Adds .github/workflows/claude.yml and claude-code-review.yml so @claude mentions in issues/PRs trigger the Claude Code GitHub Action. Requires the CLAUDE_CODE_OAUTH_TOKEN repo secret to be set before the workflow will run successfully. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
|
||
| jobs: | ||
| claude: | ||
| if: | |
The current if: gate only checks for @claude. On a public repo, that means any user who can open an issue or leave a comment can trigger this workflow (and it will have access to CLAUDE_CODE_OAUTH_TOKEN). Consider restricting to trusted author_association values.
| if: | | |
| if: | | |
| ( | |
| github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) | |
| ) || | |
| ( | |
| github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) | |
| ) || | |
| ( | |
| github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association) | |
| ) || | |
| ( | |
| github.event_name == 'issues' && | |
| (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && | |
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association) | |
| ) |
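A pre-merge check for the gate discussed in the review comment above, as an added example (not part of the PR or of the reviewer's suggestion). It splits a workflow if: expression into its top-level || clauses and reports every clause that matches on @claude without an &&-ed author_association allow-list limited to OWNER, MEMBER and COLLABORATOR. The function names and the sample expression are constructed for illustration.

```python
import json
import re
from itertools import accumulate

TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}  # allow-list from the review suggestion
ALLOW = re.compile(r"contains\(\s*fromJSON\('(\[[^']*\])'\)\s*,\s*"
                   r"github\.event\.\w+\.author_association\s*\)")

# Constructed sample gate: the comment clause is restricted, the issues clause is not.
SAMPLE_IF = """
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') &&
 contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
(github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
"""

def split_top(expr, sep):
    """Split expr on sep at parenthesis depth 0, skipping single-quoted strings."""
    parts, start, depth, quoted = [], 0, 0, False
    for i, ch in enumerate(expr):
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not quoted and depth == 0 and expr.startswith(sep, i):
            parts.append(expr[start:i].strip())
            start = i + len(sep)
    return parts + [expr[start:].strip()]

def unwrap(term):
    """Strip parentheses that enclose the whole term (parens inside quotes are not handled)."""
    term = term.strip()
    while term.startswith("(") and term.endswith(")"):
        depths = list(accumulate((c == "(") - (c == ")") for c in term))
        if 0 in depths[:-1]:
            break  # the opening "(" closes early, so it does not wrap the term
        term = term[1:-1].strip()
    return term

def ungated_events(if_expr):
    """Events whose '@claude' clause has no &&-ed allow-list contained in TRUSTED."""
    findings = []
    for clause in split_top(unwrap(if_expr), "||"):
        terms = [unwrap(t) for t in split_top(unwrap(clause), "&&")]
        hits = [ALLOW.fullmatch(t) for t in terms]
        gated = any(m and set(json.loads(m.group(1))) <= TRUSTED for m in hits)
        if "@claude" in clause and not gated:
            event = re.search(r"github\.event_name\s*==\s*'([^']+)'", clause)
            findings.append(event.group(1) if event else clause)
    return findings
```

An allow-list that is OR-ed with the mention check, or that includes an association outside the trusted set, is reported as ungated, because only a top-level && term counts.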
| types: [created] | ||
| pull_request_review_comment: | ||
| types: [created] | ||
| issues: |
Do you want this to run on issues: opened? That event can be triggered by anyone filing a new issue, and a simple @claude in the title/body would start a run. If the intent is only opt-in via comments/reviews, dropping the issues trigger (or tightening the if: even further for github.event_name == 'issues') would reduce noise and risk.
| # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' | ||
|
|
||
| runs-on: ubuntu-latest | ||
| permissions: |
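Review bot: the author_association condition on the first line of this hunk is commented out, so nothing visible here limits which pull request authors this job runs for. Since the job goes on to declare permissions and the workflow depends on CLAUDE_CODE_OAUTH_TOKEN, either enable an if: on github.event.pull_request.author_association with an explicit allow-list, or add a comment stating that running for every author is intended.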
pull-requests: read means this job likely can't post review comments/status back to the PR. If the action is expected to leave feedback on the PR, you may need pull-requests: write (and possibly issues: write).
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Required before merge
This workflow requires a CLAUDE_CODE_OAUTH_TOKEN repository secret, which is not yet set on this repo. Set it by either:
/install-github-app in a Claude Code session rooted at a local checkout of this repo, or
gh secret set CLAUDE_CODE_OAUTH_TOKEN -R NikolayS/REPO --body "<token>"
Merging before the secret is set is safe — the workflow simply won't run successfully until the secret exists.
Important Notes
Security
There's more information in the Claude Code action repo.