/claude-code-review.yml, .github/workflows/claude.yml)
Summary: Added GitHub Actions workflows to enable Claude Code Review. The first workflow triggers on PR open/sync/reopen/review-ready events. The second workflow triggers on comment creation, issue events, and PR review submission with @claude mentions. Both invoke the anthropics/claude-code-action@v1 action with OAuth token authentication.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit hops with code in sight,
Claude now reviews with all its might!
On pull requests and comments too,
With @claude mentions, work is through—
Automation flows, the future's bright! ✨

🚥 Pre-merge checks: 3 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: adding GitHub Actions workflows for Claude Code integration across two workflow files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@chatgpt-codex-connector Bot left a comment
💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8edf0ca38a


Comment on lines +22 to +24
contents: read
pull-requests: read
issues: read
P1: Grant write scopes for interactive Claude job

This job is meant to respond to @claude mentions, but the workflow token is restricted to read-only repository, PR, and issue scopes, so Claude cannot post replies/reviews or apply changes back to GitHub. The upstream setup guidance for anthropics/claude-code-action lists Contents/Issues/Pull Requests as minimum Read & Write permissions, so this configuration will cause 403 write failures in normal mention-driven runs.


Comment on lines +23 to +25
contents: read
pull-requests: read
issues: read

P1: Allow review workflow token to write PR feedback

The automated review workflow also pins contents, pull-requests, and issues to read-only, which prevents the action from publishing review comments/results to the PR. Because this workflow’s purpose is to run Claude code review against pull requests, lacking write scopes breaks the core outcome (posting feedback), and the action’s own setup/examples require read/write access for these permissions.


@cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.


Reviewed by Cursor Bugbot for commit 8edf0ca.

contents: read
pull-requests: read
issues: read
id-token: write

Insufficient write permissions prevent posting review comments

High Severity

The pull-requests permission is set to read, but the Claude Code Review action needs pull-requests: write to post review comments on pull requests. According to the official anthropics/claude-code-action documentation, the PR review workflow requires write access. This will cause the workflow to silently fail or error when attempting to submit its review.


Reviewed by Cursor Bugbot for commit 8edf0ca.

pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs

Read-only permissions prevent Claude from creating comments and commits

High Severity

The contents, pull-requests, and issues permissions are all set to read, but the interactive Claude workflow needs write access for these. The PR description states Claude's tools include "creating comments, branches, and commits," all of which require write permissions. The official example workflow uses contents: write, pull-requests: write, and issues: write.


Reviewed by Cursor Bugbot for commit 8edf0ca.

@coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)

29-35: Pin action references to immutable SHAs.

Line 29 and Line 35 use floating major tags. Prefer commit-SHA pinning to reduce supply-chain risk and make runs reproducible.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 29 - 35, The workflow uses
floating tags for actions (actions/checkout@v4 and
anthropics/claude-code-action@v1 in the "Run Claude Code" step with id claude);
update both uses to pin to specific immutable commit SHAs (replace `@v4` and `@v1`
with the corresponding full commit SHA values for each action) so the workflow
is reproducible and supply-chain safe; locate the actions by the strings
actions/checkout@v4 and anthropics/claude-code-action@v1 and substitute them
with their verified commit SHA refs (e.g., actions/checkout@<commit-sha>) after
verifying the correct commit on each action's GitHub repo.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude-code-review.yml:
- Around line 21-39: The workflow uses secrets.CLAUDE_CODE_OAUTH_TOKEN in the
Run Claude Code Review job and currently runs on pull_request events; add a
fork-guard by adding an if conditional to the job that ensures the job only runs
for non-fork PRs (or non-pull_request events). For example, add an if at the job
level such as if: github.event_name != 'pull_request' ||
github.event.pull_request.head.repo.full_name == github.repository (or compare
github.event.pull_request.head.repo.owner.login == github.repository_owner) so
the job (and the step using claude_code_oauth_token) is skipped for external
forked PRs.

In @.github/workflows/claude.yml:
- Around line 15-20: The trigger condition currently honors any '@claude'
mention; restrict it by adding author_association checks so only trusted actors
(OWNER, MEMBER, COLLABORATOR) can trigger the job: for github.event_name ==
'issue_comment' and 'pull_request_review_comment' check
github.event.comment.author_association, for 'pull_request_review' check
github.event.review.author_association, and for 'issues' check
github.event.issue.author_association; combine each association check with the
existing contains(..., '@claude') predicates so the job will only run when both
the mention and a trusted author_association are present (this prevents
untrusted users from abusing the CLAUDE_CODE_OAUTH_TOKEN secret).

📥 Commits

Reviewing files that changed from the base of the PR and between cd181e1 and 8edf0ca.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml

Comment on lines +21 to +39
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
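Review bot: `plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'` on the last line of this region points at a moving git URL with no tag or commit, so the same supply-chain concern raised for the `@v1` action ref applies to the plugin source; pin it to a reviewed revision if the input accepts a ref, and otherwise record in a comment which revision was reviewed so drift can be detected.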

⚠️ Potential issue | 🟠 Major


Add fork guard to prevent failed runs from external contributions.

This job uses secrets.CLAUDE_CODE_OAUTH_TOKEN (line 38) but runs on all pull_request events. Forked PRs cannot access repository secrets in GitHub Actions, causing the action to fail when called from external forks. Add a guard to skip the job for forked PRs.

🛠️ Proposed fix
 jobs:
   claude-review:
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     runs-on: ubuntu-latest
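Review bot: the added `if: ${{ !github.event.pull_request.head.repo.fork }}` must keep its `${{ }}` wrapping, because a bare `if: !github...` is parsed by YAML as a tag rather than an expression; also note that `head.repo.fork` is only populated on pull_request events, and `!null` evaluates to true, so if this workflow ever gains another trigger the job would run unguarded there. A form that fails closed on any other event is `if: github.event.pull_request.head.repo.full_name == github.repository`, as the AI-agent prompt in this thread also suggests.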

Comment on lines +15 to +20
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest

⚠️ Potential issue | 🟠 Major


🌐 Web query: GitHub Actions author_association event context pull_request_review issue_comment

💡 Result:

In GitHub Actions, the github.event context provides access to the webhook payload for events like pull_request_review and issue_comment. The author_association field indicates the comment author's relationship to the repository (e.g., OWNER, MEMBER, COLLABORATOR, CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR, FIRST_TIMER, NONE, MANNEQUIN).

For issue_comment events (comments on issues or PRs): access via ${{ github.event.comment.author_association }}. Example from a real workflow log: "author_association": "OWNER".

For pull_request_review events: access via ${{ github.event.review.author_association }}. The review object matches the PullRequestReview REST API schema, which includes author_association.

Use in workflows:

on:
  issue_comment:
    types: [created]
jobs:
  example:
    if: github.event.comment.author_association == 'OWNER'
    runs-on: ubuntu-latest
    steps:
      - run: echo "Owner commented"

on:
  pull_request_review:
    types: [submitted]
jobs:
  example:
    if: github.event.review.author_association == 'MEMBER'
    runs-on: ubuntu-latest
    steps:
      - run: echo "Member reviewed"

The full github.event is available for debugging: run: echo '${{ toJSON(github.event) }}'. Primary source: GitHub Docs on contexts [1,6] and webhook payloads [12,16]; confirmed in examples [29].

🌐 Web query: GitHub Actions github.event.issue.author_association issues event context

💡 Result:

In GitHub Actions, github.event is the full webhook payload for the triggering event. For workflows triggered by the issues event (e.g., on: issues: types: [opened]), github.event.issue is the issue object from the webhook payload, which includes the author_association field. author_association indicates the level of association the issue's author (user) has with the repository. Possible values are:

  • NONE: No association.
  • FIRST_TIMER: Author has not previously committed to GitHub.
  • FIRST_TIME_CONTRIBUTOR: Author has not previously committed to this repository.
  • CONTRIBUTOR: Author has previously committed to this repository.
  • MANNEQUIN: Author is a placeholder for an unclaimed user.
  • MEMBER: Author is a member of the organization that owns the repository.
  • COLLABORATOR: Author has been invited to collaborate on the repository.
  • OWNER: Author is the owner of the repository.

Example usage in a workflow: if: github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER'

Note: There may be nuances in org repos where visibility settings affect the value (e.g., CONTRIBUTOR instead of MEMBER if private). As of 2026, author_association remains available in GitHub Actions webhook payloads, though recent changes removed it from some Events API payloads (not affecting Actions). Access via expression: ${{ github.event.issue.author_association }}

🌐 Web query: GitHub Actions workflow conditions contains fromJSON function syntax

💡 Result:

The fromJSON function in GitHub Actions expressions has the syntax fromJSON(value), where value is a JSON-formatted string. It returns a JSON object or data type (such as boolean, integer, array, or object) parsed from the input string. It is commonly used in workflow conditions (if), step attributes like continue-on-error or timeout-minutes, matrix strategies, and outputs.

Examples from official documentation:

1. Converting string env vars to typed values in step conditions:

env:
  continue: true
  time: 3
steps:
  - continue-on-error: ${{ fromJSON(env.continue) }}
    timeout-minutes: ${{ fromJSON(env.time) }}

Here, env.continue ("true") becomes boolean true, and env.time ("3") becomes integer 3.

2. Parsing JSON output for matrix in job strategy:

jobs:
  job1:
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - id: set-matrix
        run: echo 'matrix={"include":[{"project":"foo","config":"Debug"},{"project":"bar","config":"Release"}]}' >> $GITHUB_OUTPUT
  job2:
    needs: job1
    strategy:
      matrix: ${{ fromJSON(needs.job1.outputs.matrix) }}

Access properties with dot notation: ${{ fromJSON(needs.step1.outputs.matrix)[0].project }} or index: ${{ fromJSON(env.myjson)['foo2'] }}. For conditions, combine with operators: if: ${{ fromJSON(env.myvar) == true }} or numerical: if: ${{ fromJSON(needs.job.outputs.length) < fromJSON(env.MAX) }}.

Note: Inputs to fromJSON must be valid JSON strings; invalid input may cause evaluation errors. Env vars and outputs are strings, so fromJSON converts them to native types for proper comparisons (e.g., numerical or boolean). Official source: GitHub Docs on expressions (updated as of 2024+), covering usage in if conditionals, strategies, and attributes.

Add an actor trust gate before honoring @claude mentions.

Lines 15-19 currently allow any user who can comment to trigger the job. Add an author_association check (e.g., OWNER/MEMBER/COLLABORATOR) per event to prevent untrusted-trigger abuse of the CLAUDE_CODE_OAUTH_TOKEN secret on line 37.

🔐 Proposed condition hardening
 jobs:
   claude:
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      (github.event_name == 'issue_comment' &&
+       contains(github.event.comment.body, '@claude') &&
+       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review_comment' &&
+       contains(github.event.comment.body, '@claude') &&
+       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review' &&
+       contains(github.event.review.body, '@claude') &&
+       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
+      (github.event_name == 'issues' &&
+       (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
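Review bot: `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), ...)` does exact matching against the list, which is what you want here, but an org member whose membership is private is reported as CONTRIBUTOR (as the author_association lookup in this thread notes), so legitimate team members can be blocked; decide explicitly whether to widen the list (CONTRIBUTOR also admits anyone with a previously merged commit) or keep the strict list and document it near the condition. The same list literal is repeated in all four branches, so any later change has to be applied to each of them.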
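As an added example (not code from this PR or from claude-code-action), a small Python checker for the three findings in the review comments: unpinned action refs, a pull_request job that reads secrets without a fork guard, and @claude mention branches with no author_association gate. The two workflow texts in it are constructed to mirror the reviewed files, not copied from them, and the line-based parsing assumes the two-space YAML layout shown in this thread.

```python
"""Checks for the hardening points raised on this PR: action refs not pinned
to a commit SHA, a pull_request job that reads secrets.* without a fork guard,
and '@claude' trigger branches that lack an author_association check.
Added example; the YAML below is constructed to mirror the reviewed files."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)", re.M)
GUARD_RE = re.compile(r"head\.repo\.(fork|full_name|owner\.login)")


def unpinned_actions(workflow: str) -> list[str]:
    """Every `uses: owner/repo@ref` whose ref is not a full 40-hex commit SHA."""
    return [f"{m.group(1)}@{m.group(2)}" for m in USES_RE.finditer(workflow)
            if not SHA_RE.match(m.group(2))]


def needs_fork_guard(workflow: str) -> bool:
    """True for a pull_request-triggered workflow that references secrets.*
    but has no condition on the head repository (fork / full_name / owner)."""
    on_pull_request = re.search(r"^\s*pull_request\s*:", workflow, re.M) is not None
    return on_pull_request and "secrets." in workflow and not GUARD_RE.search(workflow)


def _block_after(workflow: str, key_re: str) -> str:
    """The indented block following the first line that matches key_re."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        if re.match(key_re, line):
            indent = len(line) - len(line.lstrip())
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt)
            return "\n".join(body)
    return ""


def ungated_mention_events(workflow: str) -> list[str]:
    """Event names whose '@claude' branch of the job `if: |` block is not ANDed
    with an author_association check. Branches are the line-final `||` groups."""
    ungated = []
    for branch in re.split(r"\|\|\s*\n", _block_after(workflow, r"^\s*if:\s*\|")):
        if "'@claude'" in branch and "author_association" not in branch:
            event = re.search(r"event_name == '(\w+)'", branch)
            ungated.append(event.group(1) if event else "?")
    return ungated


# Constructed stand-in for the mention-driven claude.yml reviewed above.
CLAUDE_YML = """\
on:
  issue_comment:
  issues:
jobs:
  claude:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
"""

# Constructed stand-in for the pull_request-driven claude-code-review.yml.
REVIEW_YML = """\
on:
  pull_request:
jobs:
  claude-review:
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
"""

if __name__ == "__main__":
    for name, text in (("claude.yml", CLAUDE_YML), ("claude-code-review.yml", REVIEW_YML)):
        print(name, unpinned_actions(text), needs_fork_guard(text), ungated_mention_events(text))
```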

@justin808 justin808 merged commit 7be36ee into main Apr 13, 2026
12 of 17 checks passed