claude code + github actions CI/CD
Table of content
by Ray Svitla
Anthropic shipped an official GitHub Action for Claude Code. it’s called claude-code-action and it lets Claude review PRs, respond to comments, and even push code changes — all triggered by GitHub events.
I’ve been running it on three repos for two months. here’s what I’ve learned, including the parts the docs gloss over.
the fast setup
the easiest path: open Claude Code locally and run /install-github-app. it walks you through installing the GitHub App, setting secrets, and creating workflow files. takes about five minutes if nothing goes wrong.
if you prefer manual setup, you need two things:
- an
ANTHROPIC_API_KEYin your repo’s secrets - a workflow file in
.github/workflows/
minimal workflow for PR review:
name: claude-review
on:
pull_request:
types: [opened, synchronize]
issue_comment:
types: [created]
jobs:
review:
if: |
github.event_name == 'pull_request' ||
(github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude'))
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
issues: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
that’s it. Claude reviews every new PR and responds when someone comments @claude on a PR.
what it actually does
on PR open, Claude reads the diff, understands the context, and posts a review. not a line-by-line nitpick — a structured review that covers logic issues, potential bugs, style inconsistencies, and missing test coverage.
the @claude trigger is more interesting. you can ask Claude to do things in the PR conversation:
- “@claude can you refactor this function to use early returns?”
- “@claude write tests for the new endpoint”
- “@claude explain why this migration is safe”
Claude reads the conversation context, makes changes if needed, and pushes commits directly to the PR branch. watching an AI push commits to your PR from a GitHub comment is initially terrifying and eventually addictive.
the CLAUDE.md connection
Claude Code in GitHub Actions reads your repo’s CLAUDE.md file. this means your coding standards, project conventions, and review criteria carry over to automated reviews.
this is where most people underperform. they set up the action but leave their CLAUDE.md generic. a CLAUDE.md that says “follow best practices” produces reviews that say “looks good.” a CLAUDE.md that says “every async function needs error boundaries, use zod for validation, no default exports” produces reviews that catch real issues.
invest thirty minutes in your CLAUDE.md before enabling the action. the ROI is absurd.
custom workflows beyond review
PR review is the obvious use case, but the action supports arbitrary Claude Code tasks. some workflows I’ve seen work well:
auto-labeling PRs. Claude reads the diff, determines which areas of the codebase are affected, and applies labels. faster and more consistent than humans remembering to label things.
changelog generation. on release branches, Claude reads all merged PRs since the last tag and generates a human-readable changelog. the output needs light editing but beats writing changelogs manually.
documentation checks. Claude compares code changes against docs in the same repo. if you changed an API endpoint but didn’t update the docs, it flags it. the staleness police nobody asked for but everyone needs.
dependency review. on PRs that touch package files, Claude analyzes what changed and flags known issues, breaking changes, or security advisories. not a replacement for Dependabot but a useful supplement.
the gotchas
cost. every PR review costs API tokens. for active repos with many PRs, this adds up. set up filters — maybe only review PRs targeting main, or PRs over a certain size. reviewing a one-line typo fix wastes money.
rate limits. if your CI runs many jobs concurrently, you’ll hit API rate limits. stagger your workflows or use a queue.
context limits. huge PRs (500+ files changed) exceed Claude’s context window. the action handles this gracefully — it reviews what fits — but the review quality degrades on massive diffs. break up large PRs. you should be doing this anyway.
false confidence. the most dangerous failure mode. Claude posts a confident review that misses a critical bug. it happens. automated review supplements human review; it doesn’t replace it. if you remove human reviewers because “Claude handles it,” you will regret this.
the workflow I actually run
# only review non-trivial PRs to main
on:
pull_request:
branches: [main]
types: [opened, synchronize]
plus a CLAUDE.md section specifically for CI review:
## ci review priorities
1. security: auth checks, input validation, secret handling
2. correctness: logic errors, edge cases, error handling
3. tests: new code should have tests, changed code should update tests
4. skip: formatting, naming bikesheds, import ordering
telling Claude what to skip is as important as telling it what to check. otherwise you get reviews that are 80% style nitpicks and 20% substance.
what’s your biggest frustration with code review right now — the review itself, or getting people to do it?
→ CLAUDE.md guide — make your instruction file work harder → ai code review patterns — deeper review strategies → claude code setup — local setup first
Ray Svitla stay evolving