Add Claude Code GitHub Workflow

[koriym]

Summary by Sourcery

Introduce two GitHub Action workflows to integrate the Claude AI action for automated code reviews and on-demand assistance via triggers in pull requests and issue comments.

New Features:

• Add 'Claude Code Review' GitHub workflow to automatically review pull requests using Claude AI on open and synchronize events
• Add 'Claude Code' GitHub workflow to trigger Claude AI interactions on issues, PR review comments, and issue comments when tagged with '@claude'

Summary by CodeRabbit

• Chores
  • Added automated code review workflow to enhance code quality and security feedback.
  • Added on-demand code assistance workflow triggered via repository comments.
  • Updated repository license year to 2025.

[sourcery-ai]

Reviewer's Guide

Introduces two new GitHub Action workflows to integrate the Claude AI assistant for automated code reviews on pull requests and for on-demand AI-driven interactions when explicitly mentioned, each configured with custom triggers, permissions, checkout steps, and calls to the anthropics/claude-code-action.

Sequence diagram for Claude Code Review workflow on pull request

sequenceDiagram
  participant GitHub
  participant "Claude Code Review Workflow"
  participant "actions/checkout@v4"
  participant "anthropics/claude-code-action@v1"
  participant "Claude AI"

  GitHub->>"Claude Code Review Workflow": Trigger on PR opened/synchronize
  "Claude Code Review Workflow"->>"actions/checkout@v4": Checkout repository
  "Claude Code Review Workflow"->>"anthropics/claude-code-action@v1": Run code review action
  "anthropics/claude-code-action@v1"->>"Claude AI": Review PR and provide feedback
  "Claude AI"->>GitHub: Post review comment on PR

Loading

Sequence diagram for Claude Code workflow on @claude mention

sequenceDiagram
  participant GitHub
  participant "Claude Code Workflow"
  participant "actions/checkout@v4"
  participant "anthropics/claude-code-action@v1"
  participant "Claude AI"

  GitHub->>"Claude Code Workflow": Trigger on comment/review/issue with @claude
  "Claude Code Workflow"->>"actions/checkout@v4": Checkout repository
  "Claude Code Workflow"->>"anthropics/claude-code-action@v1": Run Claude action
  "anthropics/claude-code-action@v1"->>"Claude AI": Process request
  "Claude AI"->>GitHub: Respond to comment/issue

Loading

File-Level Changes

Change	Details	Files
Add automated pull request review workflow using Claude	Configure trigger on pull_request events (opened, synchronize) Define job permissions for contents, pull-requests, issues, and id-token Checkout repository with actions/checkout@v4 at fetch-depth 1 Invoke anthropics/claude-code-action@v1 with OAuth token, structured prompt, and claude_args	.github/workflows/claude-code-review.yml
Add mention-triggered AI assistant workflow	Set up triggers on issue_comment, pull_request_review_comment, issues, and pull_request_review events Apply an if-condition to only run when '@claude' is present in comments or titles Checkout repository and run anthropics/claude-code-action@v1 with OAuth token Grant additional permissions for actions: read to allow CI results retrieval	.github/workflows/claude.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Walkthrough

Two new GitHub Actions workflows integrate Claude for automated and interactive code reviews. The first triggers automatically on pull requests to perform code reviews, while the second enables on-demand Claude interactions via comments. The LICENSE copyright year is updated to 2025.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/claude-code-review.yml, .github/workflows/claude.yml	Added two new workflows: one for automatic code review on PRs using anthropics/claude-code-action, and one for interactive Claude assistance triggered by @claude mentions in comments. Both configure permissions, pass repository/PR context to Claude, and enable CLI tools for feedback delivery.
License Update LICENSE	Updated copyright year from 2012-2024 to 2012-2025.

Sequence Diagram(s)

sequenceDiagram
    participant User as User/PR
    participant GHA as GitHub Actions
    participant Claude as Claude Code Action
    participant GH as GitHub API

    rect rgb(200, 220, 255)
    Note over GHA,Claude: claude-code-review.yml (Automatic)
    User->>GHA: PR opened/updated
    GHA->>Claude: Trigger with PR context
    Claude->>Claude: Analyze code quality,<br/>bugs, performance, security
    Claude->>GH: Post review comments
    GH->>User: Display feedback
    end

    rect rgb(220, 200, 255)
    Note over GHA,Claude: claude.yml (Interactive)
    User->>GH: Comment with @claude
    GHA->>GHA: Detect @claude trigger
    GHA->>Claude: Invoke with comment/context
    Claude->>GH: Reply with assistance
    GH->>User: Display response
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Verify YAML syntax correctness for both workflows
• Validate GitHub Actions permissions align with principle of least privilege
• Confirm the Claude action version and configuration parameters are appropriate
• Review the conditional logic for workflow triggers (@claude mentions in claude.yml)

Poem

🐰 Claude hops into the workflow today,
Reviewing code in a thoughtful way,
Comments and checks now flow with ease,
Catching bugs with GitHub's gentle breeze,
Two workflows dance, one prompt, one request—
CodeRabbit's friends bring out the best! 🎉

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Add Claude Code GitHub Workflow" accurately describes the primary changes in this pull request. The changeset introduces two new GitHub Actions workflows (claude-code-review.yml and claude.yml) designed to integrate Claude code review automation. The title is concise, specific, and clearly communicates the main objective without unnecessary noise or vague terminology. The LICENSE copyright year update is a minor secondary change that aligns with the workflow additions and does not diminish the accuracy of the title.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

Blocking issues:

• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `.github/workflows/claude-code-review.yml:36` </location>
<code_context>
        uses: anthropics/claude-code-action@v1
</code_context>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

### Comment 2
<location> `.github/workflows/claude.yml:35` </location>
<code_context>
        uses: anthropics/claude-code-action@v1
</code_context>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Source: opengrep

[sourcery-ai]

security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Source: opengrep

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (3936771) to head (6e0b1e6).
⚠️ Report is 30 commits behind head on 1.x.

Additional details and impacted files

@@             Coverage Diff             @@
##                 1.x      #120   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
- Complexity       106       130   +24     
===========================================
  Files             14        13    -1     
  Lines            275       283    +8     
===========================================
+ Hits             275       283    +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/claude-code-review.yml (1)

3-5: Consider adding rate limiting or conditions to prevent unnecessary workflow runs.

The workflow triggers on every PR open/synchronize without conditional filtering. On an active repository, this could lead to many Claude API calls. Consider adding:

• Conditional filters based on PR author (commented option at lines 15-19)
• File path filters (commented option at lines 7-11)
• Exclusion of draft PRs or specific labels

This would make the workflow more cost-effective and targeted.

.github/workflows/claude.yml (1)

33-37: Action verified as available and maintained; document setup requirements for contributors.

The anthropics/claude-code-action@v1 is actively maintained with v1.0.9 released Sep 27, 2025, and is GA-status. However, no CONTRIBUTING.md or setup documentation was found in the repository. The workflow depends on secrets.CLAUDE_CODE_OAUTH_TOKEN being pre-configured—add documentation to guide contributors through this setup requirement.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b345ebf and 6e0b1e6.

📒 Files selected for processing (3)

• .github/workflows/claude-code-review.yml (1 hunks)
• .github/workflows/claude.yml (1 hunks)
• LICENSE (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: ci / PHPUnit - PHP 8.5 (windows-latest, highest)
• GitHub Check: Sourcery review

🔇 Additional comments (4)

LICENSE (1)

3-3: Copyright year updated correctly.

The year range has been appropriately updated to reflect 2025.

.github/workflows/claude.yml (2)

1-50: Well-structured interactive Claude workflow.

The on-demand design with @claude triggers is flexible and user-friendly. The optional prompt and claude_args customizations make it adaptable for different use cases.

---

15-19: Conditional logic verified—no issues found.

The if condition correctly handles all trigger events with appropriate field references:

• issue_comment and pull_request_review_comment both check comment.body ✓
• pull_request_review checks review.body ✓
• issues checks both issue.body and issue.title ✓

All event combinations will properly trigger Claude when @claude is detected.

.github/workflows/claude-code-review.yml (1)

36-56: anthropics/claude-code-action@v1 is actively maintained.

The action is maintained with published v1 releases and documentation from Anthropic, showing recent activity. The workflow correctly references this action. Ensure that secrets.CLAUDE_CODE_OAUTH_TOKEN is configured in the repository settings before enabling this workflow on live PRs.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify CLAUDE.md exists in repository.

The prompt references "the repository's CLAUDE.md" for style guidance, but there's no confirmation this file exists. If it doesn't, Claude won't have style guidance and the review may be less consistent with project conventions.

---

🏁 Script executed:

#!/bin/bash
# Description: Check if CLAUDE.md exists in repository

if [ -f "CLAUDE.md" ]; then
  echo "✓ CLAUDE.md found at repository root"
  head -20 CLAUDE.md
else
  echo "✗ CLAUDE.md not found"
  find . -name "CLAUDE.md" -type f 2>/dev/null || echo "No CLAUDE.md found anywhere"
fi

Length of output: 21

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Search for any references to CLAUDE.md or guidance documentation in the codebase

echo "=== Searching for CLAUDE.md references ==="
rg -i "claude\.md" --type-list | head -20 || true

echo -e "\n=== Searching for style guide or conventions references ==="
rg -i "(style.*guide|coding.*standard|convention)" -C2 .github/workflows/ || true

echo -e "\n=== Checking for other documentation files ==="
fd -e md | grep -iE "(guide|style|convention|readme)" | head -20 || true

Length of output: 614

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Search for CLAUDE.md references and documentation structure

echo "=== Searching for CLAUDE.md references ==="
rg "claude\.md" -i || echo "No CLAUDE.md references found"

echo -e "\n=== Listing all markdown files ==="
fd -e md | sort

echo -e "\n=== Checking workflow file content ==="
if [ -f ".github/workflows/claude-code-review.yml" ]; then
  echo "Workflow file found:"
  cat ".github/workflows/claude-code-review.yml"
else
  echo "Workflow file not found at .github/workflows/claude-code-review.yml"
  find . -name "claude-code-review.yml" -type f 2>/dev/null || echo "No workflow file found"
fi

Length of output: 2200

---

Create CLAUDE.md or remove the reference from the workflow prompt.

The workflow explicitly instructs Claude to use "the repository's CLAUDE.md" for style guidance, but this file does not exist anywhere in the repository. This will cause Claude to lack guidance on style and conventions during code reviews.

Options to fix:

1. Create CLAUDE.md at the repository root with your project's style guide and coding conventions
2. Remove the CLAUDE.md reference from the prompt in the workflow and replace with inline guidance, or reference existing documentation (e.g., README.md)

🤖 Prompt for AI Agents

.github/workflows/claude-code-review.yml around line 50: the workflow references
a non-existent CLAUDE.md for style guidance which will break reviewer prompts;
either add a CLAUDE.md at repo root containing your style and convention
guidance, or remove/replace the reference in the workflow prompt with inline
guidance or an existing doc (e.g., README.md) so the workflow points to an
actual file or includes the needed guidance directly.

[koriym]

Exists now.

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if CLAUDE.md now exists in the repository

echo "=== Checking for CLAUDE.md in repository ==="
if [ -f "CLAUDE.md" ]; then
  echo "✓ CLAUDE.md found at repository root"
  echo ""
  echo "=== File size and basic info ==="
  ls -lh CLAUDE.md
  echo ""
  echo "=== First 30 lines of CLAUDE.md ==="
  head -30 CLAUDE.md
else
  echo "✗ CLAUDE.md not found at repository root"
  echo ""
  echo "=== Searching for CLAUDE.md anywhere in the repository ==="
  find . -name "CLAUDE.md" -type f 2>/dev/null || echo "No CLAUDE.md found anywhere in repository"
fi

Length of output: 145

---

🏁 Script executed:

#!/bin/bash
# Check recent commits and git status to see if CLAUDE.md was added

echo "=== Checking recent commits in current branch ==="
git log --oneline -10

echo ""
echo "=== Checking for any CLAUDE.md in recent commits ==="
git log --all --oneline --name-only | grep -i "CLAUDE.md" || echo "No CLAUDE.md found in commit history"

echo ""
echo "=== Current branch ==="
git branch --show-current

echo ""
echo "=== All files in repository root ==="
ls -la | head -20

Length of output: 1908

---

🏁 Script executed:

#!/bin/bash
# Check which branch has CLAUDE.md and get its content

echo "=== Finding which branch(es) contain CLAUDE.md ==="
git branch -a --contains $(git log --all --format=%H --name-only | grep -B1 "^CLAUDE.md$" | head -1) 2>/dev/null || echo "Could not determine branch"

echo ""
echo "=== Checking commits that added CLAUDE.md ==="
git log --all --oneline --diff-filter=A -- CLAUDE.md

echo ""
echo "=== Getting CLAUDE.md content from the commit ==="
COMMIT_WITH_CLAUDE=$(git log --all --oneline --diff-filter=A -- CLAUDE.md | head -1 | cut -d' ' -f1)
if [ -n "$COMMIT_WITH_CLAUDE" ]; then
  echo "Found CLAUDE.md in commit: $COMMIT_WITH_CLAUDE"
  echo ""
  echo "=== Content of CLAUDE.md ==="
  git show $COMMIT_WITH_CLAUDE:CLAUDE.md | head -50
else
  echo "Could not find commit with CLAUDE.md"
fi

echo ""
echo "=== Checking if it exists in origin/add-claude-github-actions-1761412869230 ==="
git ls-tree -r origin/add-claude-github-actions-1761412869230 --name-only | grep -i CLAUDE || echo "Not found in source branch"

Length of output: 3142

---

🏁 Script executed:

#!/bin/bash
# Check if CLAUDE.md exists in the target branch (1.x)

echo "=== Checking for CLAUDE.md in origin/1.x (target branch) ==="
git ls-tree -r origin/1.x --name-only | grep -i CLAUDE

echo ""
echo "=== Getting CLAUDE.md from origin/1.x ==="
git show origin/1.x:CLAUDE.md 2>/dev/null && echo "" && echo "✓ CLAUDE.md exists in target branch 1.x" || echo "✗ CLAUDE.md not found in 1.x"

echo ""
echo "=== Commit history for CLAUDE.md ==="
git log origin/1.x --oneline -- CLAUDE.md | head -5

Length of output: 6383

---

@koriym Perfect! I can confirm that CLAUDE.md exists in the target branch (1.x) and contains comprehensive guidance for Claude Code. The file includes:

• Project overview and architecture details
• Core compilation flow and runtime execution
• Development commands and testing instructions
• Key concepts like dependency indexing, injection points, and scope handling
• PHP version requirements and best practices

Since this PR is targeting the 1.x branch where CLAUDE.md already exists, the workflow will have access to the style guidance when it runs. The reference in line 50 of the workflow is valid and will work correctly! ✅

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!