Add Claude Code GitHub Workflow

[aaomidi]

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

[claude]

Code Review: Claude Code GitHub Workflows

Summary

This PR adds two GitHub Actions workflows to integrate Claude Code with the repository. The workflows are well-structured and follow GitHub Actions best practices. I've identified a few areas for improvement around security, efficiency, and Go-specific considerations.

Positive Aspects

✅ Good security practices: Proper use of secrets, appropriate permission scoping
✅ Clear documentation: PR description thoroughly explains the purpose and usage
✅ Flexible design: Commented-out options allow for easy customization
✅ Minimal permissions: Workflows only request the permissions they need

Issues & Recommendations

1. Security: Permissions Scope

Location: .github/workflows/claude-code-review.yml:26

The id-token: write permission appears unnecessary for this workflow. This permission is typically used for OIDC token generation (e.g., AWS authentication), but there's no indication it's needed here.

Recommendation: Remove unless explicitly required by the action.

2. Workflow Efficiency: Commented File Filters

Location: .github/workflows/claude-code-review.yml:6-10

The workflow currently runs on all file changes. For a Go project, this wastes CI resources when non-code files change (e.g., README updates, docs).

Recommendation: Uncomment and adjust for Go files like **/*.go, go.mod, go.sum, and .golangci.toml.

3. Context Mismatch: File Path References

Location: .github/workflows/claude-code-review.yml:6-10

The commented path filters reference TypeScript/JavaScript files (*.ts, *.tsx, *.js, *.jsx), but this is a Go project. This suggests the workflow was copied from a template without customization.

Recommendation: Update to Go-specific paths or remove the comment entirely to avoid confusion.

4. Workflow Trigger Optimization

Location: .github/workflows/claude.yml:6-10

The workflow triggers on multiple event types but some may be redundant:

• issues.types: [opened, assigned] - triggering on "assigned" might be noisy
• pull_request_review.types: [submitted] - all reviews, even "approved" without comments

Recommendation: Consider if these are all necessary or if they create duplicate runs.

5. Resource Consideration: fetch-depth

Location: .github/workflows/claude-code-review.yml:32

Using fetch-depth: 1 (shallow clone) is efficient for most cases, but may limit Claude's ability to understand historical context or run git-based analysis.

Recommendation: Consider fetch-depth: 0 if Claude needs full git history, or leave as-is for faster checkouts.

6. Consistency: Duplicate Permissions

Location: .github/workflows/claude.yml:43

The actions: read permission is specified twice - once in the permissions block and again in additional_permissions.

Recommendation: Remove from additional_permissions since it's already granted in the main permissions block.

7. Documentation: Go-Specific Guidance

The CLAUDE.md file provides excellent Go-specific guidance (linting, error handling, concurrency), but the workflow prompt doesn't explicitly reference Go best practices.

Recommendation: Consider adding Go-specific review criteria to the prompt, such as error handling patterns (errors.Is/errors.As), concurrency and lock ordering, and golangci-lint compliance.

Test Coverage Note

These workflows don't include test execution. While that's appropriate for a review-only workflow, consider whether Claude should have the ability to run tests when requested. The existing CI workflow runs tests with race detection, which would be valuable context for reviews.

Performance Considerations

No significant performance concerns. The workflows are efficient and use appropriate caching via action defaults.

Security Assessment

Overall: Secure implementation with minor improvements recommended.

Strengths:

• OAuth token properly stored in secrets
• Limited bash tool access via allowlist
• No exposure of sensitive data

Considerations:

• Ensure CLAUDE_CODE_OAUTH_TOKEN secret is properly configured before merge
• Consider restricting which users can trigger workflows (commented PR author filter is a good option)
• The workflow can read the entire repository - ensure no sensitive data is committed

Conclusion

This is a solid implementation of Claude Code integration. The main issues are minor template artifacts (TypeScript file references) and potential permission optimization. The workflows are production-ready after addressing the Go-specific path filters.

Recommendation: Approve with suggested changes, particularly updating the file path filters to match the Go codebase.