Skip to content

Add Claude Code GitHub Workflow #20

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
milosgajdos wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add Claude Code GitHub Workflow #20

milosgajdos wants to merge 2 commits into from

Conversation

@milosgajdos
Copy link
Owner

@milosgajdos milosgajdos commented Jan 1, 2026
edited by ellipsis-dev bot
Loading

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Important

Adds GitHub Actions workflows for Claude Code integration, enabling AI-driven code reviews and interactions via comments and PR events.

  • Workflows:
    • Adds claude-code-review.yml to trigger Claude Code review on PR open and sync events.
    • Adds claude.yml to trigger Claude on issue comments, PR review comments, and issue/PR events mentioning @claude.
  • Security and Permissions:
    • Uses CLAUDE_CODE_OAUTH_TOKEN stored as a GitHub secret.
    • Grants read permissions for contents, pull-requests, issues, and actions.
    • Allows Claude to read CI results on PRs.
  • Functionality:
    • Claude provides feedback on code quality, bugs, performance, security, and test coverage.
    • Supports custom prompts and tool permissions via claude_args.

This description was created by Ellipsis for 992d203. You can customize this summary. It will automatically update as commits are pushed.

ellipsis-dev[bot]
ellipsis-dev bot reviewed Jan 1, 2026
View reviewed changes
Copy link

@ellipsis-dev ellipsis-dev bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

Looks good to me! 👍

Reviewed everything up to 992d203 in 1 minute and 23 seconds. Click for details.
  • Reviewed 119 lines of code in 2 files
  • Skipped 0 files when reviewing.
  • Skipped posting 3 draft comments. View those below.
  • Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. .github/workflows/claude-code-review.yml:36
  • Draft comment:
    Consider pinning the 'anthropics/claude-code-action' action to a specific commit hash instead of using the '@v1' tag. This can help mitigate potential supply chain risks.
  • Reason this comment was not posted:
    Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50% This comment is about security best practices for GitHub Actions. While pinning to commit hashes is indeed a security best practice, this comment has several issues: 1) It's inconsistent - the same file uses @v4 for checkout action without comment, 2) It uses the word "Consider" which makes it sound optional/informational rather than requiring a clear code change, 3) It's a general best practice suggestion rather than pointing out a specific security issue with this PR, 4) The author clearly chose to use @v1 intentionally, and this is a very common practice in GitHub Actions workflows. This feels more like a "nice to have" suggestion rather than something that clearly requires a code change. The comment does point to a legitimate security consideration, and pinning to commit hashes is recommended by GitHub's security documentation. Perhaps this is actionable enough to keep, especially for a security-sensitive workflow that has access to tokens and can comment on PRs. While it's true that pinning to commit hashes is a security best practice, the comment uses "Consider" which makes it sound optional rather than required. The rules state "Do NOT comment unless there is clearly a code change required" - this comment is more of a suggestion than a clear requirement. Additionally, the inconsistency with the checkout action (which also uses a tag) suggests this isn't a critical issue that must be addressed. Most GitHub Actions workflows use semantic version tags rather than commit hashes for maintainability. This comment should be deleted. It's a "nice to have" security suggestion using the word "Consider" rather than a clear code change requirement. The practice of using semantic version tags like @v1 is extremely common in GitHub Actions workflows, and the comment doesn't demonstrate that there's a specific security issue that must be addressed in this PR.
2. .github/workflows/claude-code-review.yml:56
  • Draft comment:
    Review the allowed tools list provided in 'claude_args'. Ensure that only the minimal necessary permissions are granted to reduce potential security exposure.
  • Reason this comment was not posted:
    Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is asking the PR author to review and ensure that only minimal necessary permissions are granted. It is not making a specific code suggestion or pointing out a specific issue in the code. It is more of a general cautionary note, which violates the rule against asking the author to ensure behavior is intended or to double-check things.
3. .github/workflows/claude.yml:15
  • Draft comment:
    The 'if:' condition checks for '@claude' mentions across multiple event types. Consider also restricting execution to users with write access to prevent potential abuse from unauthorized triggers.
  • Reason this comment was not posted:
    Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50% This comment is suggesting a security improvement but uses the word "Consider", which makes it sound like a suggestion rather than identifying a clear bug. The rules state I should not make speculative comments like "If X, then Y is an issue" - this feels similar as it's saying "potential abuse" could happen. The comment doesn't provide strong evidence that this is definitely a problem - it's more of a best practice suggestion. However, it could be argued this is a legitimate security concern. But the key issue is: does this violate the rule about not commenting unless there's clearly a code change required? The comment says "Consider" which is not definitive. Also, this might be intentional behavior - maybe the repo wants anyone to be able to trigger Claude. Without knowing the security model of the claude-code-action itself, this feels speculative. The security concern might be legitimate - allowing any user to trigger workflows could be a real issue depending on what the Claude action does. The comment is actionable (add permission checks) and relates to changed code. Perhaps I'm being too strict in interpreting "speculative". While security is important, the comment uses "Consider" and mentions "potential abuse" without demonstrating that this is definitely a problem. The claude-code-action might have its own security controls, and the PR author may have intentionally designed it this way. This falls under speculative comments and doesn't show strong evidence of a definite issue. This comment should be deleted. It's a speculative security suggestion ("potential abuse") rather than identifying a definite issue, uses soft language ("Consider"), and doesn't provide strong evidence that the current implementation is wrong. The PR author may have intentionally designed it this way.

Workflow ID: wflow_bJXsYZJot1Ume74k

You can customize Ellipsis by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ellipsis-dev ellipsis-dev[bot] ellipsis-dev[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@milosgajdos