
Add Claude Code GitHub Workflow#4

Merged
martin-augment merged 2 commits into main from add-claude-github-actions-1762422569476 on Nov 6, 2025

Conversation

@martin-augment
Owner

@martin-augment martin-augment commented Nov 6, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:

        allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!


Note

Adds two GitHub Actions workflows to run Claude Code on @claude mentions and to auto-review PRs with predefined permissions and tools.

  • CI/GitHub Actions:
    • New workflow /.github/workflows/claude.yml:
      • Triggers on issue/PR comments and reviews containing @claude, and on issue events.
      • Runs anthropics/claude-code-action@v1 with read permissions (incl. actions) and optional additional_permissions.
    • New workflow /.github/workflows/claude-code-review.yml:
      • Triggers on PR opened/synchronize to run automated code reviews with a custom prompt.
      • Configures allowed gh Bash tools via claude_args for commenting and PR/issue queries.

Written by Cursor Bugbot for commit c48e244.

@martin-augment martin-augment merged commit 25b1fcd into main Nov 6, 2025
3 of 5 checks passed
@martin-augment martin-augment deleted the add-claude-github-actions-1762422569476 branch November 6, 2025 09:49
contents: read
pull-requests: read
issues: read
id-token: write
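Review bot: the only write scope in this permissions block, id-token: write, has no comment explaining what it is used for, whereas the actions: read line in the other workflow's fragment is annotated ("Required for Claude to read CI results on PRs"). Add a matching comment on id-token: write stating what the action exchanges the OIDC token for, so a later reviewer can tell the write scope is deliberate and minimal rather than a leftover.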

Bug: Workflow permission mismatch blocks PR commenting

The workflow permissions only grant read access to pull-requests and issues, but the workflow instructs Claude to use gh pr comment (line 52) to leave comments on PRs. Commenting on pull requests requires pull-requests: write permission. Without write permission, the gh pr comment command will fail with a permission denied error, preventing Claude from posting its code review.


pull-requests: read
issues: read
id-token: write
actions: read # Required for Claude to read CI results on PRs

Bug: Missing write permissions for Claude responses

The workflow permissions only grant read access to pull-requests and issues, but Claude needs to write comments in response to @claude mentions. The workflow is triggered by comments on issues and PRs (lines 4-11) and Claude needs to respond by creating comments, which requires pull-requests: write and issues: write permissions. Without write permissions, Claude cannot post responses to user requests.


@claude

claude bot commented Nov 6, 2025

Code Review for Claude Code GitHub Workflow

Thank you for adding the Claude Code integration! This is a well-structured PR that adds useful automation capabilities. Here's my detailed review:


✅ Positives

  1. Clear Documentation: The PR description is comprehensive and explains what Claude Code is, how it works, and security considerations
  2. Dual Workflow Approach: Separating interactive @claude mentions from automatic PR reviews is a good design choice
  3. Security Considerations: The workflows appropriately use secrets and limit permissions to what's needed
  4. Flexible Configuration: The commented-out sections provide good examples for future customization

🔍 Issues & Recommendations

Critical: Missing Apache License Headers

Issue: Both workflow files are missing the Apache Software Foundation (ASF) license headers that are required in this repository.

Evidence: All other workflow files in .github/workflows/ include the ASF license header (see rust.yml:1-16).

Required Fix: Add this header to both files:

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

Files affected:

  • .github/workflows/claude.yml:1
  • .github/workflows/claude-code-review.yml:1

High Priority: Consider Concurrency Control

Issue: The workflows don't include concurrency controls, which could lead to multiple Claude instances running simultaneously on the same PR.

Recommendation: Add concurrency control like other workflows in this repo (see rust.yml:20-22):

concurrency:
  group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-${{ github.workflow }}
  cancel-in-progress: true

Benefits:

  • Prevents wasted CI resources from duplicate runs
  • Avoids potential race conditions with multiple Claude instances
  • Aligns with existing repository patterns

Medium Priority: Security & Access Control

Observations:

  1. Write Access Requirement: The PR description mentions "Only users with write access to the repository can trigger the workflow" but this isn't enforced in the workflow file. Consider adding explicit checks if this is a security requirement.

  2. Broad Trigger Scope (claude-code-review.yml): The workflow runs on ALL PRs when they're opened or synchronized. For a large active repository like DataFusion, this could:

    • Generate significant API costs
    • Create noise if Claude comments on every PR
    • Overwhelm contributors with automated feedback

    Recommendation: Consider one or more of these approaches:

    • Use the commented paths: filter to only review code files (uncomment lines 6-10)
    • Use the commented author filter to only review PRs from specific contributors
    • Add a label-based trigger (e.g., only run when needs-review label is applied)
    • Start with manual @claude reviews only and add auto-review later if desired
  3. Permission Granularity: The additional_permissions in claude.yml:40-41 grants actions: read. While this is documented as optional for reading CI results, verify this is necessary for your use case.


Low Priority: Code Quality & Best Practices

  1. Fetch Depth (.github/workflows/claude-code-review.yml:32):

    • fetch-depth: 1 is a shallow clone
    • This may limit Claude's ability to understand full PR context or view commit history
    • Recommendation: Consider fetch-depth: 0 or omitting this parameter (default is full history) to give Claude more context
  2. Commented Code: Both files have extensive commented sections (lines 5-10, 14-18 in claude-code-review.yml; line 43 in claude.yml)

    • These are helpful as documentation/examples
    • Consider if some should be removed or moved to separate documentation to keep files cleaner
    • Alternatively, keep them as they serve as useful inline documentation for future customization
  3. Workflow Naming: The two workflows have similar names (Claude Code and Claude Code Review). Consider more distinctive names like:

    • Claude Code - Interactive and Claude Code - Auto Review
    • Or Claude Assistant and Claude PR Review

🧪 Test Coverage

Issue: No tests are included, but this is expected for workflow files.

Recommendation: After merging, thoroughly test both workflows:

  1. Create a test PR and mention @claude in a comment to verify the interactive workflow
  2. Open a test PR to verify the auto-review workflow triggers correctly
  3. Verify that the CLAUDE_CODE_OAUTH_TOKEN secret is properly configured

⚡ Performance Considerations

  1. API Costs: Claude API calls can add up, especially with auto-review on every PR. Monitor usage carefully.
  2. Workflow Runtime: These workflows depend on external Claude API response times. Consider adding timeout configurations if needed.
  3. Repository Size: DataFusion is a large codebase (~1M+ LOC). Ensure Claude has sufficient context limits for meaningful reviews.

🔒 Security Assessment

Overall security posture is good with these observations:

Strengths:

  • Secrets properly stored as GitHub Actions secrets
  • Minimal required permissions granted
  • Read-only access to repository contents
  • Audit trail via GitHub Actions history

⚠️ Considerations:

  • Verify CLAUDE_CODE_OAUTH_TOKEN is stored in repository secrets before merge
  • The allowed tools in claude-code-review.yml:56 only permit gh commands (good practice)
  • Consider adding tool restrictions to claude.yml as well for consistency

📋 Summary

Overall Assessment: This is a solid PR with good structure and documentation. The main blocker is the missing Apache license headers which must be added before merging.

Action Items:

  1. MUST FIX: Add ASF license headers to both workflow files
  2. 🎯 Strongly Recommend: Add concurrency controls
  3. 💡 Consider: Evaluate whether auto-review should run on all PRs or use filters
  4. 🧪 Post-merge: Thoroughly test both workflows in real scenarios

Once the license headers are added, this will be ready to merge. Great work on the comprehensive documentation and thoughtful workflow design!


Review generated by Claude Code on behalf of the DataFusion community
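A version of the interactive workflow that applies the review's recommendations (concurrency control, write-access gating enforced in the workflow, bounded runtime, full-history checkout, the write scopes Bugbot flagged, and an explicit tool allow-list), as an added example that is not the PR's file or the action's own code. The `claude_code_oauth_token` input name, the OIDC purpose of `id-token: write` and the `pull_request_review_comment` trigger are assumptions; `allowed_tools`, `claude_args` and `additional_permissions` come from the page.

```yaml
# Added example, not the file from this PR. ASF license header omitted here;
# the review above requires it at the top of the committed file.
name: Claude Code - Interactive

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:   # assumed trigger, mirrors issue_comment
    types: [created]

# High Priority item: one active run per PR/issue; a newer mention cancels a stale run.
concurrency:
  group: ${{ github.repository }}-${{ github.event.issue.number || github.event.pull_request.number }}-${{ github.workflow }}
  cancel-in-progress: true

# Least privilege: read code, write only what the bot must post (Bugbot's fix).
permissions:
  contents: read
  pull-requests: write
  issues: write
  id-token: write   # assumed: OIDC token exchange by the action
  actions: read     # lets Claude read CI results on PRs (kept from the PR)

jobs:
  claude:
    # Observation 1: enforce "write access only" in the workflow itself, so a
    # drive-by @claude comment from an unprivileged account never starts a run.
    if: >-
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    timeout-minutes: 30   # Performance item 2: bound runs waiting on the API
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # Low Priority item 1: full history for PR context
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}  # input name assumed
          # Consideration 3: explicit allow-list, same style as the PR description;
          # anything not listed (arbitrary Bash, network tools) stays unavailable.
          allowed_tools: Bash(gh pr comment:*),Bash(gh pr view:*),Bash(gh issue comment:*)
```

The `author_association` check covers comment events only; the auto-review workflow, triggered by `pull_request`, needs a label or paths filter instead, as the review suggests.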
