Add Claude Code GitHub Workflow

[firozwp]

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

[claude]

Claude finished @firozwp's task —— View job

---

Code Review Complete

I've completed a comprehensive review of the Claude Code GitHub workflow integration. Here's my detailed analysis:

Review Tasks:

• Read repository guidelines from CLAUDE.md
• Analyze the new claude-code-review.yml workflow
• Review modifications to existing claude.yml workflow
• Check security implications and best practices
• Assess workflow configurations and potential issues
• Provide final recommendations

---

Summary

This PR adds a comprehensive Claude Code integration with two workflows:

1. New automated code review workflow (claude-code-review.yml)
2. Updated interactive Claude workflow (claude.yml)

Key Findings

✅ Strengths

1. Security-First Design

   • Proper minimal permissions with contents: read, pull-requests: read, issues: read
   • Secure authentication via OAuth token in secrets
   • No hardcoded sensitive values

2. Clean Action Upgrade

   • Migrated from @beta to stable @v1 release
   • Updated from deprecated action name Claude PR Assistant to Claude Code
   • Modernized job naming (claude-code-action → claude)

3. Enhanced Trigger Logic

   • Added support for @claude mentions in issue titles: contains(github.event.issue.title, '@claude')
   • Comprehensive event coverage for all interaction points

4. Flexible Configuration

   • Well-commented optional configurations for filtering by paths, authors, and contributor types
   • Clear documentation references for customization

🔍 Areas for Consideration

1. New Code Review Workflow Concerns

File: .github/workflows/claude-code-review.yml

Issue: The workflow uses an unofficial plugin system that may pose risks:

plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'

Recommendations:

• Verify the claude-code-plugins repository is official and maintained by Anthropic
• Consider starting with the simpler interactive workflow first
• Test this thoroughly in a development environment before enabling on main

Security Note: External plugin systems can introduce supply chain risks. Ensure you trust the plugin source.

2. Missing Repository-Specific Configuration

For BuddyBoss Platform, consider customizing the paths filter to focus on relevant file types:

paths:
  - "src/**/*.php"          # PHP source files
  - "src/**/*.js"           # JavaScript
  - "src/**/*.scss"         # Styles
  - "tests/**/*.php"        # Test files
  - "*.md"                  # Documentation

This would reduce unnecessary runs on irrelevant changes (like workflow files, configs, etc.).

3. Resource Management

Missing Considerations:

• No timeout configuration (could run indefinitely)
• No concurrency limits (multiple PRs could trigger simultaneous reviews)

Suggested additions:

timeout-minutes: 30  # Prevent runaway jobs
concurrency:
  group: claude-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true  # Cancel older runs for same PR

4. Integration with Development Workflow

Based on CLAUDE.md, consider adding Claude-specific tool allowances:

claude_args: |
  --allowed-tools \
    Bash(composer lint-php) \
    Bash(npm run lint-js) \
    Bash(composer test)

This would let Claude run your established linting and testing commands.

🚨 Critical Security Review

Overall Assessment: SECURE ✅

1. Authentication: Uses secure OAuth token pattern
2. Permissions: Minimal necessary permissions granted
3. Secrets: No hardcoded secrets or credentials
4. Network Access: No unrestricted network access
5. Code Execution: Limited to Anthropic's official action

🎯 Specific Recommendations

For Immediate Deployment:

1. Start with the updated claude.yml only - it's proven and secure
2. Test the code review workflow in a development repo first
3. Add concurrency controls to prevent resource conflicts

For Enhanced Security:

# Add to claude-code-review.yml
if: |
  github.event.pull_request.author_association == 'COLLABORATOR' ||
  github.event.pull_request.author_association == 'MEMBER'

For BuddyBoss Optimization:

• Add file path filters for PHP/JS/SCSS files
• Consider adding wordpress to the environment context for better assistance
• Set appropriate timeouts based on typical PR review needs

Overall Verdict

✅ APPROVE with minor suggestions

This is a well-implemented Claude Code integration that follows GitHub Actions best practices. The security model is solid, and the upgrade from beta to v1 is appropriate.

Key Actions:

1. Merge the updated claude.yml - ready for production
2. Consider testing claude-code-review.yml in development first
3. Implement the suggested concurrency and path filtering enhancements

The code quality is high, follows proper security practices, and aligns well with the BuddyBoss Platform development workflow as documented in CLAUDE.md.

---