@ihrpr ihrpr commented Jul 9, 2025

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
    allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code documentation.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

github-actions bot commented Jul 9, 2025

🎭 Playwright E2E Test Results

✅  12 passed

Details

12 tests across 1 suite
 20.6 seconds
 7667e56
ℹ️  Test Environment: Ubuntu Latest, Node.js v22.17.0
Browsers: Chromium, Firefox

📊 View Detailed HTML Report (download artifacts)

@modelcontextprotocol modelcontextprotocol deleted a comment from claude bot Jul 10, 2025
@ihrpr ihrpr changed the title from "[draft] Add Claude Code GitHub Workflow" to "Add Claude Code GitHub Workflow" Jul 10, 2025
) &&
(
github.actor == 'ihrpr' ||
github.actor == 'olaservo'
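Review bot: the `github.actor == 'ihrpr' || github.actor == 'olaservo'` allowlist hard-codes two logins inside the `if` expression, and nothing in the lines shown says why or for how long. Add a YAML comment above the condition stating that this is a temporary test-phase restriction and what condition is meant to replace it, so the list is not mistaken for the permanent access policy or left stale when maintainers change.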
Contributor Author

setting only two people so we can test prompt etc and tweak the parameters

@ihrpr ihrpr marked this pull request as ready for review July 10, 2025 10:46
@felixweinberger felixweinberger left a comment

Looking forward to seeing this in action!

@ihrpr ihrpr merged commit 38bead3 into main Jul 10, 2025
10 checks passed
@ihrpr ihrpr deleted the add-claude-github-actions-1752061634011 branch July 10, 2025 10:53
ihrpr commented Jul 10, 2025

@claude review this PR

claude bot commented Jul 10, 2025

Claude finished @ihrpr's task —— View job • claude/pr-593-20250710_133232 • [Create PR ➔](https://github.com/modelcontextprotocol/inspector/compare/main...claude/pr-593-20250710_133232?quick_pull=1&title=PR%20%23593%3A%20Changes%20from%20Claude&body=This%20PR%20addresses%20pr%20%23593%0A%0AGenerated%20with%20%5BClaude%20Code%5D(https%3A%2F%2Fclaude.ai%2Fcode))


PR Review: Claude Code GitHub Workflow

I've reviewed the Claude Code workflow implementation. Here's my comprehensive analysis:

Review Tasks:

  • Read the Claude Code workflow file to understand the implementation
  • Analyze security aspects and permissions in the workflow
  • Check for GitHub Actions best practices and potential improvements
  • Provide comprehensive review feedback in GitHub comment

🔍 Review Summary

This PR adds a well-structured Claude Code GitHub Actions workflow with good security practices and proper permission scoping.

Strengths

Security:

  • Proper permission scoping (.github/workflows/claude.yml:27-31): Uses minimal required permissions (contents: read, pull-requests: read, issues: read, id-token: write)
  • Restricted actor access (.github/workflows/claude.yml:23-25): Only ihrpr and olaservo can trigger the workflow, reducing attack surface
  • Secure secret management: API key properly stored as secrets.ANTHROPIC_API_KEY
  • Official action usage: Uses the verified anthropics/claude-code-action@beta

Best Practices:

  • Comprehensive trigger conditions (.github/workflows/claude.yml:15-20): Handles all relevant GitHub events (issue comments, PR reviews, issue creation)
  • Efficient checkout (.github/workflows/claude.yml:36): Uses fetch-depth: 1 for performance
  • Good documentation: Extensive comments explaining optional parameters (lines 44-64)
  • Standard runner: Uses ubuntu-latest which is well-maintained

⚠️ Areas for Improvement

Stability & Versioning:

  • Beta version risk (.github/workflows/claude.yml:40): Using @beta may introduce instability. Consider pinning to a specific version once stable releases are available.

Scalability:

  • Limited user access (.github/workflows/claude.yml:23-25): Only 2 users can trigger Claude. Consider expanding to repository collaborators or team members as the workflow proves stable.

Configuration:

  • Missing timeout: No timeout-minutes specified. Consider adding a reasonable timeout (e.g., 30-60 minutes) to prevent runaway jobs.
  • Unused optional features: Several useful options are commented out:
    • allowed_tools (.github/workflows/claude.yml:54): Could enable specific npm commands for this project
    • custom_instructions (.github/workflows/claude.yml:57-60): Could include TypeScript and project-specific guidelines

📋 Recommendations

  1. Add job timeout:

    jobs:
      claude:
        timeout-minutes: 60

  2. Consider enabling project-specific tools:

    allowed_tools: "Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)"

  3. Add custom instructions based on CLAUDE.md content:

    custom_instructions: |
      Follow TypeScript best practices
      Use React functional components with hooks
      Run npm run prettier-fix for formatting
      Follow existing naming conventions

  4. Future consideration: Expand user access once the workflow is proven stable in production.

🎯 Overall Assessment

This is a solid implementation that prioritizes security and follows GitHub Actions best practices. The workflow is ready for production use with the current restricted access model for testing. The commented examples provide clear guidance for future customization.

Status: ✅ Approved - Well-implemented with good security practices. The suggestions above are enhancements rather than required changes.


@felixweinberger

@claude can you review the comments on this PR and evaluate critically whether the recommended changes are good?

@cliffhall

> @claude can you review the comments on this PR and evaluate critically whether the recommended changes are good?

Good test of whether only @olaservo and @ihrpr can invoke it at the moment. Seems locked down.
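
The gate discussed in this thread, as an added sketch that is not the repository's workflow file: it combines the `github.actor` allowlist from the diff with the permissions, checkout depth and job timeout named in the review comment. The workflow name, the choice of two comment events, the `actions/checkout@v4` pin and the `anthropic_api_key` input name are assumptions, not taken from the PR.

```yaml
# Added sketch; NOT the contents of .github/workflows/claude.yml in this repo.
name: Claude Code (gated)   # assumed name

on:
  # Assumption: only the two comment events, so github.event.comment.body
  # is always defined in the condition below.
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

jobs:
  claude:
    # Gate 1: the comment must mention the agent.
    # Gate 2: the login that triggered the event must be on the allowlist
    #         shown in the diff. Temporary while prompts are being tuned.
    if: |
      contains(github.event.comment.body, '@claude') &&
      (
        github.actor == 'ihrpr' ||
        github.actor == 'olaservo'
      )
    runs-on: ubuntu-latest
    # Bound the run so an agent job cannot consume runner time indefinitely.
    timeout-minutes: 60
    # Token scope for this job, as listed in the review comment.
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - uses: actions/checkout@v4        # assumed version pin
        with:
          fetch-depth: 1                 # shallow clone, as in the review
      - uses: anthropics/claude-code-action@beta
        with:
          # Key comes from the repository secret named in the PR description.
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```

With this condition, a mention from any other login leaves the job skipped rather than started, so the API key and the job token are never exposed to that run.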
