
Add Claude Code GitHub Workflow#1

Open
dataofmen wants to merge 2 commits into
mainfrom
add-claude-github-actions-1755842634369

Conversation

@dataofmen
Owner

@dataofmen dataofmen commented Aug 22, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • New Features
    • Automated AI code reviews now run on new and updated pull requests, offering feedback on code quality, bugs, performance, security, and test coverage.
    • You can mention @claude in issues or PR review comments to request on-demand assistance; the workflow triggers only when mentioned.

@coderabbitai

coderabbitai Bot commented Aug 22, 2025

Walkthrough

Adds two GitHub Actions workflows: one runs automated code reviews on pull_request opened/synchronize events; the other runs on-demand when @claude is mentioned in issues, comments, or PR reviews. Both check out the repo and invoke anthropics/claude-code-action@beta with a secret token and optional, commented configuration.

Changes

.github/workflows/claude-code-review.yml (GitHub Actions: Claude Code Review)
  New workflow "Claude Code Review" triggered by pull_request (opened, synchronize). Defines job claude-review on ubuntu-latest with read permissions and id-token write. Checks out repo (fetch-depth: 1) and runs anthropics/claude-code-action@beta with ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} and a direct review prompt. Includes commented optional settings (model, sticky comments, per-file prompts, authors, tools, skip logic).

.github/workflows/claude.yml (GitHub Actions: Claude Mentions)
  New workflow "Claude Code" triggered on issue/PR comments and reviews. Job claude runs when content contains @claude. Grants contents/pull-requests/issues read, id-token write, actions read. Checks out repo and runs anthropics/claude-code-action@beta with token and additional_permissions: actions: read. Commented optional inputs (model, trigger_phrase, assignee_trigger, allowed_tools, custom_instructions, claude_env).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub
  participant WF as Workflow: Claude Code Review
  participant Act as claude-code-action
  Dev->>GH: Open / update Pull Request
  GH-->WF: Trigger on pull_request (opened/synchronize)
  WF->>WF: Checkout repository (fetch-depth: 1)
  WF->>Act: Run action with OAuth token + direct_prompt
  Act-->>GH: Post review comments/status (via PR APIs)
sequenceDiagram
  autonumber
  actor User as User
  participant GH as GitHub
  participant WF as Workflow: Claude Code
  participant Act as claude-code-action
  User->>GH: Create issue/PR review/comment containing "@claude"
  GH-->WF: Trigger on comment/review/issue events
  alt Condition: content includes @claude
    WF->>WF: Checkout repository (fetch-depth: 1)
    WF->>Act: Run action with token (+ actions:read)
    Act-->>GH: Respond in thread (issue/comment/review)
  else No mention
    WF-->>GH: Skip job
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A nibble of YAML, a hop through CI,
I twitch my whiskers at pull requests that fly.
Mention my name, and I bound to the thread,
Reviews I deliver, concise as I tread.
Two workflows planted, carrots in a row,
Ready, set, merge; watch the garden grow! 🥕🐇


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 7

🧹 Nitpick comments (5)
.github/workflows/claude-code-review.yml (1)

21-21: Add timeout and cancel in-flight runs to control cost/noise.

Large PRs can trigger long runs. Add a timeout and cancel superseded runs per PR.

Apply this diff:

-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    concurrency:
+      group: claude-review-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
.github/workflows/claude.yml (4)

3-11: Avoid duplicate triggers from "issues: assigned" unless intentional.

Assigning an issue will retrigger runs if the body/title contains "@claude", duplicating work. If that's not desired, drop the assigned type.

Apply this diff:

   issues:
-    types: [opened, assigned]
+    types: [opened]
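Review bot: dropping `assigned` also disables the `assignee_trigger` input that the walkthrough lists among this workflow's commented-out options, because that trigger can only fire on the `issues: assigned` event. If the project may later uncomment `assignee_trigger`, keep `assigned` here and instead exclude the duplicate in the job `if:` (for example by requiring `github.event.action != 'assigned'` in the `issues` branch that checks body/title for `@claude`); if assignment-triggering is not wanted at all, this hunk is the right fix and the commented `assignee_trigger` line should go with it.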

20-20: Consider timeout and concurrency to tame bursts on popular threads.

Issue/PR threads can generate many @claude mentions rapidly. Add a timeout and concurrency to avoid overlapping work.

Apply this diff:

-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    concurrency:
+      # Group by repository and event to reduce overlapping runs; refine if needed per thread
+      group: claude-mentions-${{ github.repository }}-${{ github.event_name }}
+      cancel-in-progress: true
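Review bot: the group key here is repository plus event name, not the thread, so with `cancel-in-progress: true` a new `@claude` mention on issue B cancels the in-flight run that was serving issue A, and A's request is silently lost with no reply. Key the group on the thread instead, e.g. `claude-${{ github.event.issue.number || github.event.pull_request.number }}` (the `issue` object is present for `issues` and `issue_comment`, `pull_request` for the review events), or keep the coarse group and drop `cancel-in-progress` so runs queue rather than kill each other.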

If you want strict per-thread grouping, I can craft event-specific groups that key off the issue/PR number for each event type.


52-54: Be cautious when enabling allowed_tools; guard by trust context.

Running shell commands like npm install/npm run can execute arbitrary scripts. If you later enable allowed_tools, ensure they only run when the actor has write access and the event is from a trusted context (not forks).

I can add conditional guards that enable tools only for trusted authors or repository == head.repo. Want me to draft that?


28-31: Pin GitHub Actions to Immutable SHAs

To harden your supply chain, pin these third-party actions to their full commit SHAs (as of August 22, 2025):

• File: .github/workflows/claude.yml (lines 28–31)

      - name: Checkout repository
-       uses: actions/checkout@v4
+       uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
        with:
          fetch-depth: 1

• File: .github/workflows/claude.yml (lines 33–37)

      - name: Run Claude code action
-       uses: anthropics/claude-code-action@beta
+       uses: anthropics/claude-code-action@9f02f6f6d43ec1d1da0f80028250535a057f3f32
        with:
          # …existing inputs…
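Review bot: the two SHAs offered here do not match the example SHAs given for the same two tags further down this page (8c7baa5a… for actions/checkout, ea9291ef… for claude-code-action), so at most one set can be what the tag pointed to on the stated date; resolve each tag yourself before adopting a pin (`git ls-remote --tags https://github.com/actions/checkout v4`, taking the `^{}` peeled line for an annotated tag) and keep a trailing `# v4` style comment after the SHA so reviewers and Dependabot can still tell which release it is. Note also that `beta` is a floating pre-release tag by design: pinning it is correct for supply-chain reasons, but it freezes the action at one pre-release commit and the team then owns the update cadence.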

Pinning by SHA prevents unexpected tag movements and guards against supply-chain attacks.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8a69725 and 85f272f.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml (1 hunks)
  • .github/workflows/claude.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)

.github/workflows/claude-code-review.yml
  [error] trailing spaces on lines 20, 27, 51, 56, 64, 67, 70, 73 (trailing-spaces)
  [warning] line 78: too many blank lines (1 > 0) (empty-lines)

.github/workflows/claude.yml
  [error] trailing spaces on lines 42, 45, 48, 51, 54, 60 (trailing-spaces)
  [warning] line 64: too many blank lines (1 > 0) (empty-lines)

🔇 Additional comments (2)
.github/workflows/claude-code-review.yml (2)

44-53: LGTM on the review prompt.

Clear, scoped, and constructive guidance for automated review. Good default.


29-31: Pin GitHub Actions to immutable commit SHAs for supply-chain safety

To ensure your workflows always run the exact code you’ve vetted:

• Replace the floating tag on actions/checkout with its full v4 commit SHA:

- uses: actions/checkout@v4
+ uses: actions/checkout@<LATEST_V4_SHA>  # e.g. 8c7baa5ad8477a5878825a02ca310247d7890c9c

– Find the SHA by visiting https://github.com/actions/checkout/releases/tag/v4 and copying the full-length commit ID.

• Pin anthropics/claude-code-action to its beta commit SHA instead of the tag:

- uses: anthropics/claude-code-action@beta
+ uses: anthropics/claude-code-action@<LATEST_BETA_SHA>  # e.g. ea9291efb6fa3fd95e106a1f8daf4e6aa043c0bd
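Review bot: `<LATEST_V4_SHA>` and `<LATEST_BETA_SHA>` are placeholders, not refs; committed as-is, the workflow fails at resolution time because no such ref exists. Replace each with the full 40-character commit SHA the tag resolves to (not the abbreviated form, which GitHub rejects for `uses:`), and treat the "e.g." values as illustrations to be verified rather than copied, since the earlier nitpick on this page proposes different SHAs for the same tags.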

– Grab this SHA from https://github.com/anthropics/claude-code-action/releases or the beta tag ref.

Updating both lines guards against unreviewed changes if those tags are ever moved or updated.
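The pinning and permission points in this review summary are worth checking mechanically on every workflow file rather than by eye. The following is an added example written for this thread, not code from the PR, from CodeRabbit or from the anthropics/claude-code-action project: a standard-library-only Python scanner that reports actions referenced by a floating tag or branch, scopes granted `write`, and triggers that fire on text anyone with a GitHub account can post. The workflow text it scans is constructed to resemble the one described on this page; the 40-character SHA in it is made up, and the scanner assumes two-space YAML indentation.

```python
"""Static checks a reviewer can run over .github/workflows/*.yml before merging.

Added example for this thread; not code from the PR, from CodeRabbit, or from
anthropics/claude-code-action. Standard library only, so it runs offline.
Assumptions: two-space YAML indentation and one workflow per string.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the shape described on this page; not the PR's file.
# The SHA on the last `uses:` line is made up.
SAMPLE_WORKFLOW = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
  pull_request_review:
    types: [submitted]
jobs:
  claude:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@beta
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
      # Already pinned (made-up SHA); the trailing comment keeps the version readable.
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567  # v4
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo@ref` (also owner/repo/path@ref); local `./` actions have no @.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s@#]+)@([^\s#]+)", re.MULTILINE)
# Permission scopes are the only keys whose value is exactly read/write/none.
PERM_RE = re.compile(r"^[ \t]*([a-z-]+):[ \t]*(write|read|none)\b", re.MULTILINE)

# Events that fire on input anyone can submit while the job still runs in the
# base repository with its secrets: the "writers only" situation on this page.
COMMENT_TRIGGERS = {
    "issue_comment", "issues", "pull_request_review",
    "pull_request_review_comment", "pull_request_target", "workflow_run",
}


def triggers(text: str) -> List[str]:
    """Event names under the top-level `on:` key, block or inline form.

    In YAML 1.1 a bare `on` is the boolean true, which is what yamllint's
    "truthy value" warning on line 3 of these workflows refers to; GitHub
    accepts it, and this scanner matches the literal text either way.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:  # `on: push` or `on: [push, pull_request]`
            return [t.strip() for t in inline.strip("[]").split(",") if t.strip()]
        found = []
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if not nxt.startswith(" "):  # next top-level key: the block is over
                break
            key = re.match(r"^  ([a-z_]+):", nxt)  # exactly two spaces = event name
            if key:
                found.append(key.group(1))
        return found
    return []


def unpinned_actions(text: str) -> List[Tuple[str, str]]:
    """Every third-party action referenced by tag or branch instead of a commit SHA."""
    return [(name, ref) for name, ref in USES_RE.findall(text) if not SHA_RE.match(ref)]


def write_permissions(text: str) -> List[str]:
    """Scopes granted `write` at any level of the file; each one needs a stated reason."""
    return sorted({scope for scope, level in PERM_RE.findall(text) if level == "write"})


def untrusted_input_triggers(text: str) -> List[str]:
    """Triggers whose payload comes from arbitrary users; gate the job `if:` on trust."""
    return [t for t in triggers(text) if t in COMMENT_TRIGGERS]


def audit(text: str) -> Dict[str, list]:
    """All findings for one workflow file; empty lists mean nothing to flag."""
    return {
        "unpinned_actions": unpinned_actions(text),
        "write_permissions": write_permissions(text),
        "untrusted_input_triggers": untrusted_input_triggers(text),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_WORKFLOW).items():
        print(f"{finding}: {items}")
```

Run it over every file under .github/workflows/ as a pre-merge check; the goal is three empty lists, and any scope left in `write_permissions` should carry a comment in the workflow saying why it is needed.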

Comment on lines +14 to +21

  claude-review:
    # Optional: Filter by PR author
    # if: |
    #   github.event.pull_request.user.login == 'external-contributor' ||
    #   github.event.pull_request.user.login == 'new-developer' ||
    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

    runs-on: ubuntu-latest
🛠️ Refactor suggestion

Gate runs on forked PRs or document that forks won’t be auto-reviewed.

Secrets aren’t available to forked PRs on pull_request events, so this job will fail for external contributors. Either restrict execution to same-repo PRs or switch to a more complex pull_request_target pattern (with strict safety constraints).

Apply this diff to only run for same-repo PRs:

   claude-review:
-    # Optional: Filter by PR author
+    # Run only for PRs originating from this repository (secrets are unavailable to forks)
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
+    # Optional: Filter by PR author
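Review bot: with this gate a PR from a fork is skipped silently rather than failing, so the "Claude Code Review" check simply never appears on external PRs; if that is the intended behaviour, state it in a comment or the job name, because an absent check is easy to misread as a passing one when the review is meant to cover security and bugs. The comparison is also safe when `head.repo` is null (fork deleted after the PR was opened): the expression evaluates to false and the job is skipped, which is the right direction.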

If you intend to support forks, I can propose a safe pull_request_target variant that avoids executing untrusted code while still reviewing diffs.

🤖 Prompt for AI Agents
.github/workflows/claude-code-review.yml lines 14-21: the job will run on forked
PRs where secrets are unavailable and will fail for external contributors;
update the workflow to only run for same-repo pull requests (e.g., add an
if-condition that checks the PR is not from a fork or that
github.event.pull_request.head.repo.full_name == github.repository) or, if you
need fork support, switch to a safe pull_request_target pattern that explicitly
limits steps which use repo secrets and only runs untrusted code in a read-only
review sandbox; apply one of these changes so the job no longer attempts to use
secrets on forked PRs.


💡 Verification agent

🧩 Analysis chain

Fix YAML lint nits: trailing spaces and extra blank line.

There are trailing spaces on several lines and an extra blank line at the end. Clean them up to keep CI lint quiet.

You can auto-fix with:

-# (remove trailing spaces on the noted lines and drop the extra blank line at EOF)

Or run: yamllint .github/workflows/claude-code-review.yml locally and apply its suggestions.

Also applies to: 27-27, 51-51, 56-56, 64-64, 67-67, 70-70, 73-73, 78-79


🏁 Script executed:

#!/bin/bash
# Verify formatting issues reported by yamllint
yamllint .github/workflows/claude-code-review.yml || true

Length of output: 1327


Fix YAML lint errors in .github/workflows/claude-code-review.yml

The workflow file currently fails yamllint with multiple errors. Please address the following to keep CI green:

  • Add the document start marker: line 1 is missing --- at the top of the file.
  • Replace non-boolean values with true/false: line 3, truthy value should be one of [false, true].
  • Remove trailing spaces: lines 20, 27, 51, 56, 64, 70, 73.
  • Ensure lines do not exceed 80 characters: lines 40 (96 chars), 54 (115), 61 (81), 62 (84), 67 (94), 68 (150), 69 (109), 72 (90).
  • Remove the extra blank line at end of file: line 78, too many blank lines (empty-lines).

You can locally verify and auto-fix many of these with:

yamllint .github/workflows/claude-code-review.yml

…then trim trailing spaces, wrap or shorten long lines, add --- at the top, and replace any non-boolean values accordingly.


🤖 Prompt for AI Agents
.github/workflows/claude-code-review.yml lines 1-78: fix yamllint issues by
adding a document start marker `---` at the top (line 1), replace any
non-boolean truthy values with explicit true/false (line 3), remove trailing
spaces on lines 20, 27, 51, 56, 64, 70, 73, wrap or shorten lines that exceed 80
characters (lines 40, 54, 61, 62, 67, 68, 69, 72) so they stay <=80 chars, and
remove the extra blank line at the end of file (line 78); run `yamllint
.github/workflows/claude-code-review.yml`, trim trailing whitespace, break long
strings into shorter lines or use YAML folded scalars where appropriate, and
ensure the file ends with a single newline.

Comment on lines +22 to +26

    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write

🛠️ Refactor suggestion

Action cannot comment with read-only permissions; remove unnecessary id-token.

The job likely needs to create or update PR comments. With pull-requests: read and issues: read, it will be unable to post feedback. Also, id-token: write is unnecessary here and should be dropped to keep least privilege.

Apply this diff:

     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
+      contents: read
+      pull-requests: write
+      issues: write
+      # id-token not required; remove to reduce privilege
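Review bot: check what the action uses `id-token: write` for before removing it. The PR description says Claude's default tools create comments, branches and commits, which `contents: read` would not allow through GITHUB_TOKEN even after this hunk raises pull-requests and issues to write; that suggests the action obtains its write access by another route, and exchanging the job's OIDC token (the thing `id-token: write` enables) for an app installation token is the usual one. If the action's documentation confirms an OIDC exchange, this hunk would break posting rather than harden the workflow; if it does not, the least-privilege change is right and the comment in the diff is accurate.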
🤖 Prompt for AI Agents
.github/workflows/claude-code-review.yml lines 22-26: the workflow currently
grants pull-requests: read and id-token: write which prevents the action from
posting PR comments and unnecessarily elevates privileges; change pull-requests
to write so the job can create/update PR comments and remove the id-token: write
entry entirely to follow least-privilege principles.

Comment on lines +34 to +39

      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@beta
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}


💡 Verification agent

🧩 Analysis chain

Confirm secret name and required inputs match the action’s docs.

The input is claude_code_oauth_token. Ensure this is the expected input and your repository secret name matches exactly.

If the action accepts GITHUB_TOKEN for commenting, we can further reduce explicit secrets here.


🌐 Web query:

For anthropics/claude-code-action, what is the exact input name for the required token/secret and what scopes are needed? Is it `claude_code_oauth_token`?

💡 Result:

The required input name for the secret/token in anthropics/claude-code-action is api_key, and the secret itself should be set as ANTHROPIC_API_KEY in your GitHub repository or organization secrets[10][4]. The value expected is your raw Anthropic API key, typically beginning with sk-ant-api... and not prefixed with "Bearer"[2][5].

Input/Secret Name:

  • The GitHub Actions input is:
    api_key: ${{ secrets.ANTHROPIC_API_KEY }}[10]
  • The secret must be named ANTHROPIC_API_KEY in your GitHub secrets[4]

There is no reference in any documentation or SDK code to a secret named claude_code_oauth_token for this action. That is not a valid or required input name for the main Claude Code GitHub Action[2][4][10].

Required OAuth Scopes:

  • The API key itself, created in the Anthropic Console, only requires that it is a valid Claude Code API key, which means your Anthropic account must have sufficient billing/setup and the key must not be expired[1][7].
  • No additional custom OAuth scopes must be set on the Anthropic sideβ€”just ensure the API key has access to Claude Code models[3][5].
  • In GitHub, to use repository secrets in Actions, you need read access to secrets and standard "actions" workflow permissions.

Summary Table

Input to Action Value
api_key: ${{ secrets.ANTHROPIC_API_KEY }}
Secret in GitHub ANTHROPIC_API_KEY
Secret value Anthropic API Key raw string (not bearer)
Not used/recognized claude_code_oauth_token
Required Anthropic scopes Access to Claude Code APIs (API key)

Relevant documentation supports only ANTHROPIC_API_KEY as the input name and secret for the action[10][4][7].


Update Claude Code Action Input and Secret Name

The anthropics/claude-code-action expects its OAuth key under the input name api_key and the GitHub secret must be named ANTHROPIC_API_KEY. The currently used claude_code_oauth_token input is not recognized by the action and will cause the workflow to fail.

Please update your workflow snippet as follows:

   - name: Run Claude Code Review
     id: claude-review
     uses: anthropics/claude-code-action@beta
     with:
-      claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+      api_key:               ${{ secrets.ANTHROPIC_API_KEY }}
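Review bot: renaming the secret in this file alone breaks `.github/workflows/claude.yml`, which the walkthrough says passes the same secret token to the same action; change both workflows and the repository secret in one commit, or the mention workflow starts failing the moment the old secret is deleted. Also verify the input name against `action.yml` at the exact ref used in `uses:` rather than against a web-search summary: a beta action's inputs can change between commits, and the summary's bracketed citations are not reproduced here, so there is nothing on this page to check the claim against.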

• Rename your repository (or organization) secret from CLAUDE_CODE_OAUTH_TOKEN to ANTHROPIC_API_KEY.
• Ensure the secret value is your raw Anthropic API key (e.g. sk-ant-api…) without any Bearer prefix.

Let me know if you need further assistance in adjusting scopes or permissions.

🤖 Prompt for AI Agents
In .github/workflows/claude-code-review.yml around lines 34 to 39, the workflow
uses the wrong input name and secret for the anthropics action; change the
action input from claude_code_oauth_token to api_key and update the referenced
secret from CLAUDE_CODE_OAUTH_TOKEN to ANTHROPIC_API_KEY, then create/rename the
repository secret ANTHROPIC_API_KEY to contain the raw Anthropic API key (no
"Bearer" prefix).

Comment on lines +15 to +20

    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    runs-on: ubuntu-latest

⚠️ Potential issue

Anyone can currently trigger runs by typing @claude; enforce "writers only."

The PR description says only users with write access can trigger this workflow, but the condition doesn’t enforce that. Add association checks and guard against null bodies.

Apply this diff:

-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    if: |
+      (
+        github.event_name == 'issue_comment' &&
+        (github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'COLLABORATOR') &&
+        github.event.comment.body != '' &&
+        contains(github.event.comment.body, '@claude')
+      ) ||
+      (
+        github.event_name == 'pull_request_review_comment' &&
+        (github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'COLLABORATOR') &&
+        github.event.comment.body != '' &&
+        contains(github.event.comment.body, '@claude')
+      ) ||
+      (
+        github.event_name == 'pull_request_review' &&
+        (github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'COLLABORATOR') &&
+        github.event.review.body != '' &&
+        contains(github.event.review.body, '@claude')
+      ) ||
+      (
+        github.event_name == 'issues' &&
+        (github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'COLLABORATOR') &&
+        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))
+      )
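Review bot: `author_association` is not the same thing as write access. `MEMBER` means organisation membership, which can be read-only, and `COLLABORATOR` covers any invited collaborator including those granted read or triage, so this gate is broader than the "only users with write access" statement in the PR description it is meant to enforce. If write access is really the requirement, resolve it in a first step through the repository collaborators permission API and gate the action step on that result. Two smaller points on the hunk: `contains()` in workflow expressions is case-insensitive and returns false for a null body, so the `!= ''` guards add nothing and the `issues` branch is not inconsistent for lacking them; and `contains(..., '@claude')` also matches `@claude-dev` or an address like `x@claude.example`, so a stricter match is worth considering once false triggers start costing API budget.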
🤖 Prompt for AI Agents
.github/workflows/claude.yml lines 15-20: the workflow condition currently
triggers on any '@claude' mention and doesn't check the author's repository
association or protect against null comment/review/issue bodies; update the
composite if to require the appropriate author_association for each event (e.g.,
comment.author_association for issue_comment and pull_request_review_comment,
review.author_association or review.user.author_association for
pull_request_review, and issue.user_association for issues) to be a trusted
value like 'OWNER'|'MEMBER'|'COLLABORATOR' (or equivalent org-level roles you
require), and also guard each contains(...) check with a null-safe test (only
call contains when the body/title exists) so the workflow only runs when a
writer-level actor actually mentioned '@claude' and no null bodies cause errors.
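To test a gate like the one proposed above before touching the YAML, here is an added example (not code from the PR, from CodeRabbit or from the action) that models the decision in Python and runs it against constructed event payloads. It assumes the payload field names GitHub documents for these events (comment.author_association, review.body, issue.title and so on), treats the set of trusted associations as a policy choice that only approximates write access, and includes the exact check against the collaborators permission API response for comparison. Because it goes slightly beyond the expression in the hunk, it also rejects look-alike mentions such as @claude-dev, which a plain contains() would accept.

```python
"""Offline model of the "writers only" trigger gate for @claude mentions.

Added example for this thread, not code from the PR, from CodeRabbit, or from
anthropics/claude-code-action. GitHub evaluates the real gate as a workflow
expression; mirroring it here lets the decision be unit-tested against
constructed payloads. The payloads below are constructed and carry only the
fields the gate reads.
"""
import re
from typing import Dict, List, Optional, Tuple

# A standalone token: "@claude" or "@Claude", but not "@claude-dev", "@claudette"
# or the local part of "x@claude.example". A workflow expression's contains()
# is a plain case-insensitive substring test and would fire on all of those.
MENTION_RE = re.compile(r"(?<![\w@./-])@claude(?![\w-])", re.IGNORECASE)

# Policy choice (assumption): MEMBER (org membership) and COLLABORATOR (any
# invited collaborator) can both be read-only accounts, so this set only
# approximates "has write access"; has_write_access() below is the exact check.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}


def mentions_claude(text: Optional[str]) -> bool:
    """True for a standalone @claude token. A None or empty body never matches,
    which is also how contains() in a workflow expression treats a null body."""
    return bool(text) and MENTION_RE.search(text) is not None


def _actor_and_texts(event_name: str, payload: dict) -> Tuple[Optional[str], List[Optional[str]]]:
    """Where each supported event keeps the author association and the text to scan."""
    if event_name in ("issue_comment", "pull_request_review_comment"):
        c = payload.get("comment") or {}
        return c.get("author_association"), [c.get("body")]
    if event_name == "pull_request_review":
        r = payload.get("review") or {}
        return r.get("author_association"), [r.get("body")]
    if event_name == "issues":
        i = payload.get("issue") or {}
        return i.get("author_association"), [i.get("title"), i.get("body")]
    return None, []  # unsupported event: never run


def should_run(event_name: str, payload: dict, trusted=frozenset(TRUSTED_ASSOCIATIONS)) -> bool:
    """The gate: a trusted author AND a real mention in the text that event carries."""
    assoc, texts = _actor_and_texts(event_name, payload)
    return assoc in trusted and any(mentions_claude(t) for t in texts)


def has_write_access(permission_response: Dict[str, str]) -> bool:
    """Exact check on GET /repos/{owner}/{repo}/collaborators/{username}/permission.
    The `permission` field is one of admin, write, read, none (maintain and triage
    are folded into write and read respectively); only admin and write can push."""
    return permission_response.get("permission") in ("admin", "write")


# Constructed events: (event_name, payload, expected decision).
SAMPLE_EVENTS = [
    ("issue_comment",
     {"comment": {"author_association": "OWNER", "body": "@claude please review"}}, True),
    ("issue_comment",
     {"comment": {"author_association": "NONE", "body": "@claude run the tests"}}, False),
    ("pull_request_review",
     {"review": {"author_association": "MEMBER", "body": None}}, False),  # approval with no text
    ("issues",
     {"issue": {"author_association": "COLLABORATOR", "title": "@claude: triage this", "body": ""}}, True),
    ("issue_comment",
     {"comment": {"author_association": "OWNER", "body": "cc @claude-dev, not the bot"}}, False),
    ("push", {}, False),  # an event the gate does not handle at all
]


def check_samples() -> bool:
    """Every constructed event decides as expected."""
    return all(should_run(e, p) == want for e, p, want in SAMPLE_EVENTS)


if __name__ == "__main__":
    for event, payload, want in SAMPLE_EVENTS:
        print(f"{event:28s} -> {str(should_run(event, payload)):5s} (expected {want})")
    print("all samples as expected:", check_samples())
```

The split between `should_run` (cheap, from the event payload) and `has_write_access` (one API call) mirrors how a hardened workflow would be laid out: the payload-based gate in the job `if:` to avoid starting a runner at all, and the permission lookup as a first step that the action step is conditioned on.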

Comment on lines +21 to +27

    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read # Required for Claude to read CI results on PRs
    steps:

🛠️ Refactor suggestion

Grant minimal write permissions for comments; remove id-token.

To post replies or status back, the job needs pull-requests: write and issues: write. id-token: write is not required here.

Apply this diff:

     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-      actions: read # Required for Claude to read CI results on PRs
+      contents: read
+      pull-requests: write
+      issues: write
+      actions: read # Required for Claude to read CI results on PRs
+      # id-token not required; remove to reduce privilege
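Review bot: this is the workflow in which the PR description expects Claude to create branches and commits, and the hunk leaves `contents: read`, so if the action ever pushed through GITHUB_TOKEN those pushes would be rejected even after pull-requests and issues are raised to write. Either raise `contents` to write deliberately and say so in a comment, or confirm in the action's documentation that it gets its write access elsewhere (which is also the question to settle before removing `id-token: write` here); leaving the mismatch implicit is the worst of the three options.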
🤖 Prompt for AI Agents
In .github/workflows/claude.yml around lines 21 to 27, the workflow currently
grants id-token: write and only read access for pull-requests and issues; update
permissions to remove id-token: write and grant minimal write permissions by
changing pull-requests: read to pull-requests: write and issues: read to issues:
write so the job can post replies/status without unnecessary id-token scope.

          # This is an optional setting that allows Claude to read CI results on PRs
          additional_permissions: |
            actions: read


💡 Verification agent

🧩 Analysis chain

Fix YAML lint nits: trailing spaces and the extra blank line.

Remove trailing spaces on the noted lines and the extra blank line at the end.

You can verify locally with:

Also applies to: 45-45, 48-48, 51-51, 54-54, 60-60, 64-65


🏁 Script executed:

#!/bin/bash
yamllint .github/workflows/claude.yml || true

Length of output: 1267


Address all yamllint violations in .github/workflows/claude.yml

When running yamllint .github/workflows/claude.yml, the following issues were reported:

• Line 1: warning – missing document start (---)
• Line 3: warning – truthy value should be one of [false, true]
• Lines 16, 17, 18, 19, 39, 43, 53, 55: error – line too long (> 80 characters)
• Line 26: warning – too few spaces before comment (expected 2)
• Lines 42, 45, 48, 51, 54, 60: error – trailing spaces
• Line 64: error – too many blank lines at end of file

Please:

  • Add --- at the top of the file.
  • Replace any truthy values (e.g. yes, on) with true or false.
  • Wrap or shorten long lines to ≀ 80 characters.
  • Ensure comments have at least two spaces before #.
  • Remove all trailing spaces on the noted lines.
  • Delete the extra blank line at the end of the file.

You can re-verify locally with:

yamllint .github/workflows/claude.yml || true

🤖 Prompt for AI Agents
In .github/workflows/claude.yml around lines 1-64: add a YAML document start
`---` at the top (line 1), replace any non-boolean truthy values like `yes`/`on`
with `true` or `false` (line 3), wrap or shorten lines exceeding 80 characters
(lines 16–19, 39, 43, 53, 55) so each is <=80 chars, ensure comments have at
least two spaces before `#` (line 26), remove trailing whitespace on lines 42,
45, 48, 51, 54, 60, and delete the extra blank lines at EOF (line 64);
afterwards run `yamllint .github/workflows/claude.yml` to confirm all violations
are resolved.
