Add Claude Code GitHub Workflow #1

Merged
simonheimlicher merged 2 commits into main from add-claude-github-actions-1767776142262
Jan 7, 2026

@simonheimlicher
Collaborator

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@simonheimlicher simonheimlicher merged commit 0de1cfa into main Jan 7, 2026
1 check passed

claude bot commented Jan 7, 2026

Code Review: Claude Code GitHub Workflow

Thank you for adding Claude Code integration! Here's my analysis based on the repository's standards and best practices:

✅ Strengths

  1. Well-structured workflows: Both files follow GitHub Actions best practices with clear job definitions and appropriate permissions
  2. Security-conscious: Uses read-only permissions by default with id-token: write only where needed
  3. Good documentation: The PR description clearly explains what Claude Code is and how it works
  4. Flexible triggers: The main workflow correctly handles multiple event types (issue comments, PR comments, reviews)

🔍 Code Quality & Best Practices

claude-code-review.yml (.github/workflows/claude-code-review.yml:1)

Positive aspects:

  • Auto-review on PR open/sync is a great quality gate
  • Limited tool permissions via claude_args follow principle of least privilege
  • Checkout uses fetch-depth: 1 for performance

Suggestions:

  1. Integration with project validation (.github/workflows/claude-code-review.yml:48-50)

    • The prompt asks Claude to use gh pr comment, but doesn't mention the project's strict validation requirements
    • Consider adding a note to remind Claude about npm run validate and npm test requirements from CLAUDE.md
  2. Commented-out filters (.github/workflows/claude-code-review.yml:6-10, 14-18)

    • The commented sections are useful examples but might become outdated
    • Consider either removing them if not needed immediately, or adding a comment explaining they're examples
  3. Missing validation step

    • The workflow reviews code but doesn't validate the PR passes the project's gates
    • Consider adding a step to run npm run validate && npm test before Claude reviews, so Claude can see CI results

claude.yml (.github/workflows/claude.yml:1)

Positive aspects:

  • Comprehensive event triggers cover all interaction points
  • Conditional execution prevents unnecessary runs
  • Gives Claude access to read CI results (actions: read)

Suggestions:

  1. Default allowed tools (.github/workflows/claude.yml:48-49)

    • Unlike the code-review workflow, this has no allowed_tools restriction
    • Security consideration: This gives Claude broad tool access. Consider adding a default allowlist similar to the review workflow, or document that this is intentional
  2. No custom prompt (.github/workflows/claude.yml:43-44)

    • The workflow doesn't reference CLAUDE.md by default
    • When users mention @claude without specific instructions, it won't know about the validation requirements

⚠️ Potential Issues

  1. Missing CI integration

    • Neither workflow runs the project's test suite or validation
    • If Claude makes code changes via these workflows, those changes won't be validated
    • Risk: Could introduce code that doesn't pass npm run validate
  2. No rate limiting

    • Multiple @claude mentions in rapid succession could trigger many concurrent workflows
    • Consider adding concurrency controls
  3. Event filtering edge case (.github/workflows/claude.yml:13-19)

    • The condition checks github.event.issue.title but only for issues events with types opened, assigned
    • If an issue is edited to add @claude to the title, it won't trigger
    • Consider adding edited to the issue types if title mentions should be supported

🚀 Performance Considerations

  1. Checkout depth: Both workflows use fetch-depth: 1 ✅ - Good for performance
  2. Conditional execution: The main workflow has proper conditionals to avoid unnecessary runs ✅
  3. Missing caching: No dependency caching, but these workflows don't install dependencies, so not applicable ✅

🔒 Security Concerns

  1. Permissions are appropriate: Read-only access with minimal write permissions ✅
  2. Token usage: Uses CLAUDE_CODE_OAUTH_TOKEN secret properly ✅
  3. Tool restrictions: Code-review workflow limits tools appropriately ✅
  4. ⚠️ Main workflow has no tool restrictions: Consider whether this is intentional

📊 Test Coverage

N/A - These are workflow files, not code files requiring tests. However:

  • Consider adding a test PR to verify the workflow triggers correctly after merge
  • Document in the PR description how you tested these workflows (e.g., in a fork)

🎯 Summary & Recommendations

Approval Status: ✅ LGTM with suggestions

The workflows are well-written and follow GitHub Actions best practices. The main concerns are:

High Priority:

  1. Add explicit allowed_tools to claude.yml or document why it's intentionally unrestricted
  2. Add validation awareness to the prompts (reference CLAUDE.md and validation requirements)

Medium Priority:

  3. Consider adding concurrency controls to prevent workflow spam
  4. Add a CI validation step before code review to give Claude context on test failures

Low Priority:

  5. Clean up or better document the commented-out examples
  6. Add edited to issue event types if title mentions should be supported

Great work on the integration! Once merged, this will be a powerful tool for the project. 🎉

@simonheimlicher
Collaborator Author

@claude The job runs whenever a comment/body contains @claude, but there is no check on author_association or any other trust signal. That means in a public repo any external commenter can trigger a workflow that uses CLAUDE_CODE_OAUTH_TOKEN, which conflicts with the intended “only users with write access can trigger” behavior and exposes the token to untrusted triggering (cost/abuse risk). Consider gating the if on author_association (e.g., MEMBER, OWNER, COLLABORATOR) or on a pull_request_target/label-based allowlist.

Open a PR to restrict this workflow to be triggered only by human users with write permission on the repository, such as owners, members and collaborators.

claude bot commented Jan 8, 2026

Claude finished @simonheimlicher's task in 55s


Security Fix: Restrict Workflow to Authorized Users

I've identified the security issue and understand what needs to be fixed. However, I'm unable to modify workflow files directly due to GitHub App permissions.

Todo List:

  • Read existing workflow files
  • Analyze authorization requirements
  • Provide implementation guidance

The Security Issue

You're absolutely correct - the current workflows have a critical security vulnerability:

.github/workflows/claude.yml (lines 15-19):

  • Currently checks if @claude is mentioned in comments/issues
  • Missing: No verification of who triggered the workflow
  • Risk: Any external user can trigger workflows that use CLAUDE_CODE_OAUTH_TOKEN

.github/workflows/claude-code-review.yml (lines 14-19):

  • Has commented-out authorization logic as an example
  • Currently runs on all PRs regardless of author

Required Changes

I cannot modify workflow files due to GitHub App permissions, but here's exactly what needs to be changed:

1. Fix claude.yml (lines 15-19)

Current code:

if: |
  (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
  (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
  (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
  (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))

Should be changed to:

if: |
  (
    (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') && 
     contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
    (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') && 
     contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
    (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && 
     contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)) ||
    (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && 
     contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.sender.author_association))
  )

2. Consider Adding Authorization to claude-code-review.yml

While this workflow doesn't use @claude mentions, you may want to restrict auto-reviews to trusted contributors:

Add at line 15-16:

if: |
  contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association)

How to Apply These Changes

Since I cannot modify workflow files, you have two options:

Option 1: Manual Edit

  1. Edit .github/workflows/claude.yml directly in your repository
  2. Update the if condition as shown above
  3. Optionally update .github/workflows/claude-code-review.yml
  4. Commit and push to main

Option 2: Create PR Manually

  1. Create a new branch locally
  2. Make the changes shown above
  3. Push and create a PR for review

Why This Matters

Without these checks:

  • ❌ Any external user can trigger Claude workflows
  • ❌ Token usage can be abused (cost implications)
  • ❌ Untrusted users can execute actions in your repo

With these checks:

  • ✅ Only OWNER, MEMBER, and COLLABORATOR can trigger workflows
  • ✅ Token is protected from unauthorized use
  • ✅ Aligns with stated security model: "only users with write access can trigger"

Additional Security Recommendations

  1. Add concurrency controls to prevent workflow spam:

    concurrency:
      group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
      cancel-in-progress: false

  2. Consider rate limiting via GitHub's built-in workflow concurrency limits

  3. Monitor workflow usage regularly via GitHub Actions insights


I'm unable to complete this implementation due to GitHub App permissions that prevent workflow modifications. The changes above provide a complete solution that you can apply manually or via a separate PR.


simonheimlicher added a commit that referenced this pull request Jan 8, 2026
SECURITY FIX: Addresses critical vulnerability where any external user
could trigger Claude workflows using CLAUDE_CODE_OAUTH_TOKEN.

Changes:
- Add author_association checks to claude.yml (OWNER, MEMBER, COLLABORATOR only)
- Add author_association checks to claude-code-review.yml
- Add concurrency controls to prevent workflow spam

Resolves: #1 (comment)
simonheimlicher added a commit that referenced this pull request Jan 8, 2026
…ariables

Extract repeated configuration values into GitHub Actions variables with
sensible defaults, enabling runtime configuration without code changes.

Configuration variables:
- CLAUDE_AUTHORIZED_ROLES: Control who can trigger workflows
- CLAUDE_MENTION_TRIGGER: Customize trigger word (default: @claude)
- CLAUDE_CONCURRENCY_CANCEL: Enable canceling in-progress runs
- CLAUDE_ALLOWED_TOOLS: Restrict tool access
- CLAUDE_CUSTOM_PROMPT: Override default prompts
- CLAUDE_REVIEW_*: Separate configuration for code review workflow

Benefits:
- DRY: Single source of truth for authorization roles (was repeated 5x)
- Flexibility: Change behavior via repo settings without editing workflows
- Security: Easily adjust authorization without touching code
- Documentation: Comprehensive guide in .github/CLAUDE_WORKFLOWS.md

Related: #1 (comment)
@simonheimlicher
Collaborator Author

@codex: Review commit f2d3f3c and let me know if you spot any remaining security or rate limiting issues.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0de1cfaee2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +15 to +19
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
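
Review bot: the contains(..., '@claude') tests in all four branches are case-insensitive substring matches, so the job also starts when @claude appears inside a quoted reply, a pasted code sample or a longer handle. If only direct requests should start a run, tighten the match (for example with startsWith on the body) in addition to any check on who wrote the comment.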

[P1] Restrict @claude triggers to trusted actors

This job runs for any issue/PR comment containing @claude without checking author association, which means in a public repo any external user can trigger the workflow and consume the CLAUDE_CODE_OAUTH_TOKEN quota (and potentially prompt the assistant to act on their behalf). That is a security/rate‑limit exposure because it enables untrusted users to burn API credits or spam the automation. Consider gating on github.event.*.author_association (e.g., MEMBER, COLLABORATOR) or otherwise restricting who can invoke the workflow before using the secret.

Useful? React with 👍 / 👎.

simonheimlicher added a commit that referenced this pull request Jan 8, 2026
…#2)

* fix(workflows): add authorization checks to prevent token abuse

SECURITY FIX: Addresses critical vulnerability where any external user
could trigger Claude workflows using CLAUDE_CODE_OAUTH_TOKEN.

Changes:
- Add author_association checks to claude.yml (OWNER, MEMBER, COLLABORATOR only)
- Add author_association checks to claude-code-review.yml
- Add concurrency controls to prevent workflow spam

Resolves: #1 (comment)

* refactor(workflows): parameterize configuration with GitHub Actions variables

Extract repeated configuration values into GitHub Actions variables with
sensible defaults, enabling runtime configuration without code changes.

Configuration variables:
- CLAUDE_AUTHORIZED_ROLES: Control who can trigger workflows
- CLAUDE_MENTION_TRIGGER: Customize trigger word (default: @claude)
- CLAUDE_CONCURRENCY_CANCEL: Enable canceling in-progress runs
- CLAUDE_ALLOWED_TOOLS: Restrict tool access
- CLAUDE_CUSTOM_PROMPT: Override default prompts
- CLAUDE_REVIEW_*: Separate configuration for code review workflow

Benefits:
- DRY: Single source of truth for authorization roles (was repeated 5x)
- Flexibility: Change behavior via repo settings without editing workflows
- Security: Easily adjust authorization without touching code
- Documentation: Comprehensive guide in .github/CLAUDE_WORKFLOWS.md

Related: #1 (comment)

* fix(workflows): use correct author_association field for issues event

Fix critical bug where issues event used github.event.sender.author_association
instead of github.event.issue.author_association. The sender object does not
have author_association for issues events, causing the check to always fail.

This completely broke @claude mentions in issues (opened, assigned events).

Fixes: #2 (comment)
@simonheimlicher simonheimlicher deleted the add-claude-github-actions-1767776142262 branch January 8, 2026 16:12
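
The gate discussed in this thread, modelled in Python as an added example (not code from the PR or its workflows): it reads author_association from the object each event carries it on, and shows that reading it from sender, which has no such field, denies every issues event. The payloads are constructed, and the assoc_object parameter is a hypothetical knob used only to reproduce that mistake.

```python
# Added example: the gate modelled over constructed payloads (not real events).
ALLOWED = {"OWNER", "MEMBER", "COLLABORATOR"}  # roles named in the thread
TRIGGER = "@claude"

# Payload object holding both the text and author_association, per event type,
# plus the text fields the quoted `if:` condition inspects.
FIELDS = {
    "issue_comment": ("comment", ("body",)),
    "pull_request_review_comment": ("comment", ("body",)),
    "pull_request_review": ("review", ("body",)),
    "issues": ("issue", ("body", "title")),
}


def should_run(event_name, payload, assoc_object=None):
    """True only when the trigger is mentioned and the author is in ALLOWED.

    assoc_object (hypothetical parameter) overrides which payload object
    author_association is read from, to reproduce the `sender` mistake.
    """
    if event_name not in FIELDS:
        return False
    obj_key, text_fields = FIELDS[event_name]
    obj = payload.get(obj_key) or {}
    # contains() in Actions expressions is a case-insensitive substring match.
    mentioned = any(TRIGGER in (obj.get(f) or "").lower() for f in text_fields)
    source = payload.get(assoc_object or obj_key) or {}
    # A missing property is null in an expression, so the gate fails closed.
    return mentioned and source.get("author_association") in ALLOWED


# Constructed sample events; logins and text are made up for illustration.
SAMPLES = [
    ("issue_comment", {"comment": {"body": "@claude fix this", "author_association": "NONE"},
                       "sender": {"login": "drive-by-user"}}),
    ("issue_comment", {"comment": {"body": "@Claude please review", "author_association": "COLLABORATOR"},
                       "sender": {"login": "maintainer"}}),
    ("pull_request_review", {"review": {"body": "no mention here", "author_association": "OWNER"},
                             "sender": {"login": "owner"}}),
    ("issues", {"issue": {"title": "@claude triage", "body": None, "author_association": "OWNER"},
                "sender": {"login": "owner"}}),
]


def evaluate(samples=SAMPLES):
    """Return (event, gate reading the right object, gate reading `sender`)."""
    return [(name, should_run(name, p), should_run(name, p, "sender")) for name, p in samples]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

author_association describes the commenter's relationship to the repository rather than a permission level, so a gate that has to mean "write access" needs a separate permission check.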