ci: add Claude Code GitHub workflow

[michen00]

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

---

Note

Medium Risk
Introduces new GitHub Actions workflows that can run on PR and comment events using an external action and OIDC token permissions; misconfiguration could increase CI noise or permissions exposure.

Overview
Adds two new GitHub Actions workflows integrating anthropics/claude-code-action@v1.

claude.yml runs when issues/PRs are commented/reviewed with @claude, granting read permissions (including actions: read) plus id-token: write and optionally passing through additional permissions.

claude-code-review.yml adds an automated PR review job triggered on PR lifecycle events, invoking the code-review plugin with a fixed /code-review:code-review prompt against the current PR.

^{Written by Cursor Bugbot for commit ffa79c2. Configure here.}

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ffa79c2494

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Guard secret-backed review job on forked pull requests

This workflow runs on pull_request events but unconditionally injects secrets.CLAUDE_CODE_OAUTH_TOKEN; for PRs opened from forks, GitHub does not expose repository secrets to the run, so the Claude step will fail on every synchronize/update from external contributors instead of producing a review. Because this repo already accepts first-time/external PRs, this creates a recurring red CI signal unless the job is explicitly skipped for forks (or moved to a safe pull_request_target design).

Useful? React with 👍 / 👎.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

This PR is being reviewed by Cursor Bugbot

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Wrong marketplace name in plugin reference breaks review

High Severity

The plugins value references marketplace claude-code-plugins, but the actual marketplace name for https://github.com/anthropics/claude-code.git is anthropics/claude-code. The official plugin install syntax is plugin-name@anthropics/claude-code (e.g., /plugin install agent-sdk-dev@anthropics/claude-code), so the plugins field here needs to be code-review@anthropics/claude-code. Using the non-existent claude-code-plugins marketplace name will prevent the code-review plugin from being resolved, causing the entire code review workflow to fail silently or with an error on every PR.

 

[Copilot]

Pull request overview

Adds GitHub Actions workflows to integrate the anthropics/claude-code-action into the repo, enabling “@claude”-triggered runs and an automated PR review job.

Changes:

• Add a comment/review/issue-triggered workflow that runs Claude Code when @claude is mentioned.
• Add an automated “Claude Code Review” workflow that runs on PR lifecycle events and invokes the code-review plugin.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

File	Description
.github/workflows/claude.yml	New workflow to run Claude when @claude appears in issue/PR comments or reviews.
.github/workflows/claude-code-review.yml	New workflow to automatically run Claude-based code review on PR events.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The job-level if only checks for an @claude mention, so any GitHub user who can comment on an issue/PR can trigger this workflow and cause repository secrets (e.g., CLAUDE_CODE_OAUTH_TOKEN) to be used. This contradicts the PR description’s claim that only users with write access can trigger it and is a security/cost risk. Add an authorization gate (e.g., require author_association in OWNER|MEMBER|COLLABORATOR / check repo permissions via API) in addition to the mention check.

Suggested change

	(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
	(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
	(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
	(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
	(
	(
	github.event_name == 'issue_comment' &&
	(
	github.event.comment.author_association == 'OWNER' ||
	github.event.comment.author_association == 'MEMBER' ||
	github.event.comment.author_association == 'COLLABORATOR'
	)
	) ||
	(
	github.event_name == 'pull_request_review_comment' &&
	(
	github.event.comment.author_association == 'OWNER' ||
	github.event.comment.author_association == 'MEMBER' ||
	github.event.comment.author_association == 'COLLABORATOR'
	)
	) ||
	(
	github.event_name == 'pull_request_review' &&
	(
	github.event.review.author_association == 'OWNER' ||
	github.event.review.author_association == 'MEMBER' ||
	github.event.review.author_association == 'COLLABORATOR'
	)
	) ||
	(
	github.event_name == 'issues' &&
	(
	github.event.issue.author_association == 'OWNER' ||
	github.event.issue.author_association == 'MEMBER' ||
	github.event.issue.author_association == 'COLLABORATOR'
	)
	)
	) &&
	(
	(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
	(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
	(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
	(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
	)

[Copilot]

issues is configured to trigger on assigned, but the job condition only checks the issue title/body for @claude. Assigning an issue won’t change those fields, so this will create unnecessary (skipped) workflow runs and CI noise. Consider removing assigned from the trigger types (or adjust the condition to match what you actually want to run on assignment).

Suggested change

	types: [opened, assigned]
	types: [opened]

[Copilot]

This workflow uses CLAUDE_CODE_OAUTH_TOKEN, but pull_request workflows from forks do not receive repository secrets. As written, runs for forked PRs will fail at this step (and could block contributors if the check is required). Add a job-level guard to skip forks (e.g., require github.event.pull_request.head.repo.full_name == github.repository) or otherwise handle missing secrets explicitly.

[Copilot]

There is no concurrency configured for this job. On rapid successive pushes to a PR, multiple synchronize events will queue redundant Claude review runs in parallel, increasing CI noise and token usage. Consider adding a per-PR concurrency group with cancel-in-progress: true (similar to other workflows in this repo).

Suggested change

	concurrency:
	group: claude-review-${{ github.repository }}-pr-${{ github.event.pull_request.number }}
	cancel-in-progress: true

[Copilot]

Repo workflows consistently use actions/checkout@v6 (e.g., .github/workflows/CI.yml). To keep versions consistent (and pick up the latest fixes/features already adopted here), update this workflow to use actions/checkout@v6 as well.

Suggested change

	uses: actions/checkout@v4
	uses: actions/checkout@v6

[Copilot]

Repo workflows consistently use actions/checkout@v6 (e.g., .github/workflows/CI.yml). To keep versions consistent (and pick up the latest fixes/features already adopted here), update this workflow to use actions/checkout@v6 as well.

Suggested change

	uses: actions/checkout@v4
	uses: actions/checkout@v6