Skip to content

Add claude GitHub actions 1774833604709#840

Merged
tanghaibao merged 2 commits into
mainfrom
add-claude-github-actions-1774833604709
Mar 30, 2026
Merged

Add claude GitHub actions 1774833604709#840
tanghaibao merged 2 commits into
mainfrom
add-claude-github-actions-1774833604709

Conversation

@tanghaibao

Copy link
Copy Markdown
Owner

No description provided.

Copilot AI review requested due to automatic review settings March 30, 2026 01:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds GitHub Actions workflows to integrate Anthropic’s Claude Code action for (1) ad-hoc invocation via @claude in issues/comments/reviews and (2) automatic PR code review runs.

Changes:

  • Adds claude.yml workflow to run Claude Code when @claude is detected in issue/PR comments, PR reviews, or issues.
  • Adds claude-code-review.yml workflow to run a Claude “code-review” plugin automatically on PR events.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/claude.yml New workflow to trigger Claude Code from issue/PR interactions containing @claude.
.github/workflows/claude-code-review.yml New workflow to run automated Claude-based code review on PR events.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +16 to +19
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))

Copilot AI Mar 30, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow can be triggered by any user who can open an issue or comment (it only checks for '@claude'), but it passes a repository secret (CLAUDE_CODE_OAUTH_TOKEN) to the action. That makes it possible for untrusted users to trigger usage of the secret (cost/exfiltration risk). Restrict execution to trusted actors (e.g., check author_association for OWNER/MEMBER/COLLABORATOR) and/or remove the 'issues' trigger so only authorized collaborators can invoke it.

Suggested change
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
(github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude') &&
(github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) ||
(github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
(github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) ||
(github.event_name == 'pull_request_review' &&
contains(github.event.review.body, '@claude') &&
(github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'COLLABORATOR')) ||
(github.event_name == 'issues' &&
(contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
(github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'COLLABORATOR'))

Copilot uses AI. Check for mistakes.
Comment on lines +3 to +6
on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
# Optional: Only run on specific file changes

Copilot AI Mar 30, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This runs on the pull_request event but relies on secrets.CLAUDE_CODE_OAUTH_TOKEN. For PRs from forks, GitHub does not provide repository secrets to pull_request workflows, so this job will fail (and may block external contributions). Add a job-level guard to only run on same-repo PRs, or switch to an approach that safely supports forks (e.g., pull_request_target with strict safety constraints).

Copilot uses AI. Check for mistakes.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c7e84330c0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

name: Claude Code Review

on:
pull_request:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Guard Claude review workflow against fork pull requests

This job is triggered for every pull_request event but it authenticates only with secrets.CLAUDE_CODE_OAUTH_TOKEN; on fork-origin PRs, GitHub does not expose repository secrets (and related OIDC context), so the Claude step cannot authenticate and the review workflow fails consistently for external contributors. That turns the check into noise or a blocker on open-source contribution paths unless you explicitly skip forks or adopt a fork-safe pull_request_target pattern.

Useful? React with 👍 / 👎.

@tanghaibao tanghaibao merged commit 5e48c50 into main Mar 30, 2026
12 of 13 checks passed
@tanghaibao tanghaibao deleted the add-claude-github-actions-1774833604709 branch March 30, 2026 01:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants