Add claude GitHub actions 1774833604709#840
Conversation
There was a problem hiding this comment.
Pull request overview
Adds GitHub Actions workflows to integrate Anthropic’s Claude Code action for (1) ad-hoc invocation via @claude in issues/comments/reviews and (2) automatic PR code review runs.
Changes:
- Adds
claude.ymlworkflow to run Claude Code when@claudeis detected in issue/PR comments, PR reviews, or issues. - Adds
claude-code-review.ymlworkflow to run a Claude “code-review” plugin automatically on PR events.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
.github/workflows/claude.yml |
New workflow to trigger Claude Code from issue/PR interactions containing @claude. |
.github/workflows/claude-code-review.yml |
New workflow to run automated Claude-based code review on PR events. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
There was a problem hiding this comment.
This workflow can be triggered by any user who can open an issue or comment (it only checks for '@claude'), but it passes a repository secret (CLAUDE_CODE_OAUTH_TOKEN) to the action. That makes it possible for untrusted users to trigger usage of the secret (cost/exfiltration risk). Restrict execution to trusted actors (e.g., check author_association for OWNER/MEMBER/COLLABORATOR) and/or remove the 'issues' trigger so only authorized collaborators can invoke it.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | |
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) | |
| (github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'COLLABORATOR')) || | |
| (github.event_name == 'issues' && | |
| (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && | |
| (github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'COLLABORATOR')) |
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| # Optional: Only run on specific file changes |
There was a problem hiding this comment.
This runs on the pull_request event but relies on secrets.CLAUDE_CODE_OAUTH_TOKEN. For PRs from forks, GitHub does not provide repository secrets to pull_request workflows, so this job will fail (and may block external contributions). Add a job-level guard to only run on same-repo PRs, or switch to an approach that safely supports forks (e.g., pull_request_target with strict safety constraints).
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c7e84330c0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| name: Claude Code Review | ||
|
|
||
| on: | ||
| pull_request: |
There was a problem hiding this comment.
Guard Claude review workflow against fork pull requests
This job is triggered for every pull_request event but it authenticates only with secrets.CLAUDE_CODE_OAUTH_TOKEN; on fork-origin PRs, GitHub does not expose repository secrets (and related OIDC context), so the Claude step cannot authenticate and the review workflow fails consistently for external contributors. That turns the check into noise or a blocker on open-source contribution paths unless you explicitly skip forks or adopt a fork-safe pull_request_target pattern.
Useful? React with 👍 / 👎.
No description provided.