ci: Add Claude Code GitHub Workflow

[edenreich]

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

[claude]

Claude finished @edenreich's task —— View job

---

Code Review Analysis

I've thoroughly reviewed both GitHub Actions workflow files in this PR. Here's my comprehensive feedback:

Todo List

• Read and analyze both workflow files
• Review security considerations
• Check GitHub Actions best practices
• Assess code quality and configuration
• Provide comprehensive feedback

---

Overall Assessment: ✅ APPROVED

This is a well-structured PR that adds Claude Code integration with good security practices and clear documentation.

🔒 Security Review

Strengths:

• ✅ Uses secrets.CLAUDE_CODE_OAUTH_TOKEN for secure API key storage
• ✅ Minimal required permissions (contents: read, pull-requests: read, issues: read)
• ✅ Uses id-token: write for OIDC authentication
• ✅ Proper conditional logic prevents unauthorized execution
• ✅ Uses official Anthropic action (anthropics/claude-code-action@beta)

Considerations:

• The @beta tag should eventually be updated to a specific version for better security and stability
• Consider adding actions: read permission to the review workflow if CI integration is needed

📝 Code Quality & Best Practices

Excellent practices implemented:

1. Workflow Structure - Clean, well-organized YAML with proper indentation
2. Documentation - Comprehensive inline comments explaining optional configurations
3. Conditional Execution - Smart trigger conditions prevent unnecessary runs
4. Resource Efficiency - fetch-depth: 1 for faster checkouts
5. Separation of Concerns - Two distinct workflows for different use cases:
   • claude.yml: Interactive @claude mentions
   • claude-code-review.yml: Automated PR reviews

🚀 Performance Considerations

Optimizations present:

• ✅ fetch-depth: 1 reduces checkout time
• ✅ Conditional job execution prevents wasteful runs
• ✅ Ubuntu-latest for consistent, fast runner environment

Potential improvements:

• Consider adding path filters in claude-code-review.yml (lines 6-11 are commented) to only run on relevant file changes
• The automated review runs on every PR - consider adding size or complexity filters for large repositories

🏗️ Configuration Quality

Well-designed features:

1. Flexible Triggering: Multiple event types (comments, reviews, issues)
2. Customizable Prompts: Direct prompt configuration for automated reviews
3. Tool Extensibility: Ready for allowed_tools configuration
4. Model Selection: Easy model switching capability

📋 Specific Recommendations

Minor Improvements:

1. Pin Action Version (.github/workflows/claude.yml:35, .github/workflows/claude-code-review.yml:36):

   # Current
   uses: anthropics/claude-code-action@beta
   
   # Recommended (when available)
   uses: anthropics/claude-code-action@v1.0.0

2. Consider Path Filtering (.github/workflows/claude-code-review.yml:6-11):
   Uncomment and customize path filters to prevent reviews on documentation-only changes:

   paths:
     - "src/**"
     - "lib/**"
     - "*.go"  # Based on Go SDK context

3. Add Workflow Concurrency Control:

   concurrency:
     group: claude-${{ github.ref }}
     cancel-in-progress: true

Optional Enhancements for Future:

1. Custom Instructions: Consider adding project-specific guidelines
2. Allowed Tools: Add Go-specific commands based on CLAUDE.md:

   allowed_tools: "Bash(task test),Bash(task lint),Bash(go fmt ./...)"

🧪 Test Coverage

Current state: No traditional tests needed for workflow files, but consider:

• Testing the workflows in a staging environment before production use
• The workflows will be validated by GitHub Actions parser automatically

🎯 Summary

This PR successfully implements Claude Code integration with:

• ✅ Strong security practices
• ✅ Clean, maintainable code structure
• ✅ Comprehensive documentation
• ✅ Flexible configuration options
• ✅ Performance-conscious design

The implementation follows GitHub Actions best practices and provides a solid foundation for AI-assisted development in this repository.

Recommendation: Merge after addressing the minor version pinning suggestion or merge as-is if you prefer to stay on the beta channel for latest features.

[github-actions]

🎉 This PR is included in version 1.11.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀