Add workflows for Claude Code#665

Merged
Planeshifter merged 2 commits into main from philipp/add-claude-code
Jun 18, 2025

Conversation

@Planeshifter
Member

This PR

  • adds workflows to enable automatic code reviews via Claude Code and ability to assign it tasks on PRs.

@Planeshifter Planeshifter enabled auto-merge (squash) June 18, 2025 17:18
@claude

claude bot commented Jun 18, 2025

Claude finished @Planeshifter's task


PR Review: Add workflows for Claude Code

Todo List:

  • Read repository guidelines (CLAUDE.md) - No CLAUDE.md file found
  • Review .github/workflows/claude-auto-review.yml
  • Review .github/workflows/claude.yml
  • Analyze security implications and permissions
  • Evaluate existing review comments about permissions
  • Provide comprehensive review feedback

Review Feedback

🔒 Critical: Permissions Issue

Graphite-app's review comment is correct. Both workflows require write permissions to function properly:

.github/workflows/claude-auto-review.yml:25 and .github/workflows/claude.yml:25

permissions:
  contents: read
  pull-requests: write  # ← Required for posting comments/reviews
  issues: write         # ← Required for responding to issues  
  id-token: write

The auto-review workflow specifically includes allowed_tools for PR review creation (line 37) but lacks the permissions to execute them. Without write permissions, Claude can read content but cannot post responses.

🔐 Security Concerns

  1. Unpinned Action Version (.github/workflows/claude-auto-review.yml:21, .github/workflows/claude.yml:34):
    uses: anthropics/claude-code-action@beta  # ← Security risk
    Issue: Using @beta instead of a pinned version/SHA introduces supply chain security risks.
    Recommendation: Pin to a specific version or SHA once available, consistent with how other actions are pinned (e.g., checkout@11bd71901bbe5b1630ceea73d27597364c9af683).

🛠️ Configuration Issues

  1. Missing allowed_tools (.github/workflows/claude.yml:34):
    The main Claude workflow lacks allowed_tools specification, limiting functionality. Consider adding appropriate tools based on intended use cases.

  2. Inflexible Auto-Review Prompt (.github/workflows/claude-auto-review.yml:25-36):
    The hardcoded prompt is very specific. Consider if this level of detail should be configurable or if a more generic prompt would be better.

Positive Aspects

  • Good trigger conditions: Both workflows have appropriate event triggers
  • Proper secret handling: Uses secrets.ANTHROPIC_API_KEY correctly
  • Consistent action versioning: Uses same pinned SHA for checkout action as other workflows
  • Reasonable timeout: 60-minute timeout for auto-review is appropriate

🔧 Recommendations

  1. Immediate: Update permissions as suggested by graphite-app
  2. Security: Pin claude-code-action to specific version when available
  3. Consider: Adding allowed_tools to main Claude workflow based on intended functionality
  4. Optional: Make auto-review prompt more configurable if needed

The workflows are well-structured overall but need the permissions fix to function correctly.
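The two findings in the bot review above (an action referenced by the mutable `@beta` tag rather than a commit SHA, and a `permissions:` block without the `pull-requests`/`issues` write scopes) can be caught before merge with a small workflow linter; the following is an added example, not code from this PR or its repository. The sample workflow it scans is constructed to mirror the review's findings, and the line-oriented parsing assumes the one-key-per-line layout GitHub workflow files normally use rather than a full YAML parser.

```python
"""Flag mutable action refs (e.g. @beta) and missing write scopes in a workflow."""
import re

# `uses: owner/repo[/path]@ref`, optionally as a list item; captures action and ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
# `scope: read|write|none` entries inside a `permissions:` mapping.
PERM_LINE_RE = re.compile(r"^(\s*)([\w-]+):\s*(read|write|none)\s*(#.*)?$")

def find_unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA;
    local (./path) and docker:// references carry no @ref and are skipped."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not re.fullmatch(r"[0-9a-f]{40}", m.group(2)):
            findings.append((m.group(1), m.group(2)))
    return findings

def read_permissions(workflow_text):
    """Scope -> level from every `permissions:` mapping; job-level entries override
    top-level ones, as in GitHub Actions. Assumes one key per line (no read-all)."""
    perms, block_indent = {}, None
    for line in workflow_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("permissions:"):
            block_indent = len(line) - len(line.lstrip())
            continue
        if block_indent is None or not stripped or stripped.startswith("#"):
            continue
        m = PERM_LINE_RE.match(line)
        if m and len(m.group(1)) > block_indent:
            perms[m.group(2)] = m.group(3)
        else:
            block_indent = None  # indentation dropped back: we left the mapping
    return perms

def missing_write_scopes(workflow_text, required=("pull-requests", "issues")):
    """Scopes in `required` not granted `write`; an empty list means the job can post."""
    perms = read_permissions(workflow_text)
    return [scope for scope in required if perms.get(scope) != "write"]

# Constructed sample mirroring the review's findings, not the PR's actual file.
SAMPLE_WORKFLOW = """\
permissions:
  contents: read
  id-token: write
jobs:
  review:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: anthropics/claude-code-action@beta
"""
```

Running the three functions over `SAMPLE_WORKFLOW` reports `claude-code-action@beta` as unpinned and `pull-requests` and `issues` as missing, while the pinned `checkout` step passes.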

Co-authored-by: graphite-app[bot] <96075541+graphite-app[bot]@users.noreply.github.com>
Signed-off-by: Philipp Burckhardt <pburckhardt@outlook.com>
@Planeshifter Planeshifter requested review from jdalton and pvdz June 18, 2025 17:23
@Planeshifter Planeshifter merged commit e78fa17 into main Jun 18, 2025
5 checks passed
@Planeshifter Planeshifter deleted the philipp/add-claude-code branch June 18, 2025 17:31
