marketing-shibata50/claude-code-ultimate-guide
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs: add GitHub Actions workflow guide + desloppify + threat-db v2.7.0

Browse source 
- guide/workflows/github-actions.md (new): 5 production patterns with
  claude-code-action (on-demand @claude, auto push review, issue triage,
  security review, scheduled maintenance), auth alternatives, cost control
- guide/ultimate-guide.md: GitHub Actions cross-ref + desloppify tool
  (vibe code quality fix-loop, community tool, ~2K stars, Feb 2026)
- examples/commands/resources/threat-db.yaml: v2.7.0, +5 threat sources
  (Azure MCP SSRF CVE-2026-26118, OpenClaw, Taskflow, Codex Security,
  DryRun Security 87% vulnerability stat)
- CLAUDE.md: Behavioral Rules section (5 rules from observed friction)
- guide/workflows/README.md: github-actions entry + quick selection row
- IDEAS.md: CI/CD Workflows Gallery marked complete
- CHANGELOG.md: [Unreleased] entries for all items

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Florian BRUNIAUX 2026-03-13 17:19:18 +01:00
parent aafb412fa4
commit b0698bfb39
7 changed files with 564 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

393
guide/workflows/github-actions.md Normal file
View file

@ -0,0 +1,393 @@
---
title: "GitHub Actions Workflows with Claude Code"
description: "Production-ready patterns for automating PR reviews, issue triage, and quality gates with claude-code-action"
tags: [workflow, ci-cd, github-actions, automation]
---
# GitHub Actions Workflows with Claude Code
> **Confidence**: Tier 1 — Official Anthropic action (`anthropics/claude-code-action`, 6.2k stars, v1.0).
Automate code reviews, issue triage, and quality gates by connecting Claude directly to your GitHub workflow. Two trigger models: `@claude` mentions (human-initiated) and scheduled/event automations (fully autonomous).
---
## Table of Contents
1. [TL;DR](#tldr)
2. [Two Models](#two-models)
3. [Setup](#setup)
4. [Pattern 1: PR Code Review on @claude Mention](#pattern-1-pr-code-review-on-claude-mention)
5. [Pattern 2: Automatic PR Review on Push](#pattern-2-automatic-pr-review-on-push)
6. [Pattern 3: Issue Triage and Labeling](#pattern-3-issue-triage-and-labeling)
7. [Pattern 4: Security-Focused Review](#pattern-4-security-focused-review)
8. [Pattern 5: Scheduled Repo Maintenance](#pattern-5-scheduled-repo-maintenance)
9. [Authentication Alternatives](#authentication-alternatives)
10. [Cost Control](#cost-control)
11. [Security Checklist](#security-checklist)
12. [See Also](#see-also)
---
## TL;DR
```yaml
# Minimal working example — paste into .github/workflows/claude.yml
name: Claude Code Review
on:
issue_comment:
types: [created]
jobs:
claude:
if: contains(github.event.comment.body, '@claude')
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```
Comment `@claude review this PR` on any PR → Claude reads the diff and posts a review.
---
## Two Models
| Model | Trigger | Use case |
|-------|---------|----------|
| **Interactive** | `@claude` mention in PR/issue comment | On-demand reviews, questions, fixes |
| **Automated** | Push, PR open, schedule, label | Continuous quality gates, triage |
Both use the same action — the difference is the `on:` block and whether you include an `if:` condition.
---
## Setup
### Quickstart (30 seconds)
In your Claude Code terminal, inside any project connected to a GitHub repo:
```
/install-github-app
```
This guides you through creating the GitHub App, adding `ANTHROPIC_API_KEY` to your repo secrets, and generating the base `claude.yml` workflow.
### Manual Setup
1. Add `ANTHROPIC_API_KEY` to your GitHub repository secrets
2. Create `.github/workflows/claude.yml` (see patterns below)
3. Grant the workflow permissions: `contents: write`, `pull-requests: write`, `issues: write`
---
## Pattern 1: PR Code Review on @claude Mention
Human-initiated. A developer comments `@claude review this PR` and Claude responds inline.
```yaml
# .github/workflows/claude-review.yml
name: Claude Interactive Review
on:
issue_comment:
types: [created, edited]
pull_request_review_comment:
types: [created]
jobs:
claude:
if: |
contains(github.event.comment.body, '@claude') ||
contains(github.event.review_comment.body, '@claude')
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
claude_env: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
```
**Usage examples:**
- `@claude review this PR` — full diff analysis with suggestions
- `@claude is this change backwards compatible?` — targeted question
- `@claude fix the failing test in src/auth.test.ts` — Claude opens a follow-up PR with the fix
---
## Pattern 2: Automatic PR Review on Push
Every PR gets a review the moment it opens or updates. No mention required.
```yaml
# .github/workflows/claude-auto-review.yml
name: Claude Auto PR Review
on:
pull_request:
types: [opened, synchronize]
# Optional: only trigger on specific paths
# paths:
# - 'src/**'
# - '!**/*.md'
jobs:
claude-review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Review this pull request. Focus on:
- Logic errors and edge cases
- Security issues (injection, auth, secrets)
- Performance regressions
- Missing error handling
Format your response as:
## Summary
One paragraph describing the change.
## Issues Found
Numbered list, severity (Critical/Major/Minor), file:line reference.
## Suggestions
Optional improvements.
Keep it under 400 words. Be direct.
```
**Tip**: Add `paths:` to avoid triggering on doc-only PRs, or `if: github.event.pull_request.draft == false` to skip drafts.
---
## Pattern 3: Issue Triage and Labeling
Claude reads new issues, assigns labels, and posts a structured triage comment.
```yaml
# .github/workflows/claude-triage.yml
name: Issue Triage
on:
issues:
types: [opened]
jobs:
triage:
runs-on: ubuntu-latest
permissions:
issues: write
contents: read
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Triage this GitHub issue:
1. Assign one label from: bug, enhancement, question, documentation, performance, security
2. Assign a priority label: priority:critical, priority:high, priority:medium, priority:low
3. Post a comment with:
- Issue type classification
- Which component is likely affected (based on the issue description)
- Next step recommendation for the reporter (reproduce steps needed? version info missing?)
Be brief. One sentence per point.
```
---
## Pattern 4: Security-Focused Review
Runs specifically for PRs touching sensitive paths (auth, payments, config).
```yaml
# .github/workflows/claude-security.yml
name: Security Review
on:
pull_request:
paths:
- 'src/auth/**'
- 'src/payments/**'
- '**/config/**'
- '**/.env*'
- '**/secrets/**'
jobs:
security-review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Perform a security-focused review of this PR. Check for:
- Injection vulnerabilities (SQL, command, LDAP)
- Authentication and authorization bypasses
- Secrets or credentials in code or comments
- Insecure direct object references
- Missing input validation
- Unsafe deserialization
- OWASP Top 10 patterns
Rate overall risk: Low / Medium / High / Critical.
If High or Critical, add the label 'security-review-required'.
List each finding with: file:line, vulnerability type, and recommended fix.
```
---
## Pattern 5: Scheduled Repo Maintenance
Weekly health check — runs without any human trigger.
```yaml
# .github/workflows/claude-maintenance.yml
name: Weekly Repo Health Check
on:
schedule:
- cron: '0 9 * * 1' # Every Monday at 9am UTC
workflow_dispatch: # Also allows manual trigger
jobs:
maintenance:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@v4
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Perform a weekly repository health check:
1. Scan package.json (or equivalent) for outdated major dependencies
2. Check for TODO/FIXME comments older than 30 days in src/
3. Identify any test files without corresponding implementation files
4. List any documentation files that reference deleted or renamed files
Open a GitHub issue titled "Weekly Health Check - [date]" with your findings.
If nothing requires attention, post a comment "Health check passed — no issues found."
```
---
## Authentication Alternatives
The examples above use `ANTHROPIC_API_KEY` directly. For teams using cloud providers:
**Amazon Bedrock:**
```yaml
- uses: anthropics/claude-code-action@v1
with:
use_bedrock: 'true'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: us-east-1
ANTHROPIC_MODEL: 'anthropic.claude-3-5-sonnet-20241022-v2:0'
```
**Google Vertex AI:**
```yaml
- uses: anthropics/claude-code-action@v1
with:
use_vertex: 'true'
env:
ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
CLOUD_ML_REGION: us-east5
ANTHROPIC_MODEL: 'claude-3-5-sonnet-v2@20241022'
```
Cloud providers benefit from data residency compliance and can leverage existing IAM policies instead of managing a separate API key.
---
## Cost Control
Automated workflows run without a human in the loop — set explicit limits.
```yaml
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
# Cap spend per workflow run
claude_args: '--max-budget-usd 0.50'
# Use Haiku for triage, Sonnet for reviews — don't default to Opus
prompt: |
...
```
**Budget guidance by pattern:**
| Pattern | Model | Approx. cost / run |
|---------|-------|--------------------|
| PR review (medium PR) | Sonnet | $0.050.15 |
| Issue triage | Haiku | $0.010.03 |
| Security review (large PR) | Sonnet | $0.100.25 |
| Scheduled maintenance | Sonnet | $0.050.20 |
Monitor actual spend with `ccusage` or the Anthropic Console usage dashboard.
**Prevent runaway costs:**
- Use `paths:` filters to avoid triggering on irrelevant changes
- Add `if: github.event.pull_request.draft == false` to skip draft PRs
- Set `concurrency:` to prevent parallel runs on the same PR
```yaml
jobs:
claude-review:
concurrency:
group: claude-${{ github.event.pull_request.number }}
cancel-in-progress: true
```
---
## Security Checklist
Before deploying to a team repo:
- [ ] `ANTHROPIC_API_KEY` stored as a GitHub secret, never in workflow YAML
- [ ] Workflow permissions are minimal — use `contents: read` unless writes are required
- [ ] For public repos: add `if: github.event.pull_request.head.repo.full_name == github.repository` to prevent fork PRs from triggering API calls
- [ ] Review what the workflow posts publicly — Claude's comments are visible to all contributors
- [ ] Use `pull_request_target` with caution — it runs with write permissions even from forks
**Fork safety pattern (public repos):**
```yaml
jobs:
claude:
# Only run on PRs from the same repo, not forks
if: github.event.pull_request.head.repo.full_name == github.repository
```
---
## See Also
- [Section 9.3 CI/CD Integration](../ultimate-guide.md#93-cicd-integration) — headless mode, Unix piping, `--output-format json`
- [Production Safety](../security/production-safety.md) — guardrails for automated agents
- [Security Hardening](../security/security-hardening.md) — MCP and webhook security
- [Official action docs](https://github.com/anthropics/claude-code-action) — solutions guide, migration, cloud providers
- [Community workflow blueprint](https://github.com/alirezarezvani/claude-code-github-workflow) — 8 workflows + 4 autonomous agents for advanced teams