44 changes: 44 additions & 0 deletions .github/workflows/claude-code-review.yml
@@ -0,0 +1,44 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"

jobs:
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

runs-on: ubuntu-latest
Comment on lines +14 to +21
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/claude-code-review.yml

Repository: wangdiues/layguel360-v0

Length of output: 1808


Skip this job for forked PRs to avoid secret-missing failures.

This workflow uses secrets.CLAUDE_CODE_OAUTH_TOKEN on pull_request; fork-origin PR runs will not have that secret and will fail noisily.

🛡️ Suggested guard
 jobs:
   claude-review:
+    if: ${{ !github.event.pull_request.head.repo.fork }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
runs-on: ubuntu-latest
claude-review:
if: ${{ !github.event.pull_request.head.repo.fork }}
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
runs-on: ubuntu-latest
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-code-review.yml around lines 14 - 21, the
claude-review job can fail on forked PRs because secrets.CLAUDE_CODE_OAUTH_TOKEN
isn't available; update the claude-review job to skip runs for forked PRs by
adding a job-level conditional that ensures the PR's head repo matches the base
repository (or that the PR is not from a fork) before using secrets. Modify the
claude-review job (refer to the claude-review job name and the use of
secrets.CLAUDE_CODE_OAUTH_TOKEN) to include an if condition that only runs when
github.event.pull_request.head.repo.full_name == github.repository (or an
equivalent check for non-fork PRs) so the job is skipped for forked pull
requests.

permissions:
contents: read
pull-requests: read
issues: read
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
Comment on lines +29 to +37
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the workflow files exist
fd -t f "claude.*\.yml" .github/workflows/

Repository: wangdiues/layguel360-v0

Length of output: 137


🏁 Script executed:

# Read the claude-code-review.yml file around lines 29-37
if [ -f .github/workflows/claude-code-review.yml ]; then
  echo "=== claude-code-review.yml (lines 20-45) ==="
  sed -n '20,45p' .github/workflows/claude-code-review.yml
fi

Repository: wangdiues/layguel360-v0

Length of output: 983


🏁 Script executed:

# Check all workflow files for these actions
if [ -f .github/workflows/claude.yml ]; then
  echo "=== claude.yml (all) ==="
  cat -n .github/workflows/claude.yml
fi

Repository: wangdiues/layguel360-v0

Length of output: 2328


🌐 Web query:

GitHub Actions best practices pin to commit SHA security

💡 Result:

Best practice: pin third-party GitHub Actions to a full-length (40-character) commit SHA in your workflow (e.g., actions/checkout@) rather than to tags like @v4, and use GitHub policies to enforce SHA pinning so unpinned actions fail.

Why pin to commit SHA
- GitHub's "secure use" guidance states that pinning an action to a full-length commit SHA is "currently the only way to use an action as an immutable release," and that it helps mitigate backdoor risk because an attacker would need to generate a SHA-1 collision for a valid Git object payload. It also instructs you to verify the SHA comes from the action's repository and not a fork.[1]
- GitHub also notes that tag pinning is convenient but less secure because a tag can be moved or deleted if a bad actor gains access to the action's repository.[1]

How to do it in practice
1) Replace tag references with full SHA in the workflow YAML. Example pattern: uses: actions/checkout@ [1]
2) Add a short comment next to the SHA showing which tag/version it corresponds to (this keeps reviews maintainable). (This is commonly recommended; GitHub's docs emphasize full SHA pinning and verification.) [2][1]
3) Verify the SHA is from the action's upstream repository, not a fork.[1]

Enforce it org/repo-wide (recommended)
- GitHub added an "allowed actions policy" feature to enforce SHA pinning: it recommends workflows pin dependency versions to a specific commit SHA to prevent malicious code in updated branches/tags from being used automatically, and administrators can enforce SHA pinning through an "allowed actions policy." The policy checks for a full commit SHA and workflows that use an action that isn't pinned will fail.[3]

Net answer to your query
- "Pin to commit SHA" is the correct security best practice; use full-length commit SHAs (not shortened SHAs, not tags) and enforce SHA pinning with GitHub's allowed-actions policy.[1][3]

Citations:


🌐 Web query:

actions/checkout v4 pinning commit SHA recommendations

💡 Result:

Recommendation (secure + actionable): pin actions/checkout v4 to an immutable full-length commit SHA (not a mutable tag like v4).

Example:
- uses: actions/checkout@<FULL_COMMIT_SHA> # v4.x.y (pin to the commit that implements the v4.x.y tag you tested)

Why:
1) Pinning to a full-length commit SHA is the only way to make a GitHub Action reference immutable, mitigating the risk that the tag could move to different code later [1].
2) Using tags like @v4 is mutable because a tag is effectively a pointer to a specific SHA that can change [1].

How to find the exact SHA for the v4 release you want:
- Go to the actions/checkout repo and open the tag you're targeting (e.g., the v4.x.y release tag), then copy the commit SHA the tag points to; the changelog/release pages show the specific v4.x.y release you can pin [2][3].

Notes specific to actions/checkout v4:
- By default it checks out only a single commit: the ref/SHA that triggered the workflow (set fetch-depth: 0 if you need full history) [4].
- The action outputs include the checked-out commit SHA (useful for auditing/pinning checks) [5].

What commit SHA should you pin to "right now"?
- This requires choosing a specific v4.x.y release (e.g., v4.2.0 vs another v4 patch), then pinning to the SHA that tag resolves to; the sources retrieved here confirm the correct method but don't provide the exact SHA value for a chosen v4.x.y in the query results. If you tell me which v4 patch you want (or whether "latest v4.x.y" is acceptable), I can look up the corresponding tag's commit SHA and give you the exact one-line YAML.

Citations:


🌐 Web query:

anthropic claude-code-action v1 pinning SHA support

💡 Result:

Yes, Anthropic's claude-code-action v1 supports pinning to a commit SHA for secure usage in GitHub workflows. Users commonly pin it like uses: anthropics/claude-code-action@a3ff61d47aa5118a43b33ae44c4087d9eb51111a # v1 to meet organization requirements for immutable references and prevent supply chain attacks [1][2]. This is a standard GitHub Actions best practice, and the repository has implemented internal pinning of its nested actions (e.g., PR #1293 to pin to commit SHAs [3], issue #15 resolved by pinning dependencies [4]). Official docs show usage with @v1 but do not prohibit or restrict SHA pinning, and community examples confirm it works [5][6][7]. Specific SHAs like 01e756b34ef7a1447e9508f674143b07d20c2631 have been used as workarounds for bugs [2]. The repo has 174 releases under v1.x (latest v1.0.110 as of 2026-04-29 [5]), allowing precise pinning to tested commits.

Citations:


Pin GitHub Actions to immutable commit SHAs.

Both actions/checkout@v4 and anthropics/claude-code-action@v1 use mutable tags. GitHub's security guidance states that pinning to full-length commit SHAs is the only way to use actions as immutable releases and mitigates supply-chain drift risk. Apply the same fix to .github/workflows/claude.yml.

🔒 Suggested hardening diff
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@<full-length-checkout-sha> # v4 release commit
         with:
           fetch-depth: 1

       - name: Run Claude Code Review
         id: claude-review
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@<full-length-claude-action-sha> # v1 release commit
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-code-review.yml around lines 29 - 37, replace
mutable action tags with pinned full commit SHAs: find the uses lines "uses:
actions/checkout@v4" and "uses: anthropics/claude-code-action@v1" in the
workflow and substitute each tag with the corresponding full-length commit SHA
for the released commit you want to pin (do the same change in the other
workflow that uses these actions). Ensure you update both occurrences (checkout
and anthropics action) and verify the SHAs correspond to the exact release
commit you intend to lock to before committing.
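The pinning check the comment above recommends, as an added example that is not part of this PR or of the claude-code-action project: a POSIX shell lint that lists every `uses:` reference in a set of workflow files that is not pinned to a full-length 40-hex commit SHA. The sample workflow files and the SHAs in the demo are constructed placeholders, not real release commits; local `./` actions are skipped because they have no remote ref to pin.

```shell
#!/bin/sh
# Added example, not code from the PR: lint GitHub Actions workflow files for
# `uses:` references that are not pinned to a 40-hex-digit commit SHA.

# list_uses FILE...  -> one action reference per line, with the leading
# "- uses:" prefix, trailing "# comment" and surrounding quotes removed.
list_uses() {
  grep -h -E '^[[:space:]]*-?[[:space:]]*uses:' "$@" 2>/dev/null \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
    | tr -d "\"'"
}

# is_pinned REF -> exit 0 when REF is a local action path (nothing remote to pin)
# or ends in "@<40 hex digits>", exit 1 otherwise (tags such as @v4, branches).
is_pinned() {
  case "$1" in
    ./*) return 0 ;;
    *) printf '%s\n' "$1" | grep -q -E '@[0-9a-f]{40}$' ;;
  esac
}

# check_pinned FILE... -> prints every unpinned reference, one per line;
# exit 1 if any were found, exit 0 when everything is pinned.
check_pinned() {
  rc=0
  for ref in $(list_uses "$@"); do
    if ! is_pinned "$ref"; then
      printf '%s\n' "$ref"
      rc=1
    fi
  done
  return $rc
}

# Demo on constructed input. review.yml mirrors the two tag-pinned `uses:` lines
# in this PR; pinned.yml is the same shape with placeholder SHAs (not real commits).
demo_dir=$(mktemp -d)
cat > "$demo_dir/review.yml" <<'EOF'
steps:
  - name: Checkout repository
    uses: actions/checkout@v4
  - name: Run Claude Code Review
    uses: anthropics/claude-code-action@v1
  - uses: ./.github/actions/local-helper
EOF
cat > "$demo_dir/pinned.yml" <<'EOF'
steps:
  - uses: "actions/checkout@0123456789abcdef0123456789abcdef01234567" # v4 placeholder
  - uses: anthropics/claude-code-action@89abcdef0123456789abcdef0123456789abcdef # v1 placeholder
EOF

echo "unpinned references in review.yml:"
check_pinned "$demo_dir/review.yml" || echo "(fail: pin the references listed above)"
echo "unpinned references in pinned.yml:"
check_pinned "$demo_dir/pinned.yml" && echo "(pass: all references pinned)"
rm -rf "$demo_dir"
```

Run it as `check_pinned .github/workflows/*.yml` in CI to make a merge fail when a tag reference slips back in; the `# v4 placeholder` style comment after each SHA is what keeps the pinned value reviewable, and a `docker://` reference would need a separate `@sha256:` rule that this lint does not attempt.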

claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
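Review bot: the `plugin_marketplaces` and `plugins` lines at the end of the hunk fetch the `code-review` plugin from `https://github.com/anthropics/claude-code.git` at run time with no revision or version stated, so the mutable-reference concern raised above for `actions/checkout@v4` and `anthropics/claude-code-action@v1` applies to the plugin as well; if the action supports pinning the marketplace to a commit, pin it, and otherwise add a line to the comment block at the bottom of the step recording that this dependency is intentionally unpinned. The `prompt` line is fine as written: `github.repository` and `github.event.pull_request.number` are not attacker-controlled strings, so there is no expression-injection concern there.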

50 changes: 50 additions & 0 deletions .github/workflows/claude.yml
@@ -0,0 +1,50 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr *)'
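Review bot: the `if:` expression at the top of the `claude` job gates the run only on the string `@claude` appearing in a comment, review or issue, and the trigger set (`issue_comment`, `pull_request_review_comment`, `issues`, `pull_request_review`) fires for any account that can post on the repository, so on a public repository any commenter can start a job that runs with `secrets.CLAUDE_CODE_OAUTH_TOKEN`. Consider adding an author check alongside the existing conditions, for example `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` for the two comment events, with the matching `github.event.issue.author_association` and `github.event.review.author_association` for the `issues` and `pull_request_review` branches. Reading the bodies with `contains()` inside `if:` is safe as written; the point is who can trigger the job, not expression injection.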
