Conversation

@donbr
Owner

@donbr donbr commented Nov 5, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:

        allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@donbr donbr merged commit 6a87c5b into main Nov 5, 2025
1 check passed
@claude

claude bot commented Nov 5, 2025

Pull Request Review: Add Claude Code GitHub Workflow

Summary

This PR adds two GitHub Actions workflows to enable Claude Code integration. Overall, the implementation is solid and follows best practices. I've identified several recommendations to enhance security, functionality, and maintainability.
Strengths

  1. Well-structured workflows: Clear separation between automated code review and interactive Claude assistance
  2. Security-conscious: Uses OAuth token stored as a GitHub secret, appropriate permissions scoping
  3. Good documentation: The PR description clearly explains what Claude Code does and how to use it
  4. Helpful comments: Inline comments explain optional configurations
  5. Appropriate triggers: Code review workflow triggers on PR open/sync; main workflow triggers on @claude mentions

Security Considerations

Good Practices

  • OAuth token properly stored as GitHub secret
  • Minimal permissions granted (read access only, plus id-token: write)
  • Limited tool access in code review workflow using --allowed-tools

Critical Issue: Missing write permissions

File: .github/workflows/claude-code-review.yml:22-26

Current permissions only allow reading, but Claude needs to post comments. Add pull-requests: write to allow commenting.
Key Recommendations

High Priority (must fix):

  1. Add pull-requests: write permission to the code review workflow - without this, the automated review won't be able to post comments

Medium Priority (should consider):

  2. Add tool restrictions to the main Claude workflow for better security
  3. Add workflow trigger authorization checks to prevent abuse
  4. Add concurrency control to prevent duplicate runs
  5. Remove redundant additional_permissions from claude.yml

Low Priority (nice to have):

  6. Enable path filtering for the code review workflow (only run on src/**/*.ts, src/**/*.tsx, etc.)
  7. Increase fetch-depth for better PR context
  8. Add failure notifications
  9. Add secret setup documentation in comments
Approval Status

Conditional approval: This PR is well-implemented but requires the permission fix before it will work correctly. Once pull-requests: write is added to the code review workflow, this can be merged safely.

Great work on integrating Claude Code! The workflows are well-structured and the security considerations are thoughtfully addressed.
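For reference, here is what a code review workflow looks like with the review's permission, authorization, concurrency, tool-allowlist and path-filter recommendations applied. This is an added illustration, not the repository's own workflow file; the action version pin, the secret name and the `claude_code_oauth_token` input name are assumptions and should be matched to the version of the action actually in use.

```yaml
name: Claude Code Review (hardened example)

on:
  pull_request:
    types: [opened, synchronize]
    paths:                      # recommendation 6: only review source changes
      - "src/**/*.ts"
      - "src/**/*.tsx"

# Recommendation 4: one review per PR; a new push cancels the in-flight run.
concurrency:
  group: claude-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  review:
    # Recommendation 3: only trusted authors can start the agent, so a
    # drive-by PR from a fork cannot drive it.
    if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write      # critical issue: needed to post review comments
      issues: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # recommendation 7: full history for PR context

      - name: Run Claude review
        # Placeholder: pin to the exact release tag or commit SHA the repo uses.
        uses: anthropics/claude-code-action@PIN_TO_RELEASE_OR_SHA
        with:
          # Assumed secret name; the token never appears in the workflow file.
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Recommendation 2: explicit allowlist instead of unrestricted Bash.
          allowed_tools: "Bash(npm run lint),Bash(npm run test)"
```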
