⚙️Lesson 24

Claude Code GitHub Actions

Bring AI automation directly into your GitHub workflow. Mention @claude in any PR or issue comment and Claude will analyse code, implement features, and create pull requests — all on your own GitHub runners.

@claude mention in commentsAuto PR creationWorks in CI pipelinesCLAUDE.md aware

What is Claude Code GitHub Actions?

It is a GitHub Action (anthropics/claude-code-action@v1) that runs Claude Code inside your existing CI/CD pipelines. Once installed, anyone on your team can type @claude in a PR comment or issue and Claude will respond with analysis, code changes, or even a new pull request.

Unlike the standalone Code Review feature (which automatically scans every PR), GitHub Actions gives you full control — Claude only acts when you ask it to, or when a workflow you write triggers it.

How it works

💬

@claude mention

→

🔄

Workflow triggers

→

🤖

Claude runs on runner

→

📝

Comment / PR posted

The action supports two modes — interactive mode (responds to @claude mentions in comments) and automation mode (runs immediately using a prompt you define in the workflow file). The mode is detected automatically based on your configuration.

Example — @claude in a PR comment

A developer asks Claude to review JWT security. Claude reads the code, finds an issue, and posts a detailed comment in seconds.

Open

feat: add user authentication middleware#142

sarah-r2 minutes ago

@claude review this PR and check for any security issues with the JWT implementation

🤖

claude-code[bot]botjust now

✅ Security Review Complete

I've reviewed the JWT implementation in src/middleware/auth.ts. Here are my findings:

⚠️ Issue found — line 34

The JWT secret is being read from process.env.SECRET without a fallback check. If the env var is missing in production, the server will start with an undefined secret, silently accepting any token.

✅ Everything else looks good

Token expiry, algorithm (HS256), and refresh logic are all correctly implemented.

Setup

💡 Tip: The fastest way is to open Claude Code in your terminal and run /install-github-app. It guides you through everything interactively. You need to be a repository admin.

Install the Claude GitHub App

Install github.com/apps/claude to your repository. It needs Read & Write access to Contents, Issues, and Pull Requests.

Add your API key as a repository secret

Go to Repository → Settings → Secrets and variables → Actions. Create a secret named ANTHROPIC_API_KEY with your key from console.anthropic.com. Never commit the key directly to your repository.

Add the workflow file

Create .github/workflows/claude.yml in your repository. The minimal starter below makes Claude respond to every @claude mention in PR and issue comments:

📁.github / workflows /claude.yml
1name: Claude Code
2on:
3  issue_comment:
4    types: [created]
5  pull_request_review_comment:
6    types: [created]
7
8jobs:
9  claude:
10    runs-on: ubuntu-latest
11    steps:
12      - uses: anthropics/claude-code-action@v1
13        with:
14          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
15          # Responds to @claude mentions in PR / issue comments

Common use cases

Type these in any PR or issue comment once the action is installed.

🔨

Implement a feature

@claude implement the feature described in this issue

Claude reads the issue, writes the code, and opens a pull request.

🐛

Fix a bug

@claude fix the TypeError in UserDashboard

Claude locates the error, applies a fix, and explains the change.

🔍

Security review

@claude check this PR for security issues

Claude reviews the diff and leaves inline comments where needed.

❓

Ask a question

@claude how should I implement rate limiting here?

Claude answers with context-aware suggestions based on your codebase.

🧪

Write tests

@claude write unit tests for the payment module

Claude generates tests matching your existing test framework.

📖

Explain code

@claude explain what this function does

Claude gives a clear plain-English explanation of any code block.

Automation mode — run without @claude

You can also trigger Claude automatically using any GitHub event — a scheduled cron job, every PR opened, or a push to main. Use the prompt parameter to give Claude its instructions directly in the workflow file.

.github/workflows/daily-summary.yml

name: Daily Summary
on:
  schedule:
    - cron: "0 9 * * 1-5"   # 9 AM every weekday

jobs:
  summarise:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: "Summarise yesterday's merged PRs and open issues. Post the summary as a new issue."
          claude_args: "--max-turns 5"

.github/workflows/pr-review.yml

name: Auto PR Review
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: "Review this pull request for correctness, security, and code style. Post findings as review comments."
          claude_args: "--max-turns 5"

Key configuration options

Parameter	Required	Description
anthropic_api_key	Yes*	Your Claude API key — always use a repository secret
prompt	No	Instructions for automation mode. Omit to respond only to @claude mentions
claude_args	No	Any Claude Code CLI flags, e.g. --max-turns 5 --model claude-sonnet-4-6
trigger_phrase	No	Change the trigger from @claude to something custom
use_bedrock	No	Set to true to route requests through Amazon Bedrock
use_vertex	No	Set to true to route requests through Google Vertex AI

* Not required when using Amazon Bedrock or Google Vertex AI — use their respective credential parameters instead.

Customise behaviour with CLAUDE.md

Create a CLAUDE.md file at your repository root to define coding standards, review criteria, and project-specific rules. Claude reads this file before acting and follows the guidelines in every response.

CLAUDE.md

# Project Guidelines

## Code style
- Use TypeScript strict mode
- Prefer named exports over default exports
- All async functions must handle errors explicitly

## Review focus
- Flag any use of `eval()` or `new Function()`
- Require input validation at all API boundaries
- All database queries must use parameterised statements

## PR conventions
- One logical change per PR
- Update CHANGELOG.md for user-facing changes

Best practices

🔒

Keep API keys in Secrets

Never hardcode credentials in workflow files. Always reference them as ${{ secrets.ANTHROPIC_API_KEY }}.

⏱️

Set timeouts

Add a timeout-minutes to your job and a --max-turns limit in claude_args to prevent runaway workflows.

👀

Review before merging

Claude's PRs are suggestions. Always read the diff before merging, especially for security-sensitive code.

📄

Keep CLAUDE.md focused

A short, specific CLAUDE.md is more effective than a long one. Focus on rules that differ from defaults.

Troubleshooting

❌ @claude mentions have no effect

Check the GitHub App is installed to the repository, the workflow file exists in .github/workflows/, and the ANTHROPIC_API_KEY secret is set. Also confirm you're writing @claude (not /claude).

❌ Claude's commits don't trigger CI

GitHub Actions does not automatically re-trigger on commits made by a bot. Use a custom GitHub App (not the default GITHUB_TOKEN) and make sure workflow triggers include push events from the app.

❌ Authentication errors in the workflow log

Verify the secret name matches exactly (ANTHROPIC_API_KEY). Check the key is still valid and not expired in your Anthropic console. For Bedrock / Vertex, confirm the credentials and role ARN are correct.

❌ Workflow runs but Claude does nothing

If you omitted the prompt parameter, Claude only acts on @claude mentions. Make sure the comment event types in the on: block match the actual event (issue_comment vs pull_request_review_comment).

Quick Reference

Task	How
Quick install	`/install-github-app` inside Claude Code terminal
Manual install app	github.com/apps/claude
Store API key	Repository → Settings → Secrets → ANTHROPIC_API_KEY
Trigger Claude interactively	@claude <your request> in any PR or issue comment
Run Claude automatically	Add prompt: to your workflow file
Limit conversation length	claude_args: --max-turns 5
Use a different model	claude_args: --model claude-opus-4-7
Define coding standards	Add CLAUDE.md to repository root
Change trigger phrase	trigger_phrase: @bot (or any custom phrase)
View action source	github.com/anthropics/claude-code-action

What's Next

Claude is part of your CI/CD pipeline. Next: Writing and Running Tests — using Claude to generate, execute, and iterate on your test suite.

← PREVIOUS

Permission Modes

Writing & Running Tests