Add Claude Code GitHub Workflow #8

Merged
tobiase merged 2 commits into main from add-claude-github-actions-1752172929006
Jul 10, 2025

@tobiase tobiase commented Jul 10, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

claude bot commented Jul 10, 2025

Claude finished @tobiase's task —— View job


PR Review: Claude Code GitHub Workflow

I've reviewed the GitHub Actions workflows for Claude Code integration. Here's my comprehensive analysis:

Review Tasks:

  • Read repository guidelines (CLAUDE.md)
  • Analyze claude-code-review.yml workflow
  • Analyze claude.yml workflow
  • Check security considerations
  • Evaluate workflow structure and best practices
  • Provide comprehensive feedback

✅ Overall Assessment

This PR adds well-structured GitHub Actions workflows for Claude Code integration. The implementation follows GitHub Actions best practices and includes appropriate security controls.

🔧 Technical Analysis

.github/workflows/claude-code-review.yml

  • Purpose: Automated code review on PR events
  • Trigger: pull_request events (opened, synchronize)
  • Permissions: Properly scoped with minimal required permissions
  • Review prompt: Comprehensive coverage of code quality, security, performance, and testing

.github/workflows/claude.yml

  • Purpose: Interactive Claude responses to @claude mentions
  • Trigger: Multiple comment types and issue events
  • Conditional logic: Properly filters for @claude mentions
  • Permissions: Includes necessary actions: read for CI integration

🔒 Security Review

✅ Strong Security Posture:

  • OAuth token properly stored in GitHub secrets
  • Permissions follow principle of least privilege
  • No hardcoded secrets or credentials
  • Uses official Anthropic action (anthropics/claude-code-action@beta)

🔍 Permission Analysis:

  • contents: read - Minimal read access to repository
  • pull-requests: read - Required for PR context
  • issues: read - Required for issue context
  • id-token: write - Required for OIDC authentication
  • actions: read - Allows CI status integration (claude.yml only)

🚀 Performance & Efficiency

✅ Well-Optimized:

  • fetch-depth: 1 minimizes checkout time
  • Conditional execution prevents unnecessary runs
  • Beta action version for latest features
  • Appropriate triggers prevent spam executions

📋 Best Practices Compliance

✅ Follows GitHub Actions Standards:

  • Clear workflow names and job descriptions
  • Proper YAML structure and indentation
  • Comprehensive inline documentation
  • Commented examples for customization

💡 Recommendations

1. Pin Action Version (Minor)

# Consider pinning to a specific version for reproducibility
uses: anthropics/claude-code-action@v1.0.0  # instead of @beta

2. Add allowed_tools for Go Project (Enhancement)

Based on CLAUDE.md, consider adding Go-specific tools:

allowed_tools: "Bash(make build),Bash(make test),Bash(make lint),Bash(make test-ci)"

3. Consider Sticky Comments (Enhancement)

For the review workflow, enable sticky comments to avoid comment spam:

use_sticky_comment: true

4. Add Custom Instructions (Enhancement)

The repository has specific conventions in CLAUDE.md that could be referenced:

custom_instructions: |
  Follow the repository's CLAUDE.md guidelines
  Use conventional commit format
  Run make test-ci before committing

🎯 Go-Specific Considerations

The workflows are language-agnostic, which is appropriate. However, considering this is a Go project with specific build/test commands in the Makefile, the allowed_tools enhancement would be valuable for Claude to help with:

  • Building: make build
  • Testing: make test and make test-ci
  • Linting: make lint

🔄 Integration with Existing CI

These workflows complement the existing CI/CD setup without conflicts. They run independently and won't interfere with the current GoReleaser workflow or other automation.

✅ Conclusion

This is a solid implementation that adds valuable AI-powered code review and assistance capabilities. The workflows are secure, well-structured, and follow best practices. The optional enhancements suggested above would further optimize the integration for this specific Go project.

Recommendation: Approve with optional enhancements


@tobiase tobiase merged commit 384dcd9 into main Jul 10, 2025
7 checks passed

tobiase commented Jul 10, 2025

@claude Create a PR with the suggestions you made in #8 (comment)

@tobiase tobiase deleted the add-claude-github-actions-1752172929006 branch July 10, 2025 18:48

claude bot commented Jul 10, 2025

Claude finished @tobiase's task —— View job claude/pr-8-20250710_184856


Implementation Status ⚠️

I've successfully implemented all the Claude Code workflow enhancements locally, but encountered a permission limitation when trying to push the changes.

Todo List

  • Read repository guidelines (CLAUDE.md)
  • Read current workflow files
  • Implement suggested enhancements:
    • Pin action version to stable release
    • Add Go-specific allowed_tools
    • Enable sticky comments for review workflow
    • Add custom instructions referencing CLAUDE.md
  • Commit changes locally
  • ❌ Push changes (blocked by GitHub App permissions)
  • Provide enhanced files for manual application

GitHub App Limitation 🚫

! [remote rejected] (refusing to allow a GitHub App to create or update workflow `.github/workflows/claude-code-review.yml` without `workflows` permission)

GitHub Apps cannot modify workflow files without the workflows permission for security reasons.

Enhanced Files 📄

Here are the complete enhanced workflow files with all improvements:

.github/workflows/claude-code-review.yml

name: Claude Code Review

on:
  pull_request:
    types: [opened, synchronize]
    # Optional: Only run on specific file changes
    # paths:
    #   - "src/**/*.ts"
    #   - "src/**/*.tsx"
    #   - "src/**/*.js"
    #   - "src/**/*.jsx"

jobs:
  claude-review:
    # Optional: Filter by PR author
    # if: |
    #   github.event.pull_request.user.login == 'external-contributor' ||
    #   github.event.pull_request.user.login == 'new-developer' ||
    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
    
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
          # model: "claude-opus-4-20250514"
          
          # Direct prompt for automated review (no @claude mention needed)
          direct_prompt: |
            Please review this pull request and provide feedback on:
            - Code quality and best practices
            - Potential bugs or issues
            - Performance considerations
            - Security concerns
            - Test coverage
            
            Be constructive and helpful in your feedback.
            
            Follow the repository's CLAUDE.md guidelines for Go development conventions.

          # Use sticky comments to make Claude reuse the same comment on subsequent pushes to the same PR
          use_sticky_comment: true
          
          # Optional: Customize review based on file types
          # direct_prompt: |
          #   Review this PR focusing on:
          #   - For TypeScript files: Type safety and proper interface usage
          #   - For API endpoints: Security, input validation, and error handling
          #   - For React components: Performance, accessibility, and best practices
          #   - For tests: Coverage, edge cases, and test quality
          
          # Optional: Different prompts for different authors
          # direct_prompt: |
          #   ${{ github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' && 
          #   'Welcome! Please review this PR from a first-time contributor. Be encouraging and provide detailed explanations for any suggestions.' ||
          #   'Please provide a thorough code review focusing on our coding standards and best practices.' }}
          
          # Add specific tools for Go project build and testing
          allowed_tools: "Bash(make build),Bash(make test),Bash(make test-ci),Bash(make lint)"
          
          # Optional: Skip review for certain conditions
          # if: |
          #   !contains(github.event.pull_request.title, '[skip-review]') &&
          #   !contains(github.event.pull_request.title, '[WIP]')

.github/workflows/claude.yml

name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
  pull_request_review:
    types: [submitted]

jobs:
  claude:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read # Required for Claude to read CI results on PRs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

          # This is an optional setting that allows Claude to read CI results on PRs
          additional_permissions: |
            actions: read
          
          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
          # model: "claude-opus-4-20250514"
          
          # Optional: Customize the trigger phrase (default: @claude)
          # trigger_phrase: "/claude"
          
          # Optional: Trigger when specific user is assigned to an issue
          # assignee_trigger: "claude-bot"
          
          # Allow Claude to run Go project specific commands
          allowed_tools: "Bash(make build),Bash(make test),Bash(make test-ci),Bash(make lint)"
          
          # Add custom instructions for Go project following CLAUDE.md guidelines
          custom_instructions: |
            Follow the repository's CLAUDE.md guidelines
            Use conventional commit format
            Run make test-ci before committing
            Focus on Go best practices and worktree management patterns
          
          # Optional: Custom environment variables for Claude
          # claude_env: |
          #   NODE_ENV: test

Key Enhancements Made ✅

  1. Action Version Pinning: Changed from @beta to @v1 for stability
  2. Go-Specific Tools: Added make build, make test, make test-ci, make lint
  3. Sticky Comments: Enabled for review workflow to prevent comment spam
  4. Custom Instructions: Added CLAUDE.md guidelines and Go best practices

Next Steps 🔧

To apply these enhancements:

  1. Copy the enhanced workflow files above
  2. Replace the current workflow files in your repository
  3. Commit and push the changes through a regular Git workflow

The enhanced workflows will provide much better Claude Code integration tailored specifically for your Go worktree management project!
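
An added example, not part of this PR thread or of the action's own code: a Python check that scans workflow text such as the files above and reports `uses:` references that are not pinned to a full commit SHA (tags like `@beta` or `@v1` can be moved), scopes granted `write` under `permissions:`, and the Bash commands granted through `allowed_tools`. The sample workflow is constructed and abridged from the claude.yml lines shown above; `audit_workflow` and its report keys are hypothetical names.

```python
import re

# Constructed sample, abridged from the claude.yml shown in this thread.
SAMPLE_WORKFLOW = '''\
jobs:
  claude:
    permissions:
      contents: read
      id-token: write
      actions: read # Required for Claude to read CI results on PRs
    steps:
      - uses: actions/checkout@v4
      - name: Run Claude Code
        uses: anthropics/claude-code-action@v1
        with:
          allowed_tools: "Bash(make build),Bash(make test),Bash(make test-ci),Bash(make lint)"
'''

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
KEY_RE = re.compile(r"^(\s*)([\w-]+):\s*([A-Za-z-]*)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Report mutable action refs, write-level token scopes and Bash tool grants."""
    report = {"unpinned": [], "write_scopes": [], "bash_tools": []}
    perm_indent = None  # indent of the enclosing `permissions:` key, if inside one
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented-out line
        uses = USES_RE.match(line)
        if uses and not uses.group(1).startswith(("./", "docker://")):
            ref = uses.group(1).rpartition("@")[2]
            if not FULL_SHA_RE.fullmatch(ref):  # tag or branch: can be re-pointed
                report["unpinned"].append(uses.group(1))
        key = KEY_RE.match(line)
        if key:
            indent, name, value = len(key.group(1)), key.group(2), key.group(3)
            if perm_indent is not None and indent <= perm_indent:
                perm_indent = None  # left the permissions block
            if name == "permissions":
                perm_indent = indent
            elif perm_indent is not None and value == "write":
                report["write_scopes"].append(name)
            elif name == "allowed_tools":
                report["bash_tools"] += re.findall(r"Bash\(([^)]*)\)", line)
    return report

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
```

The scanner is line-based and assumes block-style YAML as used in the files above; it does not handle a scalar `permissions: write-all` or flow-style mappings.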

