
Add Claude Code GitHub Workflow #224

Closed
rustatian wants to merge 3 commits into master from add-claude-github-actions-1772635156611

Conversation

@rustatian (Member) commented Mar 4, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

Summary by CodeRabbit

  • New Features
    • Automated code reviews now run on pull requests
    • Code reviews can be triggered on-demand by mentioning @claude in comments or reviews

Copilot AI review requested due to automatic review settings March 4, 2026 14:41
@coderabbitai bot commented Mar 4, 2026

📝 Walkthrough

Two GitHub Actions workflows are introduced to automate code review using the Anthropic Claude Code action. One workflow runs on pull request events (opened, synchronized, ready for review, reopened), while the other activates when comments or review comments contain the @claude mention, enabling on-demand code analysis.

Changes

Cohort / File(s) | Summary
Claude Code Review Workflow: .github/workflows/claude-code-review.yml | Introduces automated code review on PR events with Claude Code action, configured with OAuth token, marketplace plugins, and custom prompt referencing repository and PR context.
Claude Code Workflow: .github/workflows/claude.yml | Introduces on-demand code analysis triggered by @claude mentions in comments and reviews, with conditional logic to activate based on event type and badge presence.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Two workflows hop into place,
Claude now reviews at lightning pace!
Pull requests and comments with mentions so bright,
Code reviews automated—pure delight!
Fast, thorough, and always polite! 🎯

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name: Description check
Status: ⚠️ Warning
Explanation: The description is well-structured, informative, and explains the purpose and functionality, but does not follow the required template sections (Reason for This PR, Description of Changes, License Acceptance, PR Checklist).
Resolution: Restructure the description to include all template sections: Reason for This PR (with issue # or explanation), Description of Changes, License Acceptance statement, and completed PR Checklist items.

✅ Passed checks (2 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The title clearly and concisely summarizes the main change: adding Claude Code GitHub workflows to the repository.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



Copilot AI left a comment

Pull request overview

Adds GitHub Actions workflows to integrate Anthropic’s Claude Code into the repo for (1) responding to @claude mentions in issues/PR comments and (2) running an automated Claude-based PR review job.

Changes:

  • Added a Claude Code workflow that triggers on issue/PR comment and review events when @claude is detected.
  • Added a Claude Code Review workflow that runs an automated code review plugin on PR open/update-related events.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

File | Description
.github/workflows/claude.yml | Introduces an @claude-mention-triggered workflow for issues/PR comments/reviews.
.github/workflows/claude-code-review.yml | Introduces an automatic PR code-review workflow using Claude Code plugins.


@coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)

15-20: Gate @claude execution by trusted author association at workflow level.

Current condition only checks mention text. Adding an author_association gate avoids unnecessary runner starts from external users and reduces abuse/cost surface before the action is invoked.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 15 - 20, Update the workflow `if`
condition to require that the mention comes from a trusted author_association in
addition to containing '@claude': for the issue_comment and
pull_request_review_comment branches check
github.event.comment.author_association is one of trusted values (e.g., OWNER,
MEMBER, COLLABORATOR, CONTRIBUTOR) before allowing the runner to start; for
pull_request_review check github.event.review.author_association similarly; and
for issues check github.event.issue.author_association. Keep the existing
contains(...) mention checks but add the author_association guards to each event
clause in the `if` block to gate execution by trusted authors.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude-code-review.yml:
- Line 30: Replace the mutable action tags with immutable commit SHAs: locate
the workflow entries that reference uses: actions/checkout@v4 and uses:
anthropics/claude-code-action@v1 and update each to the corresponding full
commit SHA for that release (e.g., uses: actions/checkout@<full-commit-sha> and
uses: anthropics/claude-code-action@<full-commit-sha>) so the workflow pins to
exact commits and prevents supply-chain drift.
- Around line 4-5: The workflow triggers on pull_request but references the
secret CLAUDE_CODE_OAUTH_TOKEN, which is inaccessible for forked PRs; add a
fork-PR guard by adding a job-level condition that only runs when the PR head
repo equals the base repo (e.g. if:
github.event.pull_request.head.repo.full_name == github.repository) around the
job that uses CLAUDE_CODE_OAUTH_TOKEN so external fork PRs are skipped and don't
attempt to access the secret.

In @.github/workflows/claude.yml:
- Line 29: Replace floating action tags with exact commit SHAs: change usages of
actions/checkout@v4 and anthropics/claude-code-action@v1 to their corresponding
commit SHAs (e.g., actions/checkout@<commit-sha>,
anthropics/claude-code-action@<commit-sha>) so the workflow pins the exact
commits; update the two occurrences (the actions/checkout and
anthropics/claude-code-action entries) to use verified commit SHAs instead of
the v4/v1 tags.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b1a615be-2aa2-43e3-a7fd-89c03f1f84ac

📥 Commits

Reviewing files that changed from the base of the PR and between 49fcca0 and 5418bcb.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml

Comment on lines +4 to +5
pull_request:
types: [opened, synchronize, ready_for_review, reopened]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/claude-code-review.yml

Repository: roadrunner-server/http

Length of output: 1806


Add fork PR guard to prevent secret access failures on external PRs.

The workflow triggers on all PRs (line 4) but line 38 requires CLAUDE_CODE_OAUTH_TOKEN secret, which is inaccessible during fork PR runs. This causes predictable failures and blocks the external contribution flow. Add the fork guard to skip the job on fork PRs:

jobs:
  claude-review:
+   if: ${{ github.event.pull_request.head.repo.fork == false }}
    runs-on: ubuntu-latest


steps:
- name: Checkout repository
uses: actions/checkout@v4

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/claude-code-review.yml | sed -n '25,40p'

Repository: roadrunner-server/http

Length of output: 668


Pin Actions to immutable commit SHAs instead of floating tags.

Both actions/checkout@v4 (line 30) and anthropics/claude-code-action@v1 (line 36) use mutable version tags. Pin to full commit SHAs to prevent supply chain drift—floating tags can be retargeted by upstream maintainers without your knowledge, potentially executing unintended code in workflows with elevated permissions.


actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/claude.yml

Repository: roadrunner-server/http

Length of output: 2301


Pin workflow actions to commit SHAs instead of floating tags.

Line 29 uses actions/checkout@v4 and line 35 uses anthropics/claude-code-action@v1. Floating tags can be force-pushed or compromised. Pin these to exact commit SHAs (e.g., actions/checkout@a5ac7e51b41094c5405359c97429f3dd38146b4a) for stronger CI supply-chain security guarantees.

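The three findings raised in the CodeRabbit comments above (floating action tags, a pull_request trigger that reads a secret without a fork guard, and an @claude condition that checks only the mention text) can be caught mechanically before a workflow is merged. The script below is an added example, not code from the roadrunner-server/http repository or from the anthropics/claude-code-action project: it runs the three checks over two constructed workflow snippets that only resemble the files described in this thread, builds the hardened form of each, and re-runs the checks. Everything it assumes is marked in the code: the action input name `claude_code_oauth_token`, the two placeholder commit SHAs in `RESOLVED` (a real pin resolves each tag with `git ls-remote` and records the commit the tag points to), and a line-oriented parser standing in for a full YAML parser. The trusted set is OWNER, MEMBER and COLLABORATOR rather than the reviewer's list with CONTRIBUTOR, because GitHub assigns CONTRIBUTOR to any account that has had a commit merged into the repository.

```python
"""Checks for the three review findings, run over constructed workflow text.

Added example, not code from roadrunner-server/http or from claude-code-action.
The parser is deliberately line-oriented (no PyYAML dependency): it understands
the common `uses:`, trigger, `if:` and `${{ secrets.* }}` shapes, not every
YAML layout. A production check would parse the YAML properly.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "uses: owner/repo@ref" or "- uses: owner/repo/path@ref"; ./local and docker:// refs do not match
USES_RE = re.compile(r"^(\s*(?:-\s+)?uses:\s*)([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)(.*)$")
PR_TRIGGER_RE = re.compile(r"^\s*pull_request\s*:|^on:\s*\[.*\bpull_request\b")  # not _target
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")
FORK_GUARD_RE = re.compile(r"head\.repo\.fork\s*==\s*false|head\.repo\.full_name\s*==\s*github\.repository")
MENTION_RE = re.compile(r"contains\([^)]*@claude")


def unpinned_actions(text):
    """Finding 1: (line_no, 'owner/repo@ref') for every uses: ref that is not a full commit SHA."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(3)):
            found.append((n, f"{m.group(2)}@{m.group(3)}"))
    return found


def missing_fork_guard(text):
    """Finding 2: a pull_request-triggered workflow reads secrets but never skips fork PRs."""
    on_pr = any(PR_TRIGGER_RE.search(line) for line in text.splitlines())
    return bool(on_pr and SECRET_RE.search(text) and not FORK_GUARD_RE.search(text))


def missing_author_gate(text):
    """Finding 3: an @claude mention condition that never looks at author_association."""
    return bool(MENTION_RE.search(text) and "author_association" not in text)


def scan(text):
    return {
        "unpinned": unpinned_actions(text),
        "fork_guard_missing": missing_fork_guard(text),
        "author_gate_missing": missing_author_gate(text),
    }


def pin(text, resolved):
    """Rewrite floating refs from a tag->SHA map, keeping the tag as a trailing
    comment so a reader can still tell which release the SHA is meant to be."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            prefix, action, ref, rest = m.groups()
            sha = resolved.get(f"{action}@{ref}")
            if sha and not SHA_RE.match(ref):
                line = f"{prefix}{action}@{sha}  # {ref}{rest}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample resembling the auto-review workflow discussed in the thread.
# The input name `claude_code_oauth_token` is an assumption, not taken from the page.
REVIEW_WEAK = """\
name: Claude Code Review
on:
  pull_request:
    types: [opened, synchronize, ready_for_review, reopened]
jobs:
  claude-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Run Claude Code Review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
"""

# Placeholder SHAs, not real release commits. A real fix resolves each tag upstream
# (e.g. `git ls-remote --tags https://github.com/actions/checkout v4`) and records the commit.
RESOLVED = {"actions/checkout@v4": "1" * 40, "anthropics/claude-code-action@v1": "2" * 40}

REVIEW_HARDENED = pin(
    REVIEW_WEAK.replace(
        "  claude-review:\n",
        "  claude-review:\n    if: ${{ github.event.pull_request.head.repo.fork == false }}\n",
    ),
    RESOLVED,
)

# Constructed sample of an @claude mention trigger, before and after the author gate.
# CONTRIBUTOR is left out of the trusted set: GitHub assigns it to anyone with a merged commit.
MENTION_WEAK = """\
on:
  issue_comment:
    types: [created]
jobs:
  claude:
    if: contains(github.event.comment.body, '@claude')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
MENTION_HARDENED = pin(
    MENTION_WEAK.replace(
        "if: contains(github.event.comment.body, '@claude')",
        "if: >-\n"
        "      contains(github.event.comment.body, '@claude') &&\n"
        "      contains(fromJSON('[\"OWNER\",\"MEMBER\",\"COLLABORATOR\"]'),\n"
        "      github.event.comment.author_association)",
    ),
    RESOLVED,
)

if __name__ == "__main__":
    for name, text in [("review/weak", REVIEW_WEAK), ("review/hardened", REVIEW_HARDENED),
                       ("mention/weak", MENTION_WEAK), ("mention/hardened", MENTION_HARDENED)]:
        print(name, scan(text))
```

Run it as a script to see the four reports, or call `scan` from a pre-commit hook or CI step and fail on any non-empty finding. One caveat on the fork guard: on a plain `pull_request` event GitHub already withholds repository secrets from fork PRs, so the guard mainly avoids a predictable job failure; it only becomes a real security boundary if the trigger is ever changed to `pull_request_target`, which runs fork code with the base repository's secrets, and the check above deliberately does not look at that trigger.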

@rustatian rustatian closed this Mar 4, 2026
@codecov bot commented Mar 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (49fcca0) to head (5418bcb).

Additional details and impacted files
@@      Coverage Diff      @@
##   master   #224   +/-   ##
=============================
=============================

☔ View full report in Codecov by Sentry.

@rustatian rustatian deleted the add-claude-github-actions-1772635156611 branch March 4, 2026 15:00