
Wire Claude Into Your PR Pipeline: The Official claude-code-action Gets You Reviews in 10 Lines of YAML
Chris Harper
Jul 5, 2026 · 12:06 UTC
TL;DR: Anthropic's official claude-code-action@v1 runs a full Claude Code agent in your GitHub Actions runner — 10 lines of YAML, then mention @claude in any PR comment to trigger an agent task.
anthropics/claude-code-action is Anthropic's official GitHub Action, built on the Agent SDK, that turns a standard GitHub Actions runner into a Claude Code session. It works in two modes: interactive (responds to @claude mentions in PR comments, issues, or review threads) and automation (runs on a schedule or trigger with a fixed prompt, no mention needed).
Setup: the fast path
Open Claude Code in your terminal and run /install-github-app. The command walks through adding the GitHub App and the ANTHROPIC_API_KEY secret to your repo. Or set it up manually:
1. Add ANTHROPIC_API_KEY to your repo secrets.
2. Create .github/workflows/claude.yml:
```yaml
name: Claude Code
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
jobs:
  claude:
    if: contains(github.event.comment.body, '@claude')
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: write
      pull-requests: write
      issues: read
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```
That's the full setup. Now any PR reviewer can type @claude check this for SQL injection and Claude runs the full analysis, posts findings as a review comment, and optionally pushes a fix.
What you can ask in a comment
@claude review this PR for security issues
@claude add type hints to the functions changed in this diff
@claude explain why this algorithm is O(n²) and suggest an improvement
Claude reads the full diff, the repo content, and your CLAUDE.md — same context as a local session.
Automation mode
Replace the trigger with schedule or push and set prompt: directly in the YAML for hands-off automation — security scans on every push, dependency audits on merge, test coverage checks nightly.
```yaml
- uses: anthropics/claude-code-action@v1
  with:
    prompt: "Review the diff for security issues and post a summary comment on the PR."
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```
Three things to configure before you go live
Cost: Each @claude invocation is a full Claude Code session billed against your API key. The timeout-minutes: 10 in the example above caps runaway sessions — always include it.
Fork security: pull_request_review_comment events from forked PRs cannot access secrets by default — that's the safe path. Use pull_request_target only after reading GitHub's security hardening guide.
Permissions: contents: write + pull-requests: write lets Claude push commits and post reviews. Scope to what you actually need.
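The three settings above applied to the article's claude.yml, as an added example (not Anthropic's or the author's configuration). It assumes a review-only use case, so contents is read-only, and an assumed trust policy that only owners, members and collaborators may start a session, because issue_comment workflows run in the base repository's context with its secrets whoever wrote the comment. The workflow name, the concurrency group name and the association list are choices made for this example.

```yaml
# Added example: hardened variant of the article's claude.yml.
name: Claude Code (review only)
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

# Workflow-level default: the GITHUB_TOKEN gets no scopes unless a job asks.
permissions: {}

jobs:
  claude:
    # Run only when the comment mentions @claude AND the commenter is an
    # owner, org member or collaborator (assumed trust policy).
    if: >-
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
      github.event.comment.author_association)
    runs-on: ubuntu-latest
    timeout-minutes: 10            # cost cap from the article
    concurrency:
      # One running session per issue or PR; later mentions wait their turn.
      group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
      cancel-in-progress: false
    permissions:
      contents: read               # can read the repo, cannot push commits
      pull-requests: write         # can post review comments
      issues: read
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```

Switch contents back to write only if Claude is meant to push fixes, and keep the author_association gate when you do.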
Sources: Claude Code GitHub Actions — Claude Code Docs | anthropics/claude-code-action — GitHub | claude-code-action — GitHub Marketplace | Securing CI/CD in an agentic world — Microsoft Security Blog