@devondragon
Owner

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Copilot AI review requested due to automatic review settings October 26, 2025 19:06
@devondragon devondragon merged commit 0ff3b06 into main Oct 26, 2025
1 check passed
Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds GitHub Actions workflows to enable Claude Code integration, allowing team members to interact with Claude AI in pull requests and issues. The integration provides two workflows: one for on-demand Claude interactions via @claude mentions, and another for automatic code reviews on all pull requests.

Key Changes:

  • Added workflow for triggering Claude via @claude mentions in comments
  • Added workflow for automatic Claude code reviews on PRs
  • Both workflows use the anthropics/claude-code-action@v1 with repository secrets for authentication

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File | Description
.github/workflows/claude.yml | Implements on-demand Claude interactions triggered by @claude mentions in PR/issue comments
.github/workflows/claude-code-review.yml | Implements automatic Claude code reviews on opened and synchronized PRs

Comment on lines +22 to +24
contents: read
pull-requests: read
issues: read
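
Review bot: lines +22 to +24 grant read on contents, pull-requests and issues, while the PR description says the action creates comments, branches and commits with this token. Decide per scope which of the three the job actually has to write to and set only those to write, leaving the others at read, so the token handed to the agent stays as narrow as the job allows.
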
Copilot AI Oct 26, 2025

The workflow requires write permissions to create comments, branches, and commits as mentioned in the PR description, but only read permissions are granted. Add 'contents: write', 'pull-requests: write', and 'issues: write' to enable Claude to perform the described functionality.

Suggested change
contents: read
pull-requests: read
issues: read
contents: write
pull-requests: write
issues: write

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
Copilot AI Oct 26, 2025

The workflow needs write permissions for Claude to post review comments on PRs (as indicated by the 'gh pr comment' command in line 52), but only read permissions are granted. Add 'pull-requests: write' to allow comment creation.

Suggested change
pull-requests: read
pull-requests: write

- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
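
Review bot: the step references actions/checkout@v4 by tag, and a tag can be moved to different code after this workflow is merged. Pin the uses: line to the full commit SHA of the release you reviewed and keep the version in a trailing comment, since this job runs with the repository token in scope.
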
Copilot AI Oct 26, 2025

[nitpick] Using 'fetch-depth: 1' creates a shallow clone which may limit Claude's ability to analyze code history or context. Consider using 'fetch-depth: 0' or removing this parameter to allow full repository access when needed.

Suggested change
fetch-depth: 1
fetch-depth: 0

- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
Copilot AI Oct 26, 2025

[nitpick] Using 'fetch-depth: 1' creates a shallow clone which may limit Claude's ability to analyze code history or compare changes across commits. Consider using 'fetch-depth: 0' or removing this parameter for more comprehensive code review capabilities.

Suggested change
fetch-depth: 1
fetch-depth: 0

@devondragon devondragon deleted the add-claude-github-actions-1761505584262 branch October 26, 2025 19:08
@claude
claude bot commented Oct 26, 2025

Code Review: Add Claude Code GitHub Workflow

Thanks for implementing this integration! I've reviewed the PR and here's my feedback:

✅ Strengths

1. Security Implementation

  • Properly uses GitHub secrets for the OAuth token
  • Correct permission scoping with minimal required permissions (read-only for most)
  • Good use of id-token: write for secure authentication
  • Smart restriction of allowed tools using --allowed-tools parameter

2. Architecture & Design

  • Well-separated workflows: claude.yml for interactive mentions and claude-code-review.yml for automated PR reviews
  • Appropriate trigger conditions using contains() to detect @claude mentions
  • Good use of conditional logic to prevent unnecessary runs

3. Documentation

  • Excellent PR description explaining the feature, usage, and security considerations
  • Well-commented YAML files with helpful examples
  • References to official documentation

📝 Suggestions for Improvement

1. Consider Adding Write Permissions for Code Review Workflow

The claude-code-review.yml workflow might benefit from additional permissions to enable more interactive reviews. Change line 24 from pull-requests: read to pull-requests: write. This would allow Claude to post review comments directly on code lines and suggest changes.

2. Project-Specific Tool Allowances

For a Spring Boot project, consider adding project-specific testing and build tools like ./gradlew test, ./gradlew bootJar, etc. This aligns with the CLAUDE.md guidance.

3. Add Path Filtering for Code Review

Consider filtering to only run on Java/config file changes (src/**/*.java, build.gradle, etc.) to reduce unnecessary runs.

⚠️ Potential Issues

1. Missing PR Write Permission

The prompt in claude-code-review.yml line 52 instructs Claude to use gh pr comment, but the workflow only has pull-requests: read permission. This will fail when attempting to post comments.

Fix Required: Change line 24 from pull-requests: read to pull-requests: write

2. Workflow Won't Activate Until Merged

The PR description correctly notes this. Consider manual testing after merge with a test issue/PR.

🔒 Security Analysis

No concerns identified:

  • OAuth token properly secured
  • Minimal permission model
  • Tool access appropriately restricted
  • No exposure of sensitive data
  • fetch-depth: 1 limits repository access

Overall Assessment

This is a solid implementation of Claude Code integration. The main blocker is the permission issue preventing comment posting. Once pull-requests: write is added to the code review workflow, this should work well.

Recommended next steps:

  1. Create a follow-up PR to fix the pull-requests: write permission
  2. Consider adding project-specific tool allowances
  3. Test the workflows after merge
  4. Document any team guidelines for when to use @claude

Great work on the integration!
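
The mismatch both reviews above point out, a prompt that calls gh pr comment in a job that only has pull-requests: read, can be checked mechanically, along with the opposite problem of granting write where nothing uses it. The following is an added example, not part of this PR or of the claude-code-action project; the SAMPLE workflow is constructed, and the command-to-scope table is an assumption of the example.

```python
import re

# Assumption for this example: commands whose success depends on a GITHUB_TOKEN
# scope being "write". Extend the table for the commands your jobs really run.
WRITE_NEEDS = {
    r"\bgh pr (comment|review)\b": "pull-requests",
    r"\bgh issue comment\b": "issues",
    r"\bgit push\b": "contents",
}

# Constructed sample, modelled on the review workflow discussed in this thread.
SAMPLE = """\
jobs:
  claude-review:
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          prompt: |
            Review this PR and use `gh pr comment` to post feedback.
"""

def job_permissions(text):
    """Return {scope: level} from the first 'permissions:' mapping in text."""
    perms, indent = {}, None
    for line in text.splitlines():
        stripped, depth = line.strip(), len(line) - len(line.lstrip())
        if indent is None:
            if stripped == "permissions:":
                indent = depth
        elif stripped and depth <= indent:
            break  # dedent: we have left the permissions block
        elif stripped and not stripped.startswith("#"):
            scope, _, level = stripped.partition(":")
            perms[scope.strip()] = level.split("#")[0].strip()
    return perms

def audit(text):
    """Return (missing, excess) write scopes: needed but not granted, granted but unused."""
    perms = job_permissions(text)
    needed = {s for pat, s in WRITE_NEEDS.items() if re.search(pat, text)}
    granted = {s for s in WRITE_NEEDS.values() if perms.get(s) == "write"}
    return sorted(needed - granted), sorted(granted - needed)
```

On SAMPLE, audit reports pull-requests as missing; on a copy with every read switched to write, it reports contents and issues as excess. id-token is left out of the excess check because it controls OIDC token requests, not repository writes.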
