Add Claude Code GitHub Workflow

[zircote]

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

[Copilot]

Pull request overview

Adds GitHub Actions workflows to integrate Claude Code into the repository for interactive assistance and automated PR reviews.

Changes:

• Adds an @claude-triggered workflow for issue/PR comment and review events.
• Adds a PR-triggered workflow intended to run a Claude-based code review plugin on pull requests.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

File	Description
.github/workflows/claude.yml	Introduces an @claude mention-triggered workflow that runs the Claude Code action on comments/reviews/issues.
.github/workflows/claude-code-review.yml	Introduces an automatic PR workflow to run a Claude Code Review plugin on PR lifecycle events.

[Copilot]

The workflow can be triggered by any commenter who includes "@claude" (issue comments, PR review comments, PR reviews) and by anyone opening an issue with "@claude" in the title/body. This contradicts the PR description’s claim that only users with write access can trigger the workflow and is a security risk because it allows untrusted users to run the action (and potentially access repository context/secrets). Add an author trust check to the if: condition (e.g., restrict to OWNER/MEMBER/COLLABORATOR or a maintained allowlist) for each event type you support.

Suggested change

	(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
	(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
	(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
	(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
	(github.event_name == 'issue_comment' &&
	contains(github.event.comment.body, '@claude') &&
	contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
	) ||
	(github.event_name == 'pull_request_review_comment' &&
	contains(github.event.comment.body, '@claude') &&
	contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
	) ||
	(github.event_name == 'pull_request_review' &&
	contains(github.event.review.body, '@claude') &&
	contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
	) ||
	(github.event_name == 'issues' &&
	(contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
	contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
	)

[Copilot]

The job-level permissions are read-only for contents, pull-requests, and issues, but the PR description states Claude can create comments/branches/commits. With the current permissions, the workflow will not be able to post comments or push changes via GITHUB_TOKEN. Update the workflow permissions to match the intended capabilities (e.g., at least issues: write / pull-requests: write, and only add contents: write if you actually want Claude to be able to push commits).

[Copilot]

Repository convention: other workflows start with a YAML document header and quote the on key (e.g., .github/workflows/ci.yml:1-5, .github/workflows/copilot-setup-steps.yml:1-6). To keep workflow files consistent (and avoid YAML tooling edge cases around on), consider adding --- and using "on": here as well.

[Copilot]

This workflow runs on every PR open/sync/etc (no if: gating), which doesn’t match the PR description’s behavior of running only when someone mentions @claude in a comment. If the intent is “on-demand via mention”, add an if: filter (or change triggers) so you don’t run Claude on all PRs by default.

[Copilot]

This workflow uses secrets.CLAUDE_CODE_OAUTH_TOKEN on the pull_request event. For PRs from forks, GitHub does not provide repository secrets, so this job will fail noisily on external contributions. Add an if: guard to skip forks (e.g., only run when github.event.pull_request.head.repo.full_name == github.repository) or otherwise handle the missing secret case explicitly.

[Copilot]

Repository convention: other workflows include a YAML document header and quote the on key (e.g., .github/workflows/ci.yml:1-5, .github/workflows/copilot-setup-steps.yml:1-6). Consider adding --- and using "on": here for consistency with the rest of the repo’s workflows.

[zircote]

@copilot open a new pull request to apply changes based on the comments in this thread

[Copilot]

@zircote I've opened a new pull request, #2, to work on those changes. Once the pull request is ready, I'll request review from you.