ci: Add Claude Code GitHub Workflow #15

Merged
edenreich merged 3 commits into main from add-claude-github-actions-1753638552649
Jul 27, 2025

@edenreich
Collaborator

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@claude
Contributor

claude bot commented Jul 27, 2025

Claude finished @edenreich's task —— View job


PR Review: Claude Code GitHub Workflows

I've completed my review of the two GitHub workflow files. Overall, this is a well-structured implementation with good security practices, but there are several areas for improvement.

✅ Strengths

Security:

  • Proper use of minimal required permissions in both workflows
  • Secure handling of OAuth token via GitHub secrets
  • No hardcoded credentials or sensitive data
  • Appropriate id-token: write for OIDC authentication

Code Quality:

  • Clean, readable YAML structure
  • Good use of comments explaining optional configurations
  • Consistent naming conventions

🔍 Areas for Improvement

Security Considerations

  1. Action Version Pinning (.github/workflows/claude-code-review.yml:36, .github/workflows/claude.yml:35)

    uses: anthropics/claude-code-action@beta

    Issue: Using @beta tag is less secure than pinning to a specific commit SHA
    Recommendation: Pin to specific commit SHA for better security and reproducibility:

    uses: anthropics/claude-code-action@v1.2.3  # or specific commit SHA

  2. Checkout Action Version (Both files, line 30)

    uses: actions/checkout@v4

    Recommendation: Pin to specific version like actions/checkout@v4.1.1

Performance Considerations

  1. Fetch Depth (.github/workflows/claude-code-review.yml:32, .github/workflows/claude.yml:31)

    fetch-depth: 1

    Good: Using shallow clone optimizes performance for code review use case

  2. Conditional Logic (.github/workflows/claude.yml:15-19)
    Good: Efficient conditional logic prevents unnecessary workflow runs

Best Practices & Potential Issues

  1. Missing Timeout Protection

    timeout-minutes: 30  # Add to both jobs

    Issue: No timeout specified could lead to workflows running indefinitely
    Impact: Potential CI/CD resource waste

  2. PR Trigger Events (.github/workflows/claude-code-review.yml:4-5)

    on:
      pull_request:
        types: [opened, synchronize]

    Consideration: Missing reopened event type - users might expect reviews when reopening PRs

  3. Commented Code Cleanup
    Issue: Extensive commented-out sections (lines 6-11, 15-19, 40-78 in claude-code-review.yml)
    Recommendation: Consider removing or moving to documentation to keep workflows cleaner

  4. Error Handling
    Missing: No explicit error handling or failure notifications
    Suggestion: Consider adding steps to handle authentication failures or action timeouts

Go-Specific Considerations

Based on the repository's Go/Kubernetes operator context:

  1. Missing Go-Specific Tools

    # Suggestion for claude.yml
    allowed_tools: "Bash(go mod tidy),Bash(go fmt),Bash(go vet),Bash(task lint),Bash(task test)"

  2. Custom Instructions for Go Project

    # Suggestion for claude.yml
    custom_instructions: |
      Follow Go best practices and the project's CLAUDE.md guidelines
      Use the Task runner for builds and tests
      Ensure code passes linting and formatting checks

Test Coverage

Missing: No integration with existing test infrastructure
Recommendation: Consider allowing Claude to run the project's test suite:

allowed_tools: "Bash(task test),Bash(task lint),Bash(task build)"

🎯 Recommended Changes

  1. Pin action versions to specific releases
  2. Add timeout protection (30 minutes suggested)
  3. Add reopened to PR trigger events
  4. Clean up commented code sections
  5. Add Go-specific allowed tools
  6. Consider adding custom instructions referencing CLAUDE.md

📊 Overall Assessment

Code Quality: ⭐⭐⭐⭐ (4/5)
Security: ⭐⭐⭐⭐ (4/5)
Performance: ⭐⭐⭐⭐⭐ (5/5)
Maintainability: ⭐⭐⭐ (3/5)

This is a solid foundation for Claude Code integration with good security practices. The main improvements focus on production hardening and project-specific customization.
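
A check for the pinning and timeout points raised in the review above, added here as an example; it is not part of the PR or of the reviewed workflow files. It scans workflow text line by line without a YAML parser, and `audit_workflow`, the sample workflow, and the all-zero SHA are constructed for illustration.

```python
import re

# A step's `uses:` target; local (./) and docker:// references carry no git ref.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TIMEOUT_RE = re.compile(r"^\s*timeout-minutes:\s*\S")

def audit_workflow(text):
    """Return (line_no, kind, detail) findings for one workflow file's text."""
    findings, has_timeout = [], False
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out configuration is not evaluated
        has_timeout = has_timeout or bool(TIMEOUT_RE.match(line))
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        action, _, ref = m.group(1).partition("@")
        if not FULL_SHA_RE.match(ref):  # tags and branches can be moved later
            findings.append((no, "unpinned-action", f"{action}@{ref}"))
    if not has_timeout:
        findings.append((0, "no-timeout", "timeout-minutes is not set"))
    return findings

# Constructed sample using the two `uses:` lines quoted in the review.
SAMPLE = """\
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@beta
"""
PLACEHOLDER_SHA = "0" * 40  # constructed placeholder, not a real commit
HARDENED = (SAMPLE.replace("@v4", f"@{PLACEHOLDER_SHA}  # v4")
            .replace("@beta", f"@{PLACEHOLDER_SHA}  # beta")
            .replace("steps:", "timeout-minutes: 30\n    steps:"))

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
    print("hardened:", audit_workflow(HARDENED))
```

Only a full 40-character commit SHA counts as pinned here, so a version tag such as `v4` is still reported.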

…permissions

Signed-off-by: Eden Reich <eden.reich@gmail.com>
@edenreich edenreich merged commit cb6f20b into main Jul 27, 2025
6 checks passed
@edenreich edenreich deleted the add-claude-github-actions-1753638552649 branch July 27, 2025 17:59
ig-semantic-release-bot bot added a commit that referenced this pull request Jul 27, 2025
## [0.10.0](v0.9.0...v0.10.0) (2025-07-27)

### ✨ Features

* **a2a:** Add service discovery configuration to Gateway CRD ([#16](#16)) ([e96edce](e96edce))

### 👷 CI

* Add Claude Code GitHub Workflow ([#15](#15)) ([cb6f20b](cb6f20b))

### 📚 Documentation

* Add CLAUDE.md for project guidance and development workflow ([f10a8f6](f10a8f6))

### 🔧 Miscellaneous

* Add new line at the end of the file ([6fe02fa](6fe02fa))
* Update custom instructions to include pre-commit hook installation ([e038f10](e038f10))
@ig-semantic-release-bot
Contributor

🎉 This PR is included in version 0.10.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
