Skip to content

Add Claude Code GitHub Actions workflows#41

Merged
jnasbyupgrade merged 6 commits into
Postgres-Extensions:masterfrom
jnasbyupgrade:add-claude-github-actions
Jul 14, 2026
Merged

Add Claude Code GitHub Actions workflows#41
jnasbyupgrade merged 6 commits into
Postgres-Extensions:masterfrom
jnasbyupgrade:add-claude-github-actions

Conversation

@jnasbyupgrade

@jnasbyupgrade jnasbyupgrade commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Adds the Claude Code GitHub Actions workflows: claude.yml (responds to @claude mentions in issues/PRs) and claude-code-review.yml (automated review on new PRs).

Requires the CLAUDE_CODE_OAUTH_TOKEN secret (a Claude subscription token from claude setup-token) and the Claude GitHub App granted access to this repo.

Paired pgxntool-test PR: Postgres-Extensions/pgxntool-test#26

Replaces the /install-github-app auto-generated PR, which targeted the fork and had a verbose boilerplate description.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: ba5e1c2b-fdbf-4f58-8d09-d4c1794994bf

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Added two GitHub Actions workflows: one automatically invokes Claude Code for selected pull request events, and another responds to @claude mentions in issues, comments, and reviews. Both use anthropics/claude-code-action@v1 with the configured OAuth token and scoped permissions.

Estimated code review effort: 2 (Simple) | ~10 minutes

Poem

I’m a rabbit reviewing workflows bright,
Claude hops in when pull requests ignite.
Mentions ring out, the action takes flight,
Tokens and permissions tucked in tight.
Carrots for CI—what a delightful sight!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed It clearly summarizes the main change: adding Claude Code GitHub Actions workflows.
Description check ✅ Passed The description matches the workflows added and the setup requirements for Claude Code.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/claude-code-review.yml:
- Around line 21-27: Add a timeout-minutes setting to the workflow job
containing the runs-on and permissions configuration, using an appropriate
finite duration to prevent stuck Claude runs from consuming the runner’s full
default timeout.
- Around line 3-11: Add workflow-level concurrency control to the pull_request
workflow in claude-code-review.yml, using a group keyed to the pull request or
workflow identity and cancel-in-progress enabled so rapid synchronize events do
not overlap. Align the configuration with the existing claude.yml concurrency
behavior.
- Around line 29-41: Update the workflow’s actions/checkout and
anthropics/claude-code-action references to immutable commit SHAs instead of
mutable version tags, and configure checkout with persist-credentials disabled.
Apply the same changes to the corresponding identical workflow pattern
referenced in the review.
- Around line 4-5: Update the pull_request trigger configuration in the Claude
review workflow to skip draft pull requests, including pushes while a PR remains
draft, while preserving reviews for ready-for-review and subsequent non-draft
updates.
- Around line 39-40: Update the claude-code-action configuration around
plugin_marketplaces and plugins so the code-review plugin resolves from a forked
or vendored marketplace with a stable pinned revision instead of the upstream
default branch. Preserve the existing review plugin selection while replacing
the unpinnable upstream marketplace reference.

In @.github/workflows/claude.yml:
- Around line 28-38: Update the workflow steps around Checkout repository and
Run Claude Code to pin both actions to immutable commit SHAs instead of mutable
tags, and configure actions/checkout with persist-credentials: false. Preserve
the existing checkout depth and Claude Code OAuth token configuration.
- Around line 20-26: Add a timeout-minutes setting to the workflow job in
claude.yml, matching the timeout configuration used by claude-code-review.yml.
Place it at the job level alongside runs-on and permissions, using the
established timeout value.
- Around line 3-11: Add a concurrency configuration to the workflow triggered by
issue comments, pull request review comments, issues, and pull request reviews.
Use a stable workflow- and ref-scoped concurrency group, and configure
cancellation behavior consistently with claude-code-review.yml while preserving
these existing triggers.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5b527f90-b8e6-4118-9784-0ad05fed134f

📥 Commits

Reviewing files that changed from the base of the PR and between b062fca and 3a6cb68.

📒 Files selected for processing (2)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml

Comment on lines +3 to +11
on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

No concurrency control (see consolidated comment).

This workflow re-runs on every synchronize; without a concurrency group, rapid pushes can pile up overlapping review runs. Consolidated below with claude.yml.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 3-3: truthy value should be one of [false, true]

(truthy)

🪛 zizmor (1.26.1)

[warning] 3-11: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-code-review.yml around lines 3 - 11, Add
workflow-level concurrency control to the pull_request workflow in
claude-code-review.yml, using a group keyed to the pull request or workflow
identity and cancel-in-progress enabled so rapid synchronize events do not
overlap. Align the configuration with the existing claude.yml concurrency
behavior.

Source: Linters/SAST tools

Comment on lines +4 to +5
pull_request:
types: [opened, synchronize, ready_for_review, reopened]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Consider skipping draft PRs.

opened/synchronize fire even while the PR is still a draft, so Claude re-reviews on every push before the author is ready — wasted API/CI spend.

♻️ Suggested guard
 jobs:
   claude-review:
+    if: github.event.pull_request.draft == false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
pull_request:
types: [opened, synchronize, ready_for_review, reopened]
jobs:
claude-review:
if: github.event.pull_request.draft == false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-code-review.yml around lines 4 - 5, Update the
pull_request trigger configuration in the Claude review workflow to skip draft
pull requests, including pushes while a PR remains draft, while preserving
reviews for ready-for-review and subsequent non-draft updates.

Comment on lines +21 to +27
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Add a job timeout.

No timeout-minutes is set, so a stuck or looping Claude run can consume the full default runner timeout on every PR push.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 24-24: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-code-review.yml around lines 21 - 27, Add a
timeout-minutes setting to the workflow job containing the runs-on and
permissions configuration, using an appropriate finite duration to prevent stuck
Claude runs from consuming the runner’s full default timeout.

Source: Linters/SAST tools

Comment on lines +29 to +41
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Unpinned action refs and default credential persistence (see consolidated comment).

actions/checkout@v4 and anthropics/claude-code-action@v1 are pinned to mutable tags, and checkout leaves persist-credentials at its default (true). Details and fix consolidated below since claude.yml has the identical pattern.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 29-32: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-code-review.yml around lines 29 - 41, Update the
workflow’s actions/checkout and anthropics/claude-code-action references to
immutable commit SHAs instead of mutable version tags, and configure checkout
with persist-credentials disabled. Apply the same changes to the corresponding
identical workflow pattern referenced in the review.

Source: Linters/SAST tools

Comment thread .github/workflows/claude-code-review.yml
Comment thread .github/workflows/claude.yml
Comment thread .github/workflows/claude.yml
Comment thread .github/workflows/claude.yml Outdated
Comment on lines +28 to +38
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Unpinned action refs and default credential persistence (see consolidated comment).

Same pattern as claude-code-review.yml: actions/checkout@v4 and anthropics/claude-code-action@v1 pinned to mutable tags, checkout without persist-credentials: false. Consolidated below.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 28-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 35-35: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude.yml around lines 28 - 38, Update the workflow steps
around Checkout repository and Run Claude Code to pin both actions to immutable
commit SHAs instead of mutable tags, and configure actions/checkout with
persist-credentials: false. Preserve the existing checkout depth and Claude Code
OAuth token configuration.

Source: Linters/SAST tools

jnasbyupgrade and others added 5 commits July 13, 2026 17:30
`claude-code-review.yml` used `on: pull_request`, which gets no secrets on fork
PRs, so CLAUDE_CODE_OAUTH_TOKEN was empty and review never ran for our
fork-based PRs. Switch to `pull_request_target` (runs in the base repo with the
secret available) and gate the job to PRs from the jnasbyupgrade fork only, so
external forks can't trigger the secret-bearing job. Check out the PR head
read-only (persist-credentials: false); no PR code is built or executed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
)

- Add concurrency groups (cancel stale review runs; serialize @claude without
  cancelling in-progress responses).
- Add timeout-minutes: 30 to both jobs.
- Skip draft PRs in the auto-review.
- Pin actions/checkout and anthropics/claude-code-action to immutable SHAs.
- persist-credentials: false on all checkouts.

(plugin_marketplaces can't be pinned — it tracks the marketplace default branch.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Revert the SHA pins on actions/checkout and anthropics/claude-code-action back
to @v4/@v1. For these first-party actions we want upstream fixes to flow in
automatically rather than freezing at a SHA. (CodeRabbit/zizmor will flag the
unpinned refs; that's an accepted trade-off here.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@claude mentions are independent, read-only requests; serializing only delays
responses and cancelling would drop them. Concurrency stays on
claude-code-review.yml (cancel stale review runs), where it's useful.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
git subtree copies pgxntool's entire tree into embedding projects, including
dev-only dirs (.github/, .claude/) that are export-ignored from `make dist` and
don't belong in a consumer. subtree doesn't honor export-ignore, so
update-setup-files.sh (run by pgxntool-sync) now prunes them via a new
prune_pgxntool_dev_dirs helper in lib.sh. GitHub only runs root-level workflows,
so a consumer's pgxntool/.github never executed anyway — this just keeps the
embedded copy clean.

Related changes in pgxntool-test:
- Test that update-setup-files.sh prunes pgxntool/.github

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jnasbyupgrade jnasbyupgrade merged commit 64d6708 into Postgres-Extensions:master Jul 14, 2026
2 of 3 checks passed
jnasbyupgrade added a commit to Postgres-Extensions/pgxntool-test that referenced this pull request Jul 14, 2026
Adds the Claude Code GitHub Actions workflows: `claude.yml` (responds to
`@claude` mentions in issues/PRs) and `claude-code-review.yml`
(automated review on new PRs).

Requires the `CLAUDE_CODE_OAUTH_TOKEN` secret (a Claude subscription
token from `claude setup-token`) and the Claude GitHub App granted
access to this repo.

Paired pgxntool PR:
Postgres-Extensions/pgxntool#41

Replaces the `/install-github-app` auto-generated PR, which targeted the
fork and had a verbose boilerplate description.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jnasbyupgrade added a commit to Postgres-Extensions/pgxntool-test that referenced this pull request Jul 14, 2026
Adds the Claude Code GitHub Actions workflows: `claude.yml` (responds to
`@claude` mentions in issues/PRs) and `claude-code-review.yml`
(automated review on new PRs).

Requires the `CLAUDE_CODE_OAUTH_TOKEN` secret (a Claude subscription
token from `claude setup-token`) and the Claude GitHub App granted
access to this repo.

Paired pgxntool PR:
Postgres-Extensions/pgxntool#41

Replaces the `/install-github-app` auto-generated PR, which targeted the
fork and had a verbose boilerplate description.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jnasbyupgrade added a commit to Postgres-Extensions/pgxntool-test that referenced this pull request Jul 14, 2026
Adds the Claude Code GitHub Actions workflows: `claude.yml` (responds to
`@claude` mentions in issues/PRs) and `claude-code-review.yml`
(automated review on new PRs).

Requires the `CLAUDE_CODE_OAUTH_TOKEN` secret (a Claude subscription
token from `claude setup-token`) and the Claude GitHub App granted
access to this repo.

Paired pgxntool PR:
Postgres-Extensions/pgxntool#41

Replaces the `/install-github-app` auto-generated PR, which targeted the
fork and had a verbose boilerplate description.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jnasbyupgrade added a commit that referenced this pull request Jul 14, 2026
Adds the Claude Code GitHub Actions workflows: `claude.yml` (responds to
`@claude` mentions in issues/PRs) and `claude-code-review.yml`
(automated review on new PRs).

Requires the `CLAUDE_CODE_OAUTH_TOKEN` secret (a Claude subscription
token from `claude setup-token`) and the Claude GitHub App granted
access to this repo.

Paired pgxntool-test PR:
Postgres-Extensions/pgxntool-test#26

Replaces the `/install-github-app` auto-generated PR, which targeted the
fork and had a verbose boilerplate description.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant