@justin808
Member

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@justin808 justin808 merged commit 483459e into main Nov 2, 2025
18 of 19 checks passed
@justin808 justin808 deleted the add-claude-github-actions-1762125026808 branch November 2, 2025 23:10
@coderabbitai

coderabbitai bot commented Nov 2, 2025

Warning

Rate limit exceeded

@justin808 has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 17 minutes and 44 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 0e26f49 and 68a7266.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml (1 hunks)
  • .github/workflows/claude.yml (1 hunks)

@claude

claude bot commented Nov 2, 2025

Code Review: Claude Code GitHub Workflow

Thank you for adding Claude Code integration to this repository! I've reviewed the two workflow files and have the following feedback:

✅ Strengths

  1. Security-conscious permissions: Both workflows follow the principle of least privilege, requesting only necessary permissions
  2. Consistent with existing workflows: Uses actions/checkout@v4 and follows similar patterns to existing CI workflows
  3. Well-documented PR description: Clear explanation of what Claude Code does and how it works
  4. Appropriate triggers: The workflows are triggered on relevant events (comments with @claude mentions, PR opened/synchronize)

🔍 Code Quality & Best Practices

.github/workflows/claude.yml

Positive:

  • Good use of conditional logic to filter for @claude mentions across multiple event types
  • Includes actions: read permission for CI results access
  • Proper fetch-depth setting (shallow clone)

Suggestions:

  1. Version consistency: Consider upgrading to actions/checkout@v5 to match your other workflows (checks.yml uses v5, this uses v4)
  2. Commented code: The commented prompt and claude_args examples are helpful documentation

.github/workflows/claude-code-review.yml

Positive:

  • Well-structured prompt with clear review criteria
  • Appropriate gh command restrictions via allowed-tools
  • Helpful commented examples for filtering by paths and authors

Concerns:

  1. Version inconsistency: Uses actions/checkout@v4 while checks.yml uses v5

  2. Missing concurrency control: Unlike checks.yml which has:

    concurrency:
      group: ${{ github.ref }}
      cancel-in-progress: true

    This workflow could trigger multiple concurrent runs on rapid pushes, potentially wasting resources and creating duplicate review comments

  3. No trigger filtering: This runs on ALL PRs (opened/synchronize). Consider:

    • Adding path filters if only certain files need review (the commented example is good, but consider uncommenting if relevant)
    • Adding author/association filters to avoid reviewing trusted maintainers
    • Potential cost implications of running AI reviews on every PR update

⚡ Performance Considerations

  1. Fetch depth: fetch-depth: 1 is optimal - good choice
  2. Concurrent execution: Add concurrency control to prevent multiple simultaneous reviews on the same PR:
    concurrency:
      group: claude-review-${{ github.event.pull_request.number }}
      cancel-in-progress: true

🔒 Security Assessment

Good practices:

  • ✅ Secrets properly referenced via secrets.CLAUDE_CODE_OAUTH_TOKEN
  • ✅ Limited tool access via allowed-tools parameter
  • ✅ Read-only permissions for contents, PRs, and issues
  • ✅ Explicit permission boundaries

Recommendations:

  1. Consider adding write restrictions: The PR description mentions "Only users with write access to the repository can trigger the workflow" - this is enforced by GitHub Actions for issue_comment triggers, but it's worth noting that pull_request triggers (in claude-code-review.yml) run for external contributors' PRs
  2. Review scope: Ensure the team is comfortable with Claude having access to full PR context and diffs

📝 Test Coverage

Missing:

  • No tests for the workflows themselves (this is common but consider testing with a test PR post-merge)
  • Documentation doesn't mention how to test/verify the workflows work correctly

Recommendation:
After merging, create a test PR or issue to verify both workflows function as expected.

🎯 Overall Assessment

This is a well-implemented addition that follows GitHub Actions best practices. The main improvements would be:

  1. Critical: Add concurrency control to claude-code-review.yml to prevent duplicate runs
  2. Recommended: Upgrade actions/checkout to v5 for consistency
  3. Consider: Add trigger filters to claude-code-review.yml to control when reviews run

Suggested Changes

    # Add to claude-code-review.yml after 'on:' section
    concurrency:
      group: claude-review-${{ github.event.pull_request.number }}
      cancel-in-progress: true

    # Update checkout version in both files
    - name: Checkout repository
      uses: actions/checkout@v5  # Changed from v4
      with:
        fetch-depth: 1

Verdict: Approve with minor recommendations for follow-up improvements. The workflows are functional and secure as-is, but would benefit from the concurrency control addition.


Review performed by Claude Code
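
Added example, not part of the PR, of any comment in this thread, or of the repository's actual workflow file: a sketch of claude-code-review.yml that combines the concurrency group suggested in the review with an explicit author-association and same-repository gate on the `pull_request` trigger. The action reference `anthropics/claude-code-action@v1`, its `claude_code_oauth_token` input, the `id-token: write` permission and the prompt text are assumptions; the page itself shows only the secret name, the checkout step and the concurrency block.

```yaml
# Added sketch of a hardened claude-code-review.yml; not the repository's file.
name: Claude Code Review

on:
  pull_request:
    types: [opened, synchronize]

# One review per PR: a new push cancels the run that is still in progress,
# which avoids duplicate review comments and wasted runner time.
concurrency:
  group: claude-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  claude-review:
    # Gate the job in the workflow itself instead of relying on the action:
    #  - the head branch must live in this repository (fork PRs do not
    #    receive repository secrets on the pull_request event anyway), and
    #  - the PR author must already be associated with the repository.
    if: >-
      github.event.pull_request.head.repo.full_name == github.repository &&
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      # Assumption: the action exchanges an OIDC token for its own app token.
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code review
        # Assumption: action reference and input names are not shown on the page.
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Placeholder prompt; the real workflow's prompt is not on the page.
          prompt: Review this pull request for bugs and security issues.
```

With the gate in place, a PR from an author outside the listed associations shows the job as skipped in the Actions run history rather than failing, which makes the access decision auditable.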

@G-Rath
Collaborator

G-Rath commented Nov 2, 2025

@justin808 this got merged with a failing CI - can you please do another PR reformatting the file with Prettier?

justin808 added a commit that referenced this pull request Nov 3, 2025
…ersion-flag

* origin/main:
  docs: add badges to README (#28)
  Add Claude Code GitHub Workflow (#30)
  chore(deps): bump rexml from 3.3.9 to 3.4.2 (#23)
justin808 added a commit that referenced this pull request Nov 3, 2025
- Fix prettier formatting issues in claude-code-review.yml
- Fix prettier formatting issues in claude.yml
- Merged latest main branch changes

These files were added in PR #30 with formatting issues that
caused the CI prettier check to fail.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>