
Conversation

@leogdion (Member) commented Jan 6, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!



Summary by CodeRabbit

  • Chores
    • Added an automated AI code-review workflow ("Claude Code Review") that runs on pull request creation and updates and posts reviews as PR comments.
    • Added an AI automation that responds to issue comments, PR review mentions, and certain issue events to generate contextual guidance and reviews.


coderabbitai bot commented Jan 6, 2026

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

Two new GitHub Actions workflows were added: .github/workflows/claude-code-review.yml (PR-triggered automated code review) and .github/workflows/claude.yml (issue/comment/mention-triggered Claude automations).

Changes

Cohort / File(s) | Summary
PR code-review workflow (.github/workflows/claude-code-review.yml) | New workflow triggered on pull_request opened/synchronize. Checks out the repo and runs anthropics/claude-code-action with the CLAUDE_CODE_OAUTH_TOKEN secret and claude_args. Contains a permissions block and commented optional PR/path filters and prompt customizations.
Mention-driven Claude workflow (.github/workflows/claude.yml) | New workflow triggered on issue comments, PR review comments mentioning @claude, and issue create/assign events. Defines the claude job, permissions, a checkout step, and runs anthropics/claude-code-action@v1 with CLAUDE_CODE_OAUTH_TOKEN. Includes commented prompt/claude_args examples and optional additional permissions.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GHEvents as GitHub Events
  participant Runner as Actions Runner
  participant Repo as Repository (checkout)
  participant CLAUDE_Action as anthropics/claude-code-action
  participant ClaudeAPI as Claude Service
  participant GHAPI as GitHub REST API

  Note over GHEvents,Runner: Trigger (PR open/synchronize OR comment/mention)
  GHEvents->>Runner: start workflow
  Runner->>Repo: checkout code
  Runner->>CLAUDE_Action: invoke action (token, claude_args, prompt)
  CLAUDE_Action->>ClaudeAPI: send structured prompt + repo context
  ClaudeAPI-->>CLAUDE_Action: generated review/comment
  CLAUDE_Action->>GHAPI: post PR/issue comment
  GHAPI-->>GHEvents: comment posted

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through YAML, keys in a row,

Whispered to Claude where the PRs go,
Secrets snug, triggers set to hum,
Comments return — a tidy drum,
I twitch my nose and say — well done!

Pre-merge checks

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately captures the main change: adding GitHub Actions workflows for Claude Code integration. It is concise, clear, and directly reflects the primary purpose of the changeset.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e430a9d and d61e63a.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml


codecov bot commented Jan 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (53e0dee) to head (d61e63a).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@          Coverage Diff          @@
##            main     #35   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files         24      24           
  Lines        351     351           
=====================================
  Misses       351     351           
Flag Coverage Δ
6.2 0.00% <ø> (ø)
ios18.1 0.00% <ø> (ø)
ios18.6 0.00% <ø> (ø)
ios26.2 0.00% <ø> (ø)
macos 0.00% <ø> (ø)
nightly-6.3 0.00% <ø> (ø)
spm 0.00% <ø> (ø)
tvos26.2 0.00% <ø> (ø)
ubuntu 0.00% <ø> (ø)
visionos26.2 0.00% <ø> (ø)
watchos11.2 0.00% <ø> (ø)
watchos11.5 0.00% <ø> (ø)
watchos26.2 0.00% <ø> (ø)


coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI Agents
In @.github/workflows/claude-code-review.yml:
- Around line 22-26: The workflow grants only read access for the pull-requests
permission, which prevents Claude from posting review comments with `gh pr
comment`; update the permissions block so the `pull-requests` permission is set
to `write` (leave other permissions unchanged) so the `gh pr comment` tool can
create comments during the run.

In @.github/workflows/claude.yml:
- Around line 21-26: Update the GitHub Actions workflow permissions block so the
keys contents, pull-requests, and issues are set to write (instead of read) to
allow the anthropics/claude-code-action to post comments and make changes;
locate the permissions block that currently lists contents: read, pull-requests:
read, issues: read, id-token: write, actions: read and change the three read
values to write while leaving id-token and actions unchanged.
- Around line 15-19: The workflow 'if' conditional allows any mention of
'@claude' to trigger runs; restrict it by also checking the event actor's
author_association so only owners, members or collaborators can trigger it.
Update each branch in the multi-line if to AND an author_association check: for
issue_comment and pull_request_review_comment use
github.event.comment.author_association, for pull_request_review use
github.event.review.user.author_association, and for issues use
github.event.issue.author_association, comparing against allowed values
("OWNER", "MEMBER", "COLLABORATOR") so the condition requires both the mention
and an allowed author_association.
🧹 Nitpick comments (5)
.github/workflows/claude.yml (2)

35-37: Consider pinning the action to a specific commit SHA.

Using @v1 allows automatic updates to the latest v1.x version, which could introduce breaking changes or security issues without review.

🔎 Suggested improvement

Pin to a specific commit and use Dependabot to manage updates:

      - name: Run Claude Code
        id: claude
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@abc123  # v1.x.x
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
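Review bot: `abc123  # v1.x.x` in the `+` line is a placeholder, not a pin. Replace it with the full 40-character commit SHA of the release tag that was actually vetted and put that real tag in the trailing comment (for example `# v1.0.0`); Dependabot updates SHA-pinned actions together with a version comment in that form, and a short or made-up SHA fails at checkout.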

Then create .github/dependabot.yml to keep actions updated:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

40-41: Remove redundant additional_permissions block.

The additional_permissions block grants actions: read, but this permission is already explicitly granted in the permissions section at line 26.

🔎 Proposed cleanup
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

-          # This is an optional setting that allows Claude to read CI results on PRs
-          additional_permissions: |
-            actions: read
-
          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
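Review bot: the removed comment states that `additional_permissions` exists to let Claude read CI results on PRs, which describes a setting on the action's own token rather than the job-level `GITHUB_TOKEN` that the `permissions:` block at line 26 configures. Before deleting these lines, confirm that the action consults `actions: read` on the job token; otherwise this cleanup silently drops the CI-results capability the comment documents.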
.github/workflows/claude-code-review.yml (3)

4-5: Running automated reviews on all PRs may be costly and unnecessary.

The workflow triggers on every PR open and synchronize event without any filtering. This could result in high API costs and may be unnecessary for trivial changes or PRs from trusted team members.

Consider activating the commented-out filtering options:

🔎 Suggested improvements

Option 1: Enable path filtering to only review specific file types:

  pull_request:
    types: [opened, synchronize]
-    # Optional: Only run on specific file changes
-    # paths:
-    #   - "src/**/*.ts"
-    #   - "src/**/*.tsx"
-    #   - "src/**/*.js"
-    #   - "src/**/*.jsx"
+    paths:
+      - "src/**/*.swift"
+      - "src/**/*.ts"
+      - "Tests/**/*.swift"
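Review bot: the `+` globs keep `src/**/*.ts` in what the Codecov flags (spm, ios, watchos, macos) show is a Swift package, and `src/` next to `Tests/` reads like guessed directory names (Swift packages conventionally use `Sources/`). Verify each pattern against the checked-out tree: a `paths:` filter that matches nothing disables the review silently, and PRs confined to unlisted files such as `Package.swift` or the workflow files themselves will not be reviewed either.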

Option 2: Enable author filtering for external contributors:

  claude-review:
-    # Optional: Filter by PR author
-    # if: |
-    #   github.event.pull_request.user.login == 'external-contributor' ||
-    #   github.event.pull_request.user.login == 'new-developer' ||
-    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+    if: |
+      github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' ||
+      github.event.pull_request.author_association == 'FIRST_TIMER' ||
+      github.event.pull_request.author_association == 'CONTRIBUTOR'
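Review bot: the replacement `if:` reviews `CONTRIBUTOR`, `FIRST_TIMER` and `FIRST_TIME_CONTRIBUTOR` but omits `NONE`, the association GitHub reports for an author with no relationship to the repository, so PRs from exactly the accounts this option is meant to cover can skip review. Add `NONE` to the list (or invert the check to exclude `OWNER`, `MEMBER` and `COLLABORATOR`) and state in a comment that owner/member PRs are intentionally unreviewed.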

Option 3: Add concurrency controls to prevent multiple simultaneous reviews:

  claude-review:
    concurrency:
      group: claude-review-${{ github.event.pull_request.number }}
      cancel-in-progress: true

31-32: Shallow clone may limit review context.

fetch-depth: 1 performs a shallow clone with only the latest commit. For comprehensive code reviews, Claude may benefit from accessing git history, blame information, or comparing against the base branch.

🔎 Consider fetching more history
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
-          fetch-depth: 1
+          fetch-depth: 0  # Full history for comprehensive reviews
+          # Or use a reasonable depth like:
+          # fetch-depth: 50
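Review bot: the two added comment lines present `fetch-depth: 50` as an alternative beneath a live `fetch-depth: 0`, leaving the file documenting two choices; settle on one and say why. If a finite depth is chosen, a comparison against the base branch can still fail when the merge base lies beyond that depth, so `0` is the safe default until checkout time becomes a measured problem.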

Note: This increases checkout time and uses more disk space, so balance against your needs.


36-38: Consider aligning action versions with repository-wide pinning strategy.

The use of @v1 follows the repository's established pattern across all workflows (see actions/checkout@v4, github/codeql-action@v3, etc.), but GitHub security best practices recommend pinning actions to full commit SHAs instead of semantic versions to prevent supply-chain updates. If this repository adopts SHA pinning, it should be applied consistently across all workflows. The CLAUDE_CODE_OAUTH_TOKEN secret reference cannot be verified from the codebase and requires confirmation in repository settings.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c18df55 and d5977c8.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml
🔇 Additional comments (2)
.github/workflows/claude.yml (1)

37-37: Verify the secret CLAUDE_CODE_OAUTH_TOKEN is configured in repository settings.

This secret is referenced in both .github/workflows/claude.yml (line 37) and .github/workflows/claude-code-review.yml. The workflow will fail at runtime if the secret is not configured in the repository's GitHub Settings > Secrets and variables > Actions section.

.github/workflows/claude-code-review.yml (1)

56-56: Configuration correctly restricts Claude to explicitly allowed commands.

The claude-code-action uses a strict allowlist model where Claude can only execute Bash commands matching the specified patterns. The tool cannot escape these restrictions to run arbitrary commands—enforcement combines tool-level controls, input sanitization, command blocklists, and OS-level sandboxing. The current configuration appropriately whitelists read-only GitHub CLI operations (gh issue, gh search, gh pr view, gh pr diff) plus gh pr comment (necessary for code review feedback). This follows security best practices.

@leogdion force-pushed the add-claude-github-actions-1767713736622 branch from d5977c8 to e430a9d on January 6, 2026 23:26

coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI Agents
In @.github/workflows/claude.yml:
- Around line 15-19: The workflow's if condition currently triggers on any
mention of '@claude' and must be restricted to authorized users; update the
condition to require that the actor's author_association is one of 'OWNER',
'MEMBER', or 'COLLABORATOR' for each event branch: check
github.event.comment.author_association for 'issue_comment' and
'pull_request_review_comment', github.event.review.author_association for
'pull_request_review', and github.event.issue.author_association for 'issues',
combining those association checks with the existing contains(...) checks so the
job only runs when both the mention and an allowed author_association are
present.
- Around line 21-26: The workflow's GitHub Actions permissions are too
restrictive for the anthropics/claude-code-action: update the permissions block
so that contents, pull-requests, and issues are set to write (retain id-token:
write and actions: read) — change the entries named "contents", "pull-requests",
and "issues" from read to write in the permissions stanza so the action can post
comments and make changes.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d5977c8 and e430a9d.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/claude-code-review.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: Build on macOS (watchos, macos-15, /Applications/Xcode_16.1.app, Apple Watch Ultra 2 (49mm), 11.2...
  • GitHub Check: Build on macOS (macos, macos-26, /Applications/Xcode_26.2.app)
  • GitHub Check: Build on macOS (watchos, macos-26, /Applications/Xcode_26.2.app, Apple Watch Ultra 3 (49mm), 26.2)
  • GitHub Check: Build on Android (6.2, 33)
  • GitHub Check: Build on Android (6.1, 28)
  • GitHub Check: Build on Windows (windows-2025, swift-6.2-release, 6.2-RELEASE)
  • GitHub Check: Build on Windows (windows-2022, swift-6.2-release, 6.2-RELEASE)
  • GitHub Check: Build on Android (nightly-main, 34)

- Add write permissions for pull-requests in claude-code-review.yml to enable comment posting
- Add write permissions for contents, pull-requests, and issues in claude.yml
- Restrict claude.yml workflow execution to authorized users (OWNER, MEMBER, COLLABORATOR)

Addresses CodeRabbit review feedback on PR #35.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
@leogdion leogdion merged commit 51bcc14 into main Jan 6, 2026
21 of 22 checks passed
@leogdion leogdion deleted the add-claude-github-actions-1767713736622 branch January 6, 2026 23:37