-
Notifications
You must be signed in to change notification settings - Fork 0
Add Claude Code GitHub Workflow #82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| name: Claude Code Review | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| # Optional: Only run on specific file changes | ||
| # paths: | ||
| # - "src/**/*.ts" | ||
| # - "src/**/*.tsx" | ||
| # - "src/**/*.js" | ||
| # - "src/**/*.jsx" | ||
|
|
||
| jobs: | ||
| claude-review: | ||
| # Optional: Filter by PR author | ||
| # if: | | ||
| # github.event.pull_request.user.login == 'external-contributor' || | ||
| # github.event.pull_request.user.login == 'new-developer' || | ||
| # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' | ||
|
|
||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 | ||
|
Comment on lines
+30
to
+36
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
# Verify all workflow `uses:` entries are SHA-pinned
rg -nP '^\s*uses:\s*[^@\s]+@(?!(?:[0-9a-f]{40})\b).+' .github/workflows/*.yml
# Expected: no outputRepository: humancto/mango Length of output: 372 🏁 Script executed: # Check for dependabot or policy configuration files
find .github -type f -name "*.yml" -o -name "*.yaml" -o -name "*.json" | head -20Repository: humancto/mango Length of output: 677 🏁 Script executed: # Search for any references to "dependabot-selftest" or SHA pinning policies
rg -i "dependabot-selftest|sha.?pin|immutable" .github/ || echo "No references found"Repository: humancto/mango Length of output: 1135 🏁 Script executed: # Check all other workflows to see if SHA pinning is consistently applied
cat .github/workflows/claude.yml | head -40Repository: humancto/mango Length of output: 1359 🏁 Script executed: # Read the dependabot-selftest.yml to understand the enforcement
cat .github/workflows/dependabot-selftest.ymlRepository: humancto/mango Length of output: 2585 🏁 Script executed: # Also check the dependabot.yml configuration
cat .github/dependabot.ymlRepository: humancto/mango Length of output: 3808 🏁 Script executed: # Verify the test script existence and understand assertion `#15`
head -60 scripts/dependabot-scripts-test.sh | grep -A 5 -B 5 "assertion"Repository: humancto/mango Length of output: 532 🏁 Script executed: # Find assertion `#15` in the test script
rg -n "assertion.?15|uses:" scripts/dependabot-scripts-test.sh | head -30Repository: humancto/mango Length of output: 775 Pin action refs to immutable SHAs to unblock CI and harden supply chain. Lines 30 and 36 use tag-pinned refs ( Suggested fix pattern- uses: actions/checkout@v4
+ uses: actions/checkout@<40-hex-commit-sha> # v4
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@<40-hex-commit-sha> # v1🧰 Tools🪛 GitHub Actions: dependabot-selftest[error] 30-30: Dependabot scripts check failed: workflow uses are not SHA-pinned with 40-hex. Found 'uses: actions/checkout@v4'. [error] 36-36: Dependabot scripts check failed: workflow uses are not SHA-pinned with 40-hex. Found 'uses: anthropics/claude-code-action@v1'. 🤖 Prompt for AI Agents |
||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | ||
| plugins: 'code-review@claude-code-plugins' | ||
| prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' | ||
| # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md | ||
| # or https://code.claude.com/docs/en/cli-reference for available options | ||
|
|
||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,50 @@ | ||||||||||||||||||||||||||||||||||||||||||
| name: Claude Code | ||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||||||||||||||||||
| issue_comment: | ||||||||||||||||||||||||||||||||||||||||||
| types: [created] | ||||||||||||||||||||||||||||||||||||||||||
| pull_request_review_comment: | ||||||||||||||||||||||||||||||||||||||||||
| types: [created] | ||||||||||||||||||||||||||||||||||||||||||
| issues: | ||||||||||||||||||||||||||||||||||||||||||
| types: [opened, assigned] | ||||||||||||||||||||||||||||||||||||||||||
| pull_request_review: | ||||||||||||||||||||||||||||||||||||||||||
| types: [submitted] | ||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||||||||||||||||||
| claude: | ||||||||||||||||||||||||||||||||||||||||||
| if: | | ||||||||||||||||||||||||||||||||||||||||||
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||||||||||||||||||||||||||||||||||||||||||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||||||||||||||||||||||||||||||||||||||||||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||||||||||||||||||||||||||||||||||||||||||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | ||||||||||||||||||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+15
to
+20
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Add a trusted-actor gate to the Line 15–20 currently allows any user who can comment to invoke the workflow if they mention Suggested fix claude:
if: |
- (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
- (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ (github.event_name == 'issue_comment' &&
+ contains(github.event.comment.body, '@claude') &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+ (github.event_name == 'pull_request_review_comment' &&
+ contains(github.event.comment.body, '@claude') &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+ (github.event_name == 'pull_request_review' &&
+ contains(github.event.review.body, '@claude') &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
+ (github.event_name == 'issues' &&
+ (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||||||||||||||||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||||||||||||||||||||
| contents: read | ||||||||||||||||||||||||||||||||||||||||||
| pull-requests: read | ||||||||||||||||||||||||||||||||||||||||||
| issues: read | ||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+22
to
+24
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
The Useful? React with 👍 / 👎. |
||||||||||||||||||||||||||||||||||||||||||
| id-token: write | ||||||||||||||||||||||||||||||||||||||||||
| actions: read # Required for Claude to read CI results on PRs | ||||||||||||||||||||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||||||||||||||||||||
| - name: Checkout repository | ||||||||||||||||||||||||||||||||||||||||||
| uses: actions/checkout@v4 | ||||||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||||||
| fetch-depth: 1 | ||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||
| - name: Run Claude Code | ||||||||||||||||||||||||||||||||||||||||||
| id: claude | ||||||||||||||||||||||||||||||||||||||||||
| uses: anthropics/claude-code-action@v1 | ||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+29
to
+35
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
# Verify all workflow `uses:` entries are SHA-pinned
rg -nP '^\s*uses:\s*[^@\s]+@(?!(?:[0-9a-f]{40})\b).+' .github/workflows/*.yml
# Expected: no outputRepository: humancto/mango Length of output: 372 Pin GitHub Actions by full commit SHA (required by current CI policy). Lines 29 and 35 in Suggested fix pattern- - name: Checkout repository
- uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@<40-hex-commit-sha> # v4
...
- - name: Run Claude Code
- id: claude
- uses: anthropics/claude-code-action@v1
+ - name: Run Claude Code
+ id: claude
+ uses: anthropics/claude-code-action@<40-hex-commit-sha> # v1🧰 Tools🪛 GitHub Actions: dependabot-selftest[error] 29-29: Dependabot scripts check failed: workflow uses are not SHA-pinned with 40-hex. Found 'uses: actions/checkout@v4'. [error] 35-35: Dependabot scripts check failed: workflow uses are not SHA-pinned with 40-hex. Found 'uses: anthropics/claude-code-action@v1'. 🤖 Prompt for AI Agents |
||||||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||||||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||
| # This is an optional setting that allows Claude to read CI results on PRs | ||||||||||||||||||||||||||||||||||||||||||
| additional_permissions: | | ||||||||||||||||||||||||||||||||||||||||||
| actions: read | ||||||||||||||||||||||||||||||||||||||||||
| # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it. | ||||||||||||||||||||||||||||||||||||||||||
| # prompt: 'Update the pull request description to include a summary of changes.' | ||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||
| # Optional: Add claude_args to customize behavior and configuration | ||||||||||||||||||||||||||||||||||||||||||
| # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md | ||||||||||||||||||||||||||||||||||||||||||
| # or https://code.claude.com/docs/en/cli-reference for available options | ||||||||||||||||||||||||||||||||||||||||||
| # claude_args: '--allowed-tools Bash(gh pr *)' | ||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This workflow configures
pull-requests: read, but the Claude Code review flow is expected to publish PR feedback; with a read-only token, review comments cannot be created, so the automated review run can complete without delivering actionable output. Anthropic’s own automated review examples foranthropics/claude-code-actionusepull-requests: writefor this reason, so this permission setting makes the new review workflow effectively non-functional on real PRs.Useful? React with 👍 / 👎.