🐙GitHub Actions with Claude Code
Automate PR reviews, issue triage, and code quality checks in CI
GitHub Actions with Claude Code
GitHub Actions is GitHub's built-in CI/CD platform that lets you automate workflows directly inside your repository. When combined with Claude Code, you unlock powerful AI-driven automation: pull request reviews, issue triage, code quality scanning, test generation, and much more — all running automatically on every push, pull request, or schedule.
Why Use Claude Code in CI?
Manually reviewing every pull request, triaging every issue, and scanning for security problems is time-consuming. By integrating Claude Code into GitHub Actions, you gain:
- Automated PR reviews — Claude reads diffs and leaves inline review comments on every pull request
- Issue triage — Claude reads new issues and applies labels, assigns priority, and suggests relevant team members
- Security scanning — Claude analyzes code for common vulnerabilities, injection risks, and secret exposure
- Test generation — Claude generates unit test suggestions based on changed code
- Changelog generation — Claude summarizes changes into human-readable release notes
- Consistent quality — Every PR gets the same thorough review, regardless of reviewer availability
The Official Claude Code GitHub Action
Anthropic provides an official GitHub Action for Claude Code:
# Use the official action
- uses: anthropics/claude-code-action@v1This action allows you to run Claude Code inside any GitHub Actions workflow. It supports:
- Reading repository files and pull request diffs
- Posting review comments on PRs
- Labeling and triaging issues
- Running arbitrary Claude Code commands
- Using tools and extended thinking
Key Features of the Action
| Feature | Description |
|---|---|
| PR review | Reads diffs and posts inline comments |
| Issue triage | Labels and categorizes new issues |
| Code analysis | Scans for bugs, style, and security |
| Custom prompts | You define exactly what Claude checks |
| Cost controls | Set max token limits per run |
| Model selection | Choose which Claude model to use |
Setting Up Your First Workflow
GitHub Actions workflows live in the .github/workflows directory of your repository. Each workflow is a YAML file that defines triggers, jobs, and steps.
Step 1: Create the Workflow Directory
mkdir -p .github/workflowsStep 2: Create a Workflow File
Create .github/workflows/claude-review.yml:
name: Claude PR Review
on:
pull_request:
types: [opened, synchronize, reopened]
permissions:
contents: read
pull-requests: write
issues: write
jobs:
review:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Claude Code Review
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Review this pull request. Focus on:
1. Code correctness and potential bugs
2. Security vulnerabilities
3. Performance issues
4. Code style and readability
5. Missing error handling
Be specific and actionable in your feedback.
For each issue found, suggest a concrete fix.Understanding the Workflow Structure
Let's break down each section:
on — Defines when the workflow runs. Here it triggers on every pull request event:
opened— A new PR is createdsynchronize— New commits are pushed to an existing PRreopened— A previously closed PR is reopened
permissions — GitHub token permissions required:
contents: read— Read repository filespull-requests: write— Post review comments on PRsissues: write— Needed for some labeling operations
steps — The sequence of operations:
- Checkout the repository code
- Run the Claude Code action with your API key and a custom prompt
Automated PR Review Workflow
Here is a comprehensive PR review workflow that checks multiple quality dimensions:
name: Comprehensive Claude PR Review
on:
pull_request:
types: [opened, synchronize, reopened]
permissions:
contents: read
pull-requests: write
jobs:
claude-review:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Claude Code Review
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
model: claude-sonnet-4-20250514
max_tokens: 4096
prompt: |
You are a senior code reviewer. Analyze this PR thoroughly.
## Review Checklist
- [ ] No obvious bugs or logic errors
- [ ] Error handling is adequate
- [ ] No security vulnerabilities (SQL injection, XSS, etc.)
- [ ] No hardcoded secrets or credentials
- [ ] Performance is reasonable (no N+1 queries, unnecessary loops)
- [ ] Code follows project conventions
- [ ] New code has appropriate test coverage
- [ ] Documentation is updated if needed
## Output Format
For each issue, provide:
- File and line number
- Severity: critical / warning / suggestion
- Description of the issue
- Suggested fix with code snippet
If the PR looks good, say so explicitly and highlight
what was done well.Issue Triage and Labeling
Claude can automatically triage new issues, apply labels, and suggest next steps:
name: Claude Issue Triage
on:
issues:
types: [opened]
permissions:
issues: write
contents: read
jobs:
triage:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Triage Issue with Claude
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Analyze this new GitHub issue and perform triage.
1. Categorize the issue as one of:
- bug
- feature-request
- documentation
- question
- performance
- security
2. Assign a priority:
- P0: Critical, needs immediate fix
- P1: High priority, fix this sprint
- P2: Medium priority, plan for next sprint
- P3: Low priority, nice to have
3. Suggest relevant labels from the repository's
existing label set.
4. If it's a bug report, check if:
- Steps to reproduce are provided
- Expected vs actual behavior is described
- Environment details are included
Ask the author for any missing information.
5. If it appears to be a duplicate, note similar
existing issues.Security Scanning Workflow
Run Claude as a security scanner on every push to critical branches:
name: Claude Security Scan
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
permissions:
contents: read
pull-requests: write
security-events: write
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Claude Security Analysis
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
model: claude-sonnet-4-20250514
prompt: |
Perform a security audit on the changed files.
Check for:
1. Hardcoded secrets, API keys, or passwords
2. SQL injection vulnerabilities
3. Cross-site scripting (XSS) risks
4. Insecure deserialization
5. Path traversal vulnerabilities
6. Insecure direct object references
7. Missing input validation
8. Insecure cryptographic practices
9. Exposed debug endpoints
10. Missing authentication or authorization checks
For each finding:
- Severity: CRITICAL / HIGH / MEDIUM / LOW
- CWE reference if applicable
- Exact file and line
- Remediation steps with code exampleTest Generation Workflow
Automatically suggest tests for new code:
name: Claude Test Suggestions
on:
pull_request:
types: [opened, synchronize]
permissions:
contents: read
pull-requests: write
jobs:
suggest-tests:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Generate Test Suggestions
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Analyze the changed files in this PR and suggest
unit tests that should be written.
For each changed function or module:
1. List the happy-path test cases
2. List edge cases and boundary conditions
3. List error scenarios that should be tested
4. Provide example test code using the project's
existing test framework
Focus on tests that catch real bugs, not trivial
getter/setter tests.Changelog Generation Workflow
Automatically generate release notes from merged PRs:
name: Claude Changelog
on:
release:
types: [created]
permissions:
contents: write
jobs:
generate-changelog:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Generate Changelog
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Generate release notes for the latest release.
Read the git log since the last tag and categorize
changes into:
## New Features
## Bug Fixes
## Performance Improvements
## Breaking Changes
## Documentation Updates
Write in a user-friendly tone. Each entry should
explain what changed and why it matters, not just
repeat the commit message.Secrets Configuration
Your Claude API key must be stored as a GitHub repository secret, never hardcoded in workflow files.
Adding the Secret
- Go to your repository on GitHub
- Navigate to Settings > Secrets and variables > Actions
- Click New repository secret
- Name:
ANTHROPIC_API_KEY - Value: Your Anthropic API key (starts with
sk-ant-) - Click Add secret
Using Secrets in Workflows
Reference secrets using the secrets context:
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}Environment-Level Secrets
For different API keys per environment (staging vs production):
jobs:
review:
runs-on: ubuntu-latest
environment: production
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}Organization-Level Secrets
If you manage multiple repositories, set secrets at the organization level to share them across all repos without duplicating configuration.
Permissions and Security Best Practices
Principle of Least Privilege
Always request only the minimum permissions your workflow needs:
permissions:
contents: read # Read repo files
pull-requests: write # Post PR comments
issues: write # Label issues
# Do NOT add permissions you don't needBranch Protection Rules
Combine Claude reviews with branch protection:
- Require the Claude review check to pass before merging
- Require at least one human approval in addition to Claude
- Prevent direct pushes to main — all changes go through PRs
Token Permissions Matrix
| Scope | read | write | When needed |
|---|---|---|---|
| contents | Yes | Rarely | Read code, write changelogs |
| pull-requests | Yes | Yes | Read and comment on PRs |
| issues | No | Yes | Label and triage issues |
| security-events | No | Yes | Report security findings |
| actions | No | No | Rarely needed |
Cost Management in CI
Running AI models in CI can add up. Here are strategies to keep costs under control:
1. Limit Token Usage
with:
max_tokens: 2048 # Cap output tokens per run2. Filter Which Files Trigger Reviews
on:
pull_request:
paths:
- 'src/**'
- 'lib/**'
- '!**/*.md' # Skip documentation-only changes
- '!**/*.txt'
- '!.github/**' # Skip workflow file changes3. Skip Trivial PRs
jobs:
review:
if: |
github.event.pull_request.draft == false &&
github.event.pull_request.changed_files > 0
runs-on: ubuntu-latest4. Use Cost-Effective Models for Triage
Use a smaller model for simple tasks and a larger one for deep reviews:
# For issue triage (simpler task)
with:
model: claude-haiku-4-20250514
# For security scanning (complex task)
with:
model: claude-sonnet-4-202505145. Set Monthly Budget Alerts
Monitor your Anthropic API usage dashboard and configure spending alerts to avoid surprise bills.
6. Cache Where Possible
If your workflow reads large files that don't change often, consider caching strategies to avoid re-reading them on every run.
Cost Estimation Table
| Workflow | Runs/Month | Avg Tokens | Est. Cost |
|---|---|---|---|
| PR review | 100 | 3,000 | ~$3–5 |
| Issue triage | 50 | 1,000 | ~$0.50 |
| Security scan | 30 | 5,000 | ~$3–4 |
| Test suggestions | 100 | 2,000 | ~$2–3 |
Costs vary by model and token pricing. Check the Anthropic pricing page for current rates.
Putting It All Together: Multi-Workflow Repository
A well-configured repository might have all of these workflows running together:
.github/
workflows/
claude-pr-review.yml # Runs on every PR
claude-issue-triage.yml # Runs on new issues
claude-security-scan.yml # Runs on pushes to main
claude-test-suggestions.yml # Runs on PRs with code changes
claude-changelog.yml # Runs on new releases
Each workflow is independent and focused on one task. This separation makes it easy to enable, disable, or modify individual automations without affecting the others.
Workflow Status Badges
Add status badges to your README to show workflow health:
Debugging and Troubleshooting
Common Issues
| Problem | Cause | Solution |
|---|---|---|
| Action fails with 401 | Invalid API key | Check your secret is named correctly and not expired |
| No comments appear | Missing permissions | Add pull-requests: write to permissions |
| Workflow never triggers | Wrong event type | Verify the on section matches your use case |
| Timeout errors | PR too large | Increase timeout or limit file paths |
| High costs | No token limits | Add max_tokens and path filters |
Viewing Workflow Logs
- Go to the Actions tab in your repository
- Click on the workflow run
- Expand the step to see Claude's output and any errors
Testing Workflows Locally
Use act to test GitHub Actions locally before pushing:
# Install act
brew install act
# Run a specific workflow
act pull_request -W .github/workflows/claude-review.ymlSummary
| Concept | What You Learned |
|---|---|
| GitHub Actions | CI/CD platform built into GitHub |
| Claude Code Action | Official action for running Claude in workflows |
| PR review | Automated code review on every pull request |
| Issue triage | Automatic labeling and categorization |
| Security scanning | AI-powered vulnerability detection |
| Test generation | Suggested tests for changed code |
| Changelog | Automated release notes |
| Secrets | Secure storage of API keys |
| Permissions | Least-privilege access control |
| Cost management | Token limits, path filters, model selection |
By integrating Claude Code into GitHub Actions, you transform your CI pipeline into an intelligent development assistant that catches issues early, maintains code quality, and automates tedious tasks — all while keeping costs under control.