Add Claude Code GitHub Workflow #5

Merged
rmartin93 merged 2 commits into master from add-claude-github-actions-1767796895543
Jan 7, 2026
@rmartin93

Collaborator

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@rmartin93 rmartin93 merged commit 8964443 into master Jan 7, 2026
1 check passed
@claude

claude Bot commented Jan 7, 2026

PR Review - Claude Code GitHub Workflow

Summary

PR adds 2 GitHub Actions workflows for Claude Code integration: automated PR reviews + @claude mention responses. Config aligns w/ repo's concise style principles.

✅ Strengths

Security:

  • OAuth token properly stored as secret
  • Minimal permissions (read-only + id-token)
  • Scoped tool allowlist in code-review workflow
  • Protected against unauthorized triggers (write access required)

Code Quality:

  • Clean YAML syntax
  • Well-commented optional filters
  • Follows GitHub Actions best practices
  • Appropriate checkout depth (1)

Architecture:

  • Separation of concerns (review vs mention-driven)
  • Efficient triggers (synchronize + opened only)
  • Proper event filtering in conditions

🔍 Observations

claude-code-review.yml:

  • Runs on all PRs regardless of author/size
  • No tool restrictions = full file system access
  • Will review itself recursively (this PR + future workflow changes)

claude.yml:

  • No tool allowlist = unrestricted capabilities
  • actions: read permission may be unused if not querying CI
  • Runs on issue assignments even w/o @claude mention

💡 Recommendations

Performance/Cost:

  1. Add PR size filter to review workflow (skip large refactors):
if: github.event.pull_request.changed_files < 50
  2. Skip workflow file reviews (prevent recursion):
paths-ignore:
  - ".github/workflows/**"

Security Hardening:

  3. Add tool allowlist to claude.yml (match code-review pattern)
  4. Consider removing issues.assigned trigger (line 9) - only fires on assignment, not @claude mentions

Clarity:

  5. Workflow naming: claude-code-review.yml vs claude.yml - suggest claude-pr-review.yml + claude-mention.yml for clarity

🎯 Verdict

Approve with minor suggestions. Workflows are functional + secure. Recommendations optimize for cost/performance + prevent edge cases. Can merge as-is or iterate - both valid given repo's experimental nature (generic/ pattern).

Priority: Consider #1 (size filter) + #2 (paths-ignore) to avoid expensive reviews on large/meta PRs.
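
The review's recommendations 1 to 4 applied to two workflow sketches, as an added example that is not part of this PR or of the bot's comment. The PR's actual workflow files are not shown on this page, so the job names, permission keys, checkout version, comment triggers and the action ref (REF_PLACEHOLDER) are assumptions.

```yaml
# Added illustration. The PR's real workflow files are not shown on the page;
# job names, permission keys, actions/checkout@v4 and the action ref are assumptions.
# --- .github/workflows/claude-code-review.yml (file name taken from the review) ---
on:
  pull_request:
    types: [opened, synchronize]
    # Recommendation 2. paths-ignore skips the run only when EVERY changed file
    # matches; a PR that edits a workflow plus other code is still reviewed.
    paths-ignore:
      - ".github/workflows/**"
jobs:
  review:
    if: github.event.pull_request.changed_files < 50   # Recommendation 1
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 1 }
      - uses: anthropics/claude-code-action@REF_PLACEHOLDER
        with:
          # Credential input omitted: its name is not shown on the page.
          allowed_tools: Bash(npm run lint),Bash(npm run test)
---
# --- .github/workflows/claude.yml (file name taken from the review) ---
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  # Recommendation 4: no "issues: types: [assigned]" trigger here.
jobs:
  claude:
    if: contains(github.event.comment.body, '@claude')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 1 }
      - uses: anthropics/claude-code-action@REF_PLACEHOLDER
        with:
          # Recommendation 3: explicit allowlist, same syntax as the PR description.
          allowed_tools: Bash(npm run lint),Bash(npm run test)
```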
