CC-301d · Module 3

Claude Code GitHub Action Setup

4 min read

The Claude Code GitHub Action (anthropics/claude-code-action) runs Claude Code as an automated reviewer on your pull requests. When a PR is opened, updated, or when someone tags @claude in a PR comment, the action spins up a Claude Code instance, loads your repository's CLAUDE.md, reviews the diff, and posts review comments. It is the same Claude Code you use locally, running in a CI environment with full access to your project context.

The setup requires three components. First: a GitHub Actions workflow file (.github/workflows/claude-review.yml) that defines when the action triggers and what permissions it has. Second: an Anthropic API key stored as a GitHub secret (ANTHROPIC_API_KEY). Third: your project's CLAUDE.md, which the action loads for project-specific rules and context. The action reads CLAUDE.md just like a local Claude Code session, so your rules — naming conventions, architectural constraints, prohibited patterns — are enforced in automated review.

The workflow configuration determines when the action fires. The standard triggers are: pull_request (fires on PR open and update) and issue_comment (fires when someone comments on a PR). The issue_comment trigger enables on-demand reviews — a developer tags @claude in a comment and asks a specific question: "@claude is this migration safe for our production database?" or "@claude review the error handling in this PR." This is more practical than reviewing every PR automatically, because it lets developers choose when AI review adds value.

Permissions are critical. The action needs read access to repository contents (to clone and analyze the code) and write access to pull requests (to post review comments). It should not have write access to repository contents — you do not want an automated reviewer pushing code changes. The principle of least privilege applies: give the action exactly the permissions it needs for review and nothing more.

name: Claude Code Review
on:
  pull_request:
    types: [opened, synchronize]
  issue_comment:
    types: [created]

permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    if: |
      github.event_name == 'pull_request' ||
      (github.event_name == 'issue_comment' &&
       contains(github.event.comment.body, '@claude'))
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}