Add Claude Code GitHub Workflow

[limehawk]

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

[claude]

Code Review: Claude Code GitHub Workflow Integration

Thanks for setting up the Claude Code integration! I've reviewed the PR and have the following feedback:

✅ Strengths

1. Security Best Practices

   • Properly uses GitHub secrets for API token storage
   • Permissions are appropriately scoped (read-only for most resources)
   • Only users with write access can trigger workflows
   • All runs are logged in GitHub Actions history

2. Well-Structured Workflows

   • Two separate workflows for different use cases (mentions vs automatic review)
   • Clear conditional logic for triggering Claude
   • Good use of GitHub Actions permissions model

3. Good Documentation

   • Excellent PR description explaining what Claude Code is and how it works
   • Clear instructions on when the workflow takes effect
   • Helpful examples for customization

🔍 Code Quality Observations

claude.yml

• Clean implementation of the mention-based trigger
• Comprehensive event coverage (issue comments, PR review comments, etc.)
• Good conditional filtering to only run when @claude is mentioned
• Nice addition of actions: read permission for CI integration

claude-code-review.yml

• Automatic code review on PR open/sync is a powerful feature
• Properly scoped bash tool permissions for GitHub CLI operations
• Clear, actionable review prompt

🚨 Potential Issues & Recommendations

1. Workflow Scope May Be Too Broad

The claude-code-review.yml workflow runs on ALL pull requests without filtering. For an RMM scripts repository, this might trigger unnecessarily on PRs that only modify documentation.

Recommendation: Consider uncommenting and adapting the paths filter to match your repository structure:

paths:
  - "scripts/**/*.ps1"
  - "scripts/**/*.sh"
  - "docs/powershell_script_guidelines.md"
  - "docs/bash_script_guidelines.md"

2. Duplicate Review Comments

If someone opens a PR and later comments @claude on it, you might get two reviews - one automatic from claude-code-review.yml and one from the mention. This could be confusing or redundant.

Recommendation: Consider one of these approaches:

• Remove automatic reviews and rely only on @claude mentions
• Add logic to skip automatic review if the PR author is a maintainer
• Uncomment the author filter to only auto-review external/new contributors

3. Missing Repository-Specific Context

The review prompt in claude-code-review.yml is generic and doesn't leverage your CLAUDE.md file effectively.

Recommendation: Enhance the prompt to reference the Limehawk Script Framework requirements specifically. The prompt should ask Claude to verify VERSION updates, CHANGELOG entries, snake_case naming, hardcoded inputs, and other framework requirements.

4. Checkout Depth

Both workflows use fetch-depth: 1 which only fetches the latest commit. This is fine for most cases, but Claude might benefit from more git history for context.

Recommendation: Consider increasing to fetch-depth: 10 or fetch-depth: 0 (full history) if Claude needs more context about changes.

5. Tool Permissions Inconsistency

claude-code-review.yml has explicit allowed tools, but claude.yml has commented-out tool restrictions.

Recommendation: For security and consistency, uncomment and configure allowed tools in claude.yml to match the review workflow's approach.

🎯 Performance Considerations

• Workflow Efficiency: Running on every PR sync could accumulate costs if you have active development. The paths filter would help optimize this.
• API Rate Limits: Be mindful of Anthropic API rate limits if you have many simultaneous PRs or @claude mentions.

🛡️ Security Concerns

1. Secret Rotation: Ensure you have a process to rotate CLAUDE_CODE_OAUTH_TOKEN periodically
2. Tool Access: The current bash tool permissions are appropriately restrictive, which is good
3. No Write Permissions: Good that workflows don't request contents: write - keeps Claude in advisory role

🧪 Test Coverage

Missing: There are no tests for the workflows themselves.

Recommendation: After merging, consider:

1. Testing @claude mentions on a test issue
2. Opening a test PR to verify automatic review works
3. Checking that review comments are helpful and actionable
4. Documenting the testing results in the wiki

📋 Action Items (Optional Improvements)

• Add paths filter to claude-code-review.yml to target script files
• Enhance the review prompt to reference Limehawk Script Framework requirements
• Consider author filtering to avoid duplicate reviews
• Add consistent tool permissions to both workflows
• Document Claude Code usage in the repository wiki

✅ Verdict

This is a solid implementation that follows GitHub Actions best practices. The workflows are well-structured and secure. The suggested improvements are optional optimizations that could make the integration more efficient and repository-specific.

Recommendation: ✅ Approve with suggested enhancements

The PR is safe to merge as-is. The optional improvements can be addressed in follow-up PRs based on real-world usage patterns.