Add Claude Code GitHub Workflow #66
Conversation
There was a problem hiding this comment.
Pull request overview
This PR modifies an existing Claude Code review workflow to use a plugin-based approach instead of custom prompts. The changes also expand the workflow triggers to include draft PRs being marked ready for review and reopened PRs.
Changes:
- Added
ready_for_reviewandreopenedtrigger types to automatically run reviews on more PR events - Replaced custom multi-line prompt with plugin marketplace configuration
- Migrated from explicit bash tool permissions to a code-review plugin
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | ||
| plugins: 'code-review@claude-code-plugins' | ||
| prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' |
There was a problem hiding this comment.
The plugin marketplace URL 'https://github.com/anthropics/claude-code.git' appears to point to a Git repository rather than a plugin marketplace endpoint. The configuration for plugin_marketplaces and plugins fields may not be valid for the claude-code-action@v1. Please verify that this syntax is supported by the action, as the standard documentation for claude-code-action typically doesn't include these fields. If this is a new feature, consider adding a comment explaining the plugin system to help maintainers understand this configuration.
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | ||
| plugins: 'code-review@claude-code-plugins' | ||
| prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' |
There was a problem hiding this comment.
The prompt format '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' uses a non-standard syntax that may not be recognized by the claude-code-action. This appears to be attempting to invoke a plugin command, but without documentation or validation that this format is supported, this could cause the workflow to fail. Consider adding inline comments explaining this syntax or verifying this is the correct format for the plugin system.
| prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' | |
| # Instruct Claude (with the code-review plugin) to review the current pull request. | |
| prompt: > | |
| Please run a code review on the pull request at | |
| https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}. |
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | ||
| plugins: 'code-review@claude-code-plugins' |
There was a problem hiding this comment.
The removal of claude_args with the allowed-tools specification eliminates explicit control over which bash commands Claude can execute. The previous configuration had granular permissions ('gh issue view', 'gh pr comment', etc.), but the new plugin-based approach doesn't show what tools or permissions the code-review plugin has. This could be a security concern if the plugin has broader permissions than the previous configuration. Consider documenting what permissions the code-review plugin requires and whether this change maintains the same security posture.
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | |
| plugins: 'code-review@claude-code-plugins' | |
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | |
| # Security note: | |
| # - The "code-review@claude-code-plugins" plugin is used only for static code review. | |
| # - It operates via the Claude Code backend using the OAuth token above, with read-only | |
| # access to repository contents, pull request metadata, and issues (see the job | |
| # permissions: contents: read, pull-requests: read, issues: read, id-token: write). | |
| # - This workflow no longer exposes granular "allowed-tools" bash/gh commands directly. | |
| # Instead, the plugin's capabilities are restricted by the Claude Code service and are | |
| # intended to match or be more restrictive than the previous allowed-tools configuration | |
| # (e.g., viewing PRs/issues and posting review comments), without granting arbitrary | |
| # shell or GitHub CLI execution in this runner. | |
| plugins: 'code-review@claude-code-plugins' | |
| # The prompt below invokes the code-review plugin on the target pull request. | |
| # It does not execute local shell commands; all operations are performed by the | |
| # Claude Code service within the permissions described above. |
| on: | ||
| pull_request: | ||
| types: [opened, synchronize] | ||
| types: [opened, synchronize, ready_for_review, reopened] |
There was a problem hiding this comment.
The added trigger type 'ready_for_review' will cause the workflow to run when a draft PR is marked as ready for review. However, this workflow also runs on 'opened' and 'synchronize', which means a typical PR flow could trigger multiple redundant reviews: once when opened (if not a draft), again on each push (synchronize), and potentially again when marked ready for review. Consider whether all these triggers are necessary or if this could lead to excessive Claude API usage and duplicate reviews.
| types: [opened, synchronize, ready_for_review, reopened] | |
| types: [opened, synchronize, reopened] |
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!