Claude Code GitHub Actions
Bring AI automation directly into your GitHub workflow. Mention @claude in any PR or issue comment and Claude will analyse code, implement features, and create pull requests — all on your own GitHub runners.
What is Claude Code GitHub Actions?
It is a GitHub Action (anthropics/claude-code-action@v1) that runs Claude Code inside your existing CI/CD pipelines. Once installed, anyone on your team can type @claude in a PR comment or issue and Claude will respond with analysis, code changes, or even a new pull request.
Unlike the standalone Code Review feature (which automatically scans every PR), GitHub Actions gives you full control — Claude only acts when you ask it to, or when a workflow you write triggers it.
How it works
The action supports two modes — interactive mode (responds to @claude mentions in comments) and automation mode (runs immediately using a prompt you define in the workflow file). The mode is detected automatically based on your configuration.
Example — @claude in a PR comment
A developer asks Claude to review JWT security. Claude reads the code, finds an issue, and posts a detailed comment in seconds.
Security Review Complete
I've reviewed the JWT implementation in src/middleware/auth.ts. Here are my findings:
Issue found — line 34
The JWT secret is being read from process.env.SECRET without a fallback check. If the env var is missing in production, the server will start with an undefined secret, silently accepting any token.
Everything else looks good
Token expiry, algorithm (HS256), and refresh logic are all correctly implemented.
Setup
/install-github-app. It guides you through everything interactively. You need to be a repository admin.Install the Claude GitHub App
Install github.com/apps/claude to your repository. It needs Read & Write access to Contents, Issues, and Pull Requests.
Add your API key as a repository secret
Go to Repository → Settings → Secrets and variables → Actions. Create a secret named ANTHROPIC_API_KEY with your key from console.anthropic.com. Never commit the key directly to your repository.
Add the workflow file
Create .github/workflows/claude.yml in your repository. The minimal starter below makes Claude respond to every @claude mention in PR and issue comments:
Common use cases
Type these in any PR or issue comment once the action is installed.
| Task | Example command |
|---|---|
| Implement a feature | @claude implement the feature described in this issue |
| Fix a bug | @claude fix the TypeError in UserDashboard |
| Security review | @claude check this PR for security issues |
| Ask a question | @claude how should I implement rate limiting here? |
| Write tests | @claude write unit tests for the payment module |
| Explain code | @claude explain what this function does |
Automation mode — run without @claude
You can also trigger Claude automatically using any GitHub event — a scheduled cron job, every PR opened, or a push to main. Use the prompt parameter to give Claude its instructions directly in the workflow file.
name: Daily Summary
on:
schedule:
- cron: "0 9 * * 1-5" # 9 AM every weekday
jobs:
summarise:
runs-on: ubuntu-latest
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: "Summarise yesterday's merged PRs and open issues. Post the summary as a new issue."
claude_args: "--max-turns 5"name: Auto PR Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: "Review this pull request for correctness, security, and code style. Post findings as review comments."
claude_args: "--max-turns 5"Key configuration options
| Parameter | Required | Description |
|---|---|---|
| anthropic_api_key | Yes* | Your Claude API key — always use a repository secret |
| prompt | No | Instructions for automation mode. Omit to respond only to @claude mentions |
| claude_args | No | Any Claude Code CLI flags, e.g. --max-turns 5 --model claude-sonnet-4-6 |
| trigger_phrase | No | Change the trigger from @claude to something custom |
| use_bedrock | No | Set to true to route requests through Amazon Bedrock |
| use_vertex | No | Set to true to route requests through Google Vertex AI |
* Not required when using Amazon Bedrock or Google Vertex AI — use their respective credential parameters instead.
Customise behaviour with CLAUDE.md
Create a CLAUDE.md file at your repository root to define coding standards, review criteria, and project-specific rules. Claude reads this file before acting and follows the guidelines in every response.
# Project Guidelines
## Code style
- Use TypeScript strict mode
- Prefer named exports over default exports
- All async functions must handle errors explicitly
## Review focus
- Flag any use of `eval()` or `new Function()`
- Require input validation at all API boundaries
- All database queries must use parameterised statements
## PR conventions
- One logical change per PR
- Update CHANGELOG.md for user-facing changesBest practices
| Practice | Why |
|---|---|
| Keep API keys in Secrets | Never hardcode credentials in workflow files. Always reference them as ${{ secrets.ANTHROPIC_API_KEY }}. |
| Set timeouts | Add a timeout-minutes to your job and a --max-turns limit in claude_args to prevent runaway workflows. |
| Review before merging | Claude's PRs are suggestions. Always read the diff before merging, especially for security-sensitive code. |
| Keep CLAUDE.md focused | A short, specific CLAUDE.md is more effective than a long one. Focus on rules that differ from defaults. |
Troubleshooting
@claude mentions have no effect
Check the GitHub App is installed to the repository, the workflow file exists in .github/workflows/, and the ANTHROPIC_API_KEY secret is set. Also confirm you're writing @claude (not /claude).
Claude's commits don't trigger CI
GitHub Actions does not automatically re-trigger on commits made by a bot. Use a custom GitHub App (not the default GITHUB_TOKEN) and make sure workflow triggers include push events from the app.
Authentication errors in the workflow log
Verify the secret name matches exactly (ANTHROPIC_API_KEY). Check the key is still valid and not expired in your Anthropic console. For Bedrock / Vertex, confirm the credentials and role ARN are correct.
Workflow runs but Claude does nothing
If you omitted the prompt parameter, Claude only acts on @claude mentions. Make sure the comment event types in the on: block match the actual event (issue_comment vs pull_request_review_comment).
Quick reference
| Task | How |
|---|---|
| Quick install | /install-github-app inside Claude Code terminal |
| Manual install app | github.com/apps/claude |
| Store API key | Repository → Settings → Secrets → ANTHROPIC_API_KEY |
| Trigger Claude interactively | @claude <your request> in any PR or issue comment |
| Run Claude automatically | Add prompt: to your workflow file |
| Limit conversation length | claude_args: --max-turns 5 |
| Use a different model | claude_args: --model claude-opus-4-7 |
| Define coding standards | Add CLAUDE.md to repository root |
| Change trigger phrase | trigger_phrase: @bot (or any custom phrase) |
| View action source | github.com/anthropics/claude-code-action |
Before you continue
anthropics/claude-code-action@v1runs Claude on your GitHub runners when you mention @claude or define a prompt.- Interactive mode responds to comments; automation mode runs on schedule or PR events.
- Store
ANTHROPIC_API_KEYas a repository secret — never commit it. CLAUDE.mdat the repo root sets coding standards for every automated session.- Next lesson: Writing and Running Tests — generate, execute, and iterate on your test suite.
What's Next
Claude is part of your CI/CD pipeline. Next: Writing and Running Tests — using Claude to generate, execute, and iterate on your test suite.