
Add Claude Code GitHub Workflow #1

Merged: crichalchemist merged 2 commits into main from add-claude-github-actions-1767587091915 on Jan 5, 2026

Conversation

@crichalchemist (Owner) commented:

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!
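The allowed_tools line above, and the later Copilot note about 'gh pr:*' versus 'gh pr comment:*', both depend on how Claude Code matches Bash permission rules. The following is an added example, not code from Claude Code, from the action, or from this PR: a small Python model of that matching. It follows the documented rule forms (Bash(cmd) is an exact match, Bash(prefix:*) is a prefix match, and a chained command is allowed only if every segment matches a rule); requiring the prefix to end on an argument boundary is this example's own stricter choice, and parse_rules, split_chain and command_allowed are names chosen here. The constructed rule strings show that Bash(gh pr:*) also admits gh pr merge, while Bash(gh pr comment:*) does not.

```python
"""Simplified model of Claude Code's Bash allow-list matching.

Added example, not the real matcher. Modelled rules:
  Bash(cmd)       exact command match
  Bash(prefix:*)  prefix match (here: on an argument boundary, an assumption)
A command joined with &&, ||, ; or | is allowed only if every segment is.
"""
import re
import shlex

RULE_RE = re.compile(r"^Bash\((.*)\)$")
CHAIN_OPERATORS = {"&&", "||", ";", "|"}


def parse_rules(allowed_tools):
    """'Bash(npm install),Bash(gh pr comment:*)' -> [(body, is_prefix), ...]."""
    rules = []
    for item in allowed_tools.split(","):
        m = RULE_RE.match(item.strip())
        if not m:
            continue  # non-Bash tools (Read, Edit, ...) are outside this model
        body = m.group(1)
        if body.endswith(":*"):
            rules.append((body[:-2], True))
        else:
            rules.append((body, False))
    return rules


def split_chain(command):
    """Split a shell line into separately executed segments, respecting quotes,
    so that a ';' inside a quoted --body argument does not count as a chain."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    segments, current = [], []
    for tok in lex:
        if tok in CHAIN_OPERATORS:
            if current:
                segments.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(" ".join(current))
    return segments


def segment_allowed(segment, rules):
    for body, is_prefix in rules:
        if is_prefix:
            # Boundary-aware prefix: 'gh pr' admits 'gh pr comment', not 'gh prune'.
            if segment == body or segment.startswith(body + " "):
                return True
        elif segment == body:
            return True
    return False


def command_allowed(command, rules):
    """Every segment of a chained command must be covered by some rule."""
    segments = split_chain(command)
    return bool(segments) and all(segment_allowed(s, rules) for s in segments)


# Constructed rule sets: the PR's narrow list versus the broad 'gh pr:*' form.
NARROW_RULES = parse_rules("Bash(npm install),Bash(npm run test),Bash(gh pr comment:*)")
BROAD_RULES = parse_rules("Bash(gh pr:*)")

if __name__ == "__main__":
    for cmd in ("npm install", "npm install evil-pkg",
                "gh pr comment 1 --body 'LGTM; ship it'",
                "gh pr comment 1 --body x && curl http://example.invalid",
                "gh pr merge 1 --squash"):
        print(f"{cmd!r}: narrow={command_allowed(cmd, NARROW_RULES)} "
              f"broad={command_allowed(cmd, BROAD_RULES)}")
```

The exact rule for npm install does not extend to npm install evil-pkg, and a chained command fails as soon as one segment is uncovered, which is the property that makes a narrow prefix like gh pr comment:* safer than gh pr:* for a bot that only needs to post reviews.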

Copilot AI review requested due to automatic review settings January 5, 2026 04:31
coderabbitai Bot commented Jan 5, 2026

Caution: Review failed. The pull request is closed.

Summary by CodeRabbit

Release Notes

  • New Features
    • Automated code review on pull requests with AI-powered feedback on code quality, potential bugs, performance, and security
    • AI-driven code analysis available through comments on pull requests and issues


Walkthrough

Two new GitHub Actions workflows are introduced to integrate Claude AI capabilities. The first triggers on pull requests for automated code reviews, while the second triggers on issue and PR events when explicitly invoked via "@claude" mentions. Both workflows configure necessary permissions and GitHub CLI tools to enable Claude to interact with the repository and provide feedback.

Changes

Cohort / File(s): GitHub Actions Workflows (.github/workflows/claude-code-review.yml, .github/workflows/claude.yml)
Summary: Adds two new CI/CD workflows: claude-code-review.yml for automated PR reviews triggered on PR events, and claude.yml for on-demand Claude code processing triggered on issues and PRs with "@claude" mentions. Both configure OAuth token authentication, repository permissions (contents, pull-requests, issues, id-token, actions), and GitHub CLI tools for Claude interaction.

Sequence Diagram(s)

sequenceDiagram
    actor GitHub as GitHub Platform
    participant Actions as GitHub Actions Runner
    participant Checkout as Repository Checkout
    participant Claude as Claude Code Review Action
    participant API as Claude API
    participant Output as PR Comment

    Note over GitHub,Output: Claude Code Review Workflow (PR Events)
    GitHub->>Actions: Pull request event (opened/synchronize)
    Actions->>Checkout: Checkout repository
    Checkout-->>Actions: Repository ready
    Actions->>Claude: Invoke Claude Code Review<br/>(with OAuth token & prompt)
    Claude->>API: Request code review<br/>(quality, bugs, performance, security)
    API-->>Claude: Review feedback
    Claude->>Output: Post review comment<br/>(via gh pr comment)
    Output-->>GitHub: Comment visible on PR

    Note over GitHub,Output: Claude Code Workflow (On-Demand)
    GitHub->>Actions: Issue/PR event with `@claude` mention
    activate Actions
    rect rgb(200, 220, 240)
        Actions->>Actions: Check comment/title for `@claude`
    end
    Actions->>Checkout: Checkout repository
    Checkout-->>Actions: Repository ready
    Actions->>Claude: Invoke Claude Code Action<br/>(with OAuth token)
    Claude->>API: Process code
    API-->>Claude: Processing result
    Claude->>Output: Return feedback
    deactivate Actions

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


📜 Recent review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 55aa47e and d293398.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml


@crichalchemist crichalchemist merged commit d6f3de8 into main Jan 5, 2026
4 of 5 checks passed
@crichalchemist crichalchemist deleted the add-claude-github-actions-1767587091915 branch January 5, 2026 04:31

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d293398d39

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +21 to +25 (.github/workflows/claude-code-review.yml):

    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read

P1: Allow review bot to comment on PRs

The claude-code-review job limits the GITHUB_TOKEN to read-only (contents, pull-requests, issues all set to read), but the workflow then asks the action to leave a PR review via gh pr comment. GitHub requires pull-requests: write (and usually issues: write) to create PR comments, so the action will fail when attempting to publish feedback and the workflow produces no review output. Grant write permission so the bot can post its results.


Comment on lines +20 to +26 (.github/workflows/claude.yml):

    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
      actions: read # Required for Claude to read CI results on PRs

P1: Bot cannot reply to @claude mentions

In the general claude workflow the job’s permissions are restricted to read-only scopes, but the anthropics action needs to write issue/PR comments to respond to @claude mentions. Without issues: write and pull-requests: write, any attempt to post a reply will be denied with a 403, leaving the workflow unable to deliver the requested assistance. Broaden the permissions so responses can be posted.


Copilot AI left a comment

Pull request overview

This PR adds GitHub Actions workflows to integrate Claude Code, an AI coding agent, into the repository. The integration enables automated code reviews on pull requests and allows team members to invoke Claude by mentioning @claude in PR or issue comments.

  • Adds workflow triggered by @claude mentions in comments for on-demand assistance
  • Adds automatic code review workflow that runs when PRs are opened or updated
  • Configures permissions and authentication using GitHub Actions secrets

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

.github/workflows/claude.yml: Main workflow that triggers when @claude is mentioned in PR/issue comments or when issues are opened/assigned
.github/workflows/claude-code-review.yml: Automated code review workflow that runs on PR open and synchronize events


        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Copilot AI, Jan 5, 2026

The workflow uses 'claude_code_oauth_token' but the PR description mentions "Anthropic API key" being stored as a secret. The parameter name should match the actual secret being used. If the secret is named 'CLAUDE_CODE_OAUTH_TOKEN', verify this is the correct authentication method. If using an Anthropic API key instead, the parameter should likely be 'anthropic_api_key' and the secret name should match.

Suggested change:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

Comment on lines +39 to +42:

          # This is an optional setting that allows Claude to read CI results on PRs
          additional_permissions: |
            actions: read


Copilot AI, Jan 5, 2026

The 'additional_permissions' configuration for 'actions: read' is redundant since it's already specified in the permissions block at lines 21-26. This duplication may cause confusion about which permissions are actually granted.

Suggested change (remove the lines):
-          # This is an optional setting that allows Claude to read CI results on PRs
-          additional_permissions: |
-            actions: read

Comment on lines +46 to +49:

          # Optional: Add claude_args to customize behavior and configuration
          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
          # or https://code.claude.com/docs/en/cli-reference for available options
          # claude_args: '--allowed-tools Bash(gh pr:*)'

Copilot AI, Jan 5, 2026

The allowed tools configuration uses wildcard patterns like 'gh pr:*' in the example comment on line 49, but the actual implementation on line 56 uses more specific patterns like 'gh pr comment:*'. This inconsistency in examples may cause confusion. Consider aligning the example with the specific pattern approach used in the code review workflow, or clarifying why different approaches are used.

Suggested change:
-          # claude_args: '--allowed-tools Bash(gh pr:*)'
+          # claude_args: '--allowed-tools Bash(gh pr comment:*)'

Comment on lines +22 to +24:

      contents: read
      pull-requests: read
      issues: read

Copilot AI, Jan 5, 2026

The permissions configuration is missing write access to pull-requests and issues, which is likely needed for Claude to post comments and create commits/branches as described in the PR description. Without write permissions, Claude won't be able to interact with the repository as intended.

Suggested change:
-      contents: read
-      pull-requests: read
-      issues: read
+      contents: write
+      pull-requests: write
+      issues: write

Comment on lines +24 to +25:

      pull-requests: read
      issues: read

Copilot AI, Jan 5, 2026

The permissions configuration is missing write access to pull-requests and issues. According to the workflow's purpose (code review with feedback), Claude needs write permissions to post review comments on the PR. Additionally, the contents: write permission may be needed if Claude is expected to create branches or commits.

Suggested change:
-      pull-requests: read
-      issues: read
+      pull-requests: write
+      issues: write

        id: claude
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Copilot AI, Jan 5, 2026

The workflow uses 'claude_code_oauth_token' but the PR description mentions "Anthropic API key" being stored as a secret. The parameter name should match the actual secret being used. If the secret is named 'CLAUDE_CODE_OAUTH_TOKEN', verify this is the correct authentication method. If using an Anthropic API key instead, the parameter should likely be 'anthropic_api_key' and the secret name should match.

Suggested change:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

claude Bot commented Jan 5, 2026

Code Review - Claude Code GitHub Workflow Integration

Thank you for setting up the Claude Code integration! This is a well-structured addition to enable AI-assisted development. Here's my detailed review:


Strengths

  1. Security-Conscious Design

    • Properly uses GitHub secrets for CLAUDE_CODE_OAUTH_TOKEN
    • Scoped permissions follow least-privilege principle
    • Limited tool access via allowed_tools parameter
    • Shallow checkout (fetch-depth: 1) minimizes data exposure
  2. Clear Separation of Concerns

    • claude.yml: Interactive @claude mentions for general assistance
    • claude-code-review.yml: Automated PR reviews on [opened, synchronize]
    • This dual-workflow approach provides flexibility
  3. Good Documentation

    • Comprehensive PR description explains purpose, usage, and security
    • Inline comments provide customization guidance
    • Links to official documentation

🔒 Security Concerns

CRITICAL: Workflow Runs on All PRs (including from forks)

File: .github/workflows/claude-code-review.yml:3-4

on:
  pull_request:
    types: [opened, synchronize]

Issue: This workflow triggers on all PRs, including those from untrusted external contributors. While GitHub Actions secrets aren't exposed to fork PRs by default, this creates several risks:

  1. Resource Exhaustion: Malicious actors could open spam PRs to consume your Claude API quota
  2. Token Leakage Risk: If workflow permissions are misconfigured in the future, secrets could be exposed
  3. Unintended Automation: External PRs trigger automated reviews without maintainer oversight

Recommended Fix:

Add a filter to only run on PRs from trusted collaborators:

jobs:
  claude-review:
    # Only run for organization members or specific collaborators
    if: |
      github.event.pull_request.head.repo.full_name == github.repository ||
      github.event.pull_request.author_association == 'MEMBER' ||
      github.event.pull_request.author_association == 'COLLABORATOR' ||
      github.event.pull_request.author_association == 'OWNER'
    
    runs-on: ubuntu-latest
    # ... rest of workflow

Alternatively, require manual approval for external PRs:

on:
  pull_request_target:  # Runs in the context of the base repo
    types: [labeled]

jobs:
  claude-review:
    if: contains(github.event.pull_request.labels.*.name, 'safe-to-review')
    # ... rest of workflow

Missing Rate Limiting

Consideration: The workflow has no rate limiting or concurrency controls. Multiple PRs or rapid updates could exhaust API quota.

Recommended Addition:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true  # Cancel outdated reviews when PR is updated

⚠️ Potential Issues

1. Overly Permissive Triggers in claude.yml

File: .github/workflows/claude.yml:6-10

on:
  issues:
    types: [opened, assigned]

Issue: This triggers on all new issues, even if they don't mention @claude. The conditional check happens in the job, but the workflow still initializes (consuming runner minutes).

Recommended Fix:

Remove issues.opened and issues.assigned from triggers, relying solely on issue_comment for @claude mentions:

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_review:
    types: [submitted]
  # Remove 'issues' trigger entirely

2. Missing Error Handling

File: Both workflows

Issue: No fallback behavior if Claude Code action fails (e.g., API quota exceeded, service outage).

Recommended Addition:

- name: Run Claude Code Review
  id: claude-review
  continue-on-error: true  # Don't block PR merges if Claude fails
  uses: anthropics/claude-code-action@v1
  # ... existing config

- name: Handle Claude Failure
  # With continue-on-error the job status stays "success", so failure() is never
  # true here; test the step's own outcome instead.
  if: steps.claude-review.outcome == 'failure'
  run: |
    echo "::warning::Claude Code review failed. Please review manually."

3. Hardcoded Action Version

File: Both workflows

uses: anthropics/claude-code-action@v1

Issue: Using @v1 (mutable tag) means the action could change unexpectedly. For production stability, pin to a specific commit SHA.

Recommended:

uses: anthropics/claude-code-action@abc123def  # Pin to specific commit SHA
# Or use semantic versioning:
uses: anthropics/claude-code-action@v1.2.3

Check the releases page for the latest stable version.


🚀 Performance Considerations

1. Shallow Checkout is Good

fetch-depth: 1

This minimizes data transfer and speeds up workflow runs. Good choice.

2. Consider Differential Reviews

For large PRs, Claude reviews every file. Consider adding file filters:

on:
  pull_request:
    types: [opened, synchronize]
    paths:
      - 'backend/**/*.py'
      # GitHub's path filters support * ** ? + [] and !, not {a,b} brace
      # expansion, so each extension gets its own pattern
      - 'frontend/**/*.ts'
      - 'frontend/**/*.tsx'
      - 'frontend/**/*.js'
      - 'frontend/**/*.jsx'
      - '!**/*.test.*'  # Exclude test files from auto-review

📋 Missing: Context for DigniFi's Mission

File: .github/workflows/claude-code-review.yml:39-51

Observation: The review prompt is generic. Given DigniFi's trauma-informed, UPL-compliant mission, Claude should be primed with project-specific guidelines.

Recommended Enhancement:

prompt: |
  REPO: ${{ github.repository }}
  PR NUMBER: ${{ github.event.pull_request.number }}

  Please review this pull request with special attention to:
  
  **DigniFi-Specific Requirements:**
  - **UPL Compliance**: Ensure no language crosses from legal information to legal advice
  - **Trauma-Informed Design**: Verify user-facing text preserves dignity (no shame/blame language)
  - **Data Security**: Check for proper encryption of PII (SSN, income, debt amounts)
  - **Plain Language**: Target 6th-8th grade reading level for user-facing strings
  - **Accessibility**: WCAG 2.1 AA compliance (ARIA labels, keyboard nav, semantic HTML)

  **Standard Review Areas:**
  - Code quality and best practices
  - Potential bugs or issues
  - Performance considerations
  - Security concerns
  - Test coverage

  Use the repository's CLAUDE.md for complete style and compliance guidelines.
  
  Use `gh pr comment` to leave your review as a comment on the PR.

This ensures Claude reviews align with your project's ethical and legal constraints.


🧪 Test Coverage

Status: N/A (workflow configuration, not application code)

Recommendation: After merging, test the workflow by:

  1. Creating a test PR from a branch
  2. Verifying Claude posts a review comment
  3. Commenting @claude help on an issue to test interactive mode
  4. Testing the if conditionals with a fork PR (if applicable)

📝 Documentation Quality

PR Description: Excellent! Clear, comprehensive, and includes security notes.

Suggested Addition: Add a troubleshooting section to the PR description:

### Troubleshooting

**Claude doesn't respond to @mentions:**
- Verify `CLAUDE_CODE_OAUTH_TOKEN` secret is set in repository settings
- Check Actions tab for failed workflow runs
- Ensure you have write access to the repository

**Workflow fails with 403 errors:**
- Confirm the OAuth token has correct permissions
- Check if repository has Actions enabled in Settings > Actions

Summary

Overall Assessment: This is a solid implementation with good security foundations. The main concern is the unrestricted PR trigger in claude-code-review.yml, which could be exploited by external contributors.

Priority Actions:

  1. 🔴 HIGH: Add PR author filtering to claude-code-review.yml (security risk)
  2. 🟡 MEDIUM: Add concurrency controls (cost optimization)
  3. 🟡 MEDIUM: Enhance prompt with DigniFi-specific guidelines (mission-critical)
  4. 🟢 LOW: Remove unnecessary issues trigger from claude.yml (optimization)
  5. 🟢 LOW: Pin action versions to specific commits (stability)

Recommendation: Approve with suggested improvements

The workflow is functional and secure for internal use. Implementing the HIGH/MEDIUM priority fixes will harden it for long-term production use, especially as the project scales and attracts external contributors.


Great work setting this up! The dual-workflow approach (auto-review + @mention) is thoughtful and will significantly accelerate development. Let me know if you'd like help implementing any of these recommendations.

Review conducted by Claude Code (Sonnet 4.5) analyzing PR #1
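The Codex and Copilot permission comments and the review above raise four checks that can be made mechanically: whether a job that posts comments holds pull-requests: write and issues: write, whether a pull_request trigger has any author or head-repo gate, whether action refs are pinned to a commit SHA, and whether a concurrency group exists. The following Python audit is an added example, not code from this PR or from the claude-code-action project. The two workflow dicts are constructed to mirror the YAML excerpted in this thread, in the shape yaml.safe_load() would return (in real use, load the file with yaml.safe_load instead); REVIEW_WF, LABEL_GATED_WF, audit_workflow and harden are names chosen here. One caveat the label-gated alternative above does not state: pull_request_target runs with the base repository's secrets and write-capable token, so a job that checks out the PR head under it hands that token to untrusted code, and the audit flags that shape too.

```python
"""Static audit of parsed GitHub Actions workflows for the hardening points
raised in this PR thread. Added example; the sample workflows are constructed
dicts, not the repository's files."""
import copy
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")

# Constructed: shape of claude-code-review.yml as quoted in the review comments.
REVIEW_WF = {
    "name": "Claude Code Review",
    "on": {"pull_request": {"types": ["opened", "synchronize"]}},
    "jobs": {"claude-review": {
        "runs-on": "ubuntu-latest",
        "permissions": {"contents": "read", "pull-requests": "read",
                        "issues": "read", "id-token": "write"},
        "steps": [
            {"uses": "actions/checkout@v4", "with": {"fetch-depth": 1}},
            {"id": "claude-review", "uses": "anthropics/claude-code-action@v1",
             "with": {"claude_code_oauth_token": "${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}",
                      "prompt": "Review this PR. Use `gh pr comment` to post your review.",
                      "claude_args": "--allowed-tools Bash(gh pr comment:*)"}},
        ],
    }},
}

# Constructed: the label-gated alternative, but checking out the PR head, which
# is the pwn-request shape under pull_request_target.
LABEL_GATED_WF = {
    "on": {"pull_request_target": {"types": ["labeled"]}},
    "jobs": {"claude-review": {
        "if": "contains(github.event.pull_request.labels.*.name, 'safe-to-review')",
        "permissions": {"pull-requests": "write", "issues": "write"},
        "steps": [{"uses": "actions/checkout@v4",
                   "with": {"ref": "${{ github.event.pull_request.head.sha }}"}}],
    }},
}


def triggers(wf):
    """Trigger map; PyYAML parses a bare `on:` key as boolean True, so accept both."""
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return {on: {}}
    if isinstance(on, list):
        return {name: {} for name in on}
    return on or {}


def audit_workflow(wf):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    on = triggers(wf)
    if "concurrency" not in wf:
        findings.append("no concurrency group: every push queues another full run")
    for name, job in wf.get("jobs", {}).items():
        steps = job.get("steps", [])
        # Job-level permissions override workflow-level; None means the repo default token.
        perms = job.get("permissions", wf.get("permissions")) or {}
        # A step told to run `gh pr comment` / `gh issue comment` needs write scopes.
        if any("gh pr comment" in str(s.get("with", {})) or "gh issue comment" in str(s.get("with", {}))
               for s in steps):
            for scope in ("pull-requests", "issues"):
                have = perms.get(scope, "unset")
                if have != "write":
                    findings.append(f"{name}: posts comments but {scope} is {have!r}, needs write")
        # pull_request with no job-level gate runs for any fork PR.
        if "pull_request" in on and "if" not in job:
            findings.append(f"{name}: pull_request trigger has no author gate; fork PRs run it")
        # pull_request_target + checkout of the PR head = untrusted code with base-repo token.
        if "pull_request_target" in on:
            for s in steps:
                ref = str(s.get("with", {}).get("ref", ""))
                if str(s.get("uses", "")).startswith("actions/checkout") and "pull_request.head" in ref:
                    findings.append(f"{name}: checks out PR head under pull_request_target (pwn-request)")
        # Tags and branches can be moved; only a full commit SHA is immutable.
        for s in steps:
            uses = str(s.get("uses", ""))
            if "@" in uses and not SHA40.match(uses.rsplit("@", 1)[1]):
                findings.append(f"{name}: {uses} uses a mutable ref, pin a commit SHA")
    return findings


def harden(wf):
    """Apply the fixes that need no outside information: write scopes, author gate,
    concurrency. Pinning is left alone because the SHA must come from the action's releases."""
    out = copy.deepcopy(wf)
    out.setdefault("concurrency", {
        "group": "${{ github.workflow }}-${{ github.event.pull_request.number }}",
        "cancel-in-progress": True})
    for job in out["jobs"].values():
        job.setdefault("permissions", {}).update({"pull-requests": "write", "issues": "write"})
        job.setdefault("if", "github.event.pull_request.head.repo.full_name == github.repository "
                             "|| contains(fromJSON('[\"OWNER\",\"MEMBER\",\"COLLABORATOR\"]'), "
                             "github.event.pull_request.author_association)")
    return out


if __name__ == "__main__":
    for f in audit_workflow(REVIEW_WF):
        print("before:", f)
    for f in audit_workflow(harden(REVIEW_WF)):
        print("after: ", f)
    for f in audit_workflow(LABEL_GATED_WF):
        print("gated: ", f)
```

Running the block lists six findings for the constructed review workflow and two after harden(): the unpinned actions/checkout@v4 and anthropics/claude-code-action@v1 refs, which only a SHA taken from each action's release page can close. The label-gated variant passes the scope checks but is flagged for checking out the PR head under pull_request_target.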

crichalchemist added a commit that referenced this pull request Feb 25, 2026
* "Claude PR Assistant workflow"

* "Claude Code Review workflow"
