marketing-shibata50/claude-code-ultimate-guide
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
claude-code-ultimate-guide/guide/workflows/github-actions.md
Florian BRUNIAUX b0698bfb39 docs: add GitHub Actions workflow guide + desloppify + threat-db v2.7.0 
- guide/workflows/github-actions.md (new): 5 production patterns with
  claude-code-action (on-demand @claude, auto push review, issue triage,
  security review, scheduled maintenance), auth alternatives, cost control
- guide/ultimate-guide.md: GitHub Actions cross-ref + desloppify tool
  (vibe code quality fix-loop, community tool, ~2K stars, Feb 2026)
- examples/commands/resources/threat-db.yaml: v2.7.0, +5 threat sources
  (Azure MCP SSRF CVE-2026-26118, OpenClaw, Taskflow, Codex Security,
  DryRun Security 87% vulnerability stat)
- CLAUDE.md: Behavioral Rules section (5 rules from observed friction)
- guide/workflows/README.md: github-actions entry + quick selection row
- IDEAS.md: CI/CD Workflows Gallery marked complete
- CHANGELOG.md: [Unreleased] entries for all items

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 17:19:18 +01:00

393 lines
No EOL
12 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "GitHub Actions Workflows with Claude Code"
description: "Production-ready patterns for automating PR reviews, issue triage, and quality gates with claude-code-action"
tags: [workflow, ci-cd, github-actions, automation]
---
# GitHub Actions Workflows with Claude Code
> **Confidence**: Tier 1 — Official Anthropic action (`anthropics/claude-code-action`, 6.2k stars, v1.0).
Automate code reviews, issue triage, and quality gates by connecting Claude directly to your GitHub workflow. Two trigger models: `@claude` mentions (human-initiated) and scheduled/event automations (fully autonomous).
---
## Table of Contents
1. [TL;DR](#tldr)
2. [Two Models](#two-models)
3. [Setup](#setup)
4. [Pattern 1: PR Code Review on @claude Mention](#pattern-1-pr-code-review-on-claude-mention)
5. [Pattern 2: Automatic PR Review on Push](#pattern-2-automatic-pr-review-on-push)
6. [Pattern 3: Issue Triage and Labeling](#pattern-3-issue-triage-and-labeling)
7. [Pattern 4: Security-Focused Review](#pattern-4-security-focused-review)
8. [Pattern 5: Scheduled Repo Maintenance](#pattern-5-scheduled-repo-maintenance)
9. [Authentication Alternatives](#authentication-alternatives)
10. [Cost Control](#cost-control)
11. [Security Checklist](#security-checklist)
12. [See Also](#see-also)
---
## TL;DR
```yaml
# Minimal working example — paste into .github/workflows/claude.yml
name: Claude Code Review
on:
issue_comment:
types: [created]
jobs:
claude:
if: contains(github.event.comment.body, '@claude')
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```
Comment `@claude review this PR` on any PR → Claude reads the diff and posts a review.
---
## Two Models
| Model | Trigger | Use case |
|-------|---------|----------|
| **Interactive** | `@claude` mention in PR/issue comment | On-demand reviews, questions, fixes |
| **Automated** | Push, PR open, schedule, label | Continuous quality gates, triage |
Both use the same action — the difference is the `on:` block and whether you include an `if:` condition.
---
## Setup
### Quickstart (30 seconds)
In your Claude Code terminal, inside any project connected to a GitHub repo:
```
/install-github-app
```
This guides you through creating the GitHub App, adding `ANTHROPIC_API_KEY` to your repo secrets, and generating the base `claude.yml` workflow.
### Manual Setup
1. Add `ANTHROPIC_API_KEY` to your GitHub repository secrets
2. Create `.github/workflows/claude.yml` (see patterns below)
3. Grant the workflow permissions: `contents: write`, `pull-requests: write`, `issues: write`
---
## Pattern 1: PR Code Review on @claude Mention
Human-initiated. A developer comments `@claude review this PR` and Claude responds inline.
```yaml
# .github/workflows/claude-review.yml
name: Claude Interactive Review
on:
issue_comment:
types: [created, edited]
pull_request_review_comment:
types: [created]
jobs:
claude:
if: |
contains(github.event.comment.body, '@claude') ||
contains(github.event.review_comment.body, '@claude')
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
claude_env: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
```
**Usage examples:**
- `@claude review this PR` — full diff analysis with suggestions
- `@claude is this change backwards compatible?` — targeted question
- `@claude fix the failing test in src/auth.test.ts` — Claude opens a follow-up PR with the fix
---
## Pattern 2: Automatic PR Review on Push
Every PR gets a review the moment it opens or updates. No mention required.
```yaml
# .github/workflows/claude-auto-review.yml
name: Claude Auto PR Review
on:
pull_request:
types: [opened, synchronize]
# Optional: only trigger on specific paths
# paths:
# - 'src/**'
# - '!**/*.md'
jobs:
claude-review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Review this pull request. Focus on:
- Logic errors and edge cases
- Security issues (injection, auth, secrets)
- Performance regressions
- Missing error handling
Format your response as:
## Summary
One paragraph describing the change.
## Issues Found
Numbered list, severity (Critical/Major/Minor), file:line reference.
## Suggestions
Optional improvements.
Keep it under 400 words. Be direct.
```
**Tip**: Add `paths:` to avoid triggering on doc-only PRs, or `if: github.event.pull_request.draft == false` to skip drafts.
---
## Pattern 3: Issue Triage and Labeling
Claude reads new issues, assigns labels, and posts a structured triage comment.
```yaml
# .github/workflows/claude-triage.yml
name: Issue Triage
on:
issues:
types: [opened]
jobs:
triage:
runs-on: ubuntu-latest
permissions:
issues: write
contents: read
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Triage this GitHub issue:
1. Assign one label from: bug, enhancement, question, documentation, performance, security
2. Assign a priority label: priority:critical, priority:high, priority:medium, priority:low
3. Post a comment with:
- Issue type classification
- Which component is likely affected (based on the issue description)
- Next step recommendation for the reporter (reproduce steps needed? version info missing?)
Be brief. One sentence per point.
```
---
## Pattern 4: Security-Focused Review
Runs specifically for PRs touching sensitive paths (auth, payments, config).
```yaml
# .github/workflows/claude-security.yml
name: Security Review
on:
pull_request:
paths:
- 'src/auth/**'
- 'src/payments/**'
- '**/config/**'
- '**/.env*'
- '**/secrets/**'
jobs:
security-review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Perform a security-focused review of this PR. Check for:
- Injection vulnerabilities (SQL, command, LDAP)
- Authentication and authorization bypasses
- Secrets or credentials in code or comments
- Insecure direct object references
- Missing input validation
- Unsafe deserialization
- OWASP Top 10 patterns
Rate overall risk: Low / Medium / High / Critical.
If High or Critical, add the label 'security-review-required'.
List each finding with: file:line, vulnerability type, and recommended fix.
```
---
## Pattern 5: Scheduled Repo Maintenance
Weekly health check — runs without any human trigger.
```yaml
# .github/workflows/claude-maintenance.yml
name: Weekly Repo Health Check
on:
schedule:
- cron: '0 9 * * 1' # Every Monday at 9am UTC
workflow_dispatch: # Also allows manual trigger
jobs:
maintenance:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@v4
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Perform a weekly repository health check:
1. Scan package.json (or equivalent) for outdated major dependencies
2. Check for TODO/FIXME comments older than 30 days in src/
3. Identify any test files without corresponding implementation files
4. List any documentation files that reference deleted or renamed files
Open a GitHub issue titled "Weekly Health Check - [date]" with your findings.
If nothing requires attention, post a comment "Health check passed — no issues found."
```
---
## Authentication Alternatives
The examples above use `ANTHROPIC_API_KEY` directly. For teams using cloud providers:
**Amazon Bedrock:**
```yaml
- uses: anthropics/claude-code-action@v1
with:
use_bedrock: 'true'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: us-east-1
ANTHROPIC_MODEL: 'anthropic.claude-3-5-sonnet-20241022-v2:0'
```
**Google Vertex AI:**
```yaml
- uses: anthropics/claude-code-action@v1
with:
use_vertex: 'true'
env:
ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
CLOUD_ML_REGION: us-east5
ANTHROPIC_MODEL: 'claude-3-5-sonnet-v2@20241022'
```
Cloud providers benefit from data residency compliance and can leverage existing IAM policies instead of managing a separate API key.
---
## Cost Control
Automated workflows run without a human in the loop — set explicit limits.
```yaml
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
# Cap spend per workflow run
claude_args: '--max-budget-usd 0.50'
# Use Haiku for triage, Sonnet for reviews — don't default to Opus
prompt: |
...
```
**Budget guidance by pattern:**
| Pattern | Model | Approx. cost / run |
|---------|-------|--------------------|
| PR review (medium PR) | Sonnet | $0.050.15 |
| Issue triage | Haiku | $0.010.03 |
| Security review (large PR) | Sonnet | $0.100.25 |
| Scheduled maintenance | Sonnet | $0.050.20 |
Monitor actual spend with `ccusage` or the Anthropic Console usage dashboard.
**Prevent runaway costs:**
- Use `paths:` filters to avoid triggering on irrelevant changes
- Add `if: github.event.pull_request.draft == false` to skip draft PRs
- Set `concurrency:` to prevent parallel runs on the same PR
```yaml
jobs:
claude-review:
concurrency:
group: claude-${{ github.event.pull_request.number }}
cancel-in-progress: true
```
---
## Security Checklist
Before deploying to a team repo:
- [ ] `ANTHROPIC_API_KEY` stored as a GitHub secret, never in workflow YAML
- [ ] Workflow permissions are minimal — use `contents: read` unless writes are required
- [ ] For public repos: add `if: github.event.pull_request.head.repo.full_name == github.repository` to prevent fork PRs from triggering API calls
- [ ] Review what the workflow posts publicly — Claude's comments are visible to all contributors
- [ ] Use `pull_request_target` with caution — it runs with write permissions even from forks
**Fork safety pattern (public repos):**
```yaml
jobs:
claude:
# Only run on PRs from the same repo, not forks
if: github.event.pull_request.head.repo.full_name == github.repository
```
---
## See Also
- [Section 9.3 CI/CD Integration](../ultimate-guide.md#93-cicd-integration) — headless mode, Unix piping, `--output-format json`
- [Production Safety](../security/production-safety.md) — guardrails for automated agents
- [Security Hardening](../security/security-hardening.md) — MCP and webhook security
- [Official action docs](https://github.com/anthropics/claude-code-action) — solutions guide, migration, cloud providers
- [Community workflow blueprint](https://github.com/alirezarezvani/claude-code-github-workflow) — 8 workflows + 4 autonomous agents for advanced teams
Reference in a new issue View git blame Copy permalink