Wire Claude Into Your PR Pipeline: The Official claude-code-action Gets You Reviews in 10 Lines of YAML

Chris Harper

Jul 5, 2026 · 12:06 UTC

TL;DR: Anthropic's official claude-code-action@v1 runs a full Claude Code agent in your GitHub Actions runner — 10 lines of YAML, then mention @claude in any PR comment to trigger an agent task.

anthropics/claude-code-action is Anthropic's official GitHub Action, built on the Agent SDK, that turns a standard GitHub Actions runner into a Claude Code session. It works in two modes: interactive (responds to @claude mentions in PR comments, issues, or review threads) and automation (runs on a schedule or trigger with a fixed prompt, no mention needed).

Setup: the fast path

Open Claude Code in your terminal and run /install-github-app. The command walks through adding the GitHub App and the ANTHROPIC_API_KEY secret to your repo. Or set it up manually:

1. Add ANTHROPIC_API_KEY to your repo secrets.
2. Create .github/workflows/claude.yml:

name: Claude Code
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

jobs:
  claude:
    if: contains(github.event.comment.body, '@claude')
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: write
      pull-requests: write
      issues: read
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

That's the full setup. Now any PR reviewer can type @claude check this for SQL injection and Claude runs the full analysis, posts findings as a review comment, and optionally pushes a fix.

What you can ask in a comment

  • @claude review this PR for security issues
  • @claude add type hints to the functions changed in this diff
  • @claude explain why this algorithm is O(n²) and suggest an improvement

Claude reads the full diff, the repo content, and your CLAUDE.md — same context as a local session.

Automation mode

Replace the trigger with schedule or push and set prompt: directly in the YAML for hands-off automation — security scans on every push, dependency audits on merge, test coverage checks nightly.

- uses: anthropics/claude-code-action@v1
  with:
    prompt: "Review the diff for security issues and post a summary comment on the PR."
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

Three things to configure before you go live

Cost: Each @claude invocation is a full Claude Code session billed against your API key. The timeout-minutes: 10 in the example above caps runaway sessions — always include it.

Fork security: pull_request_review_comment events from forked PRs cannot access secrets by default — that's the safe path. Use pull_request_target only after reading GitHub's security hardening guide.

Permissions: contents: write + pull-requests: write lets Claude push commits and post reviews. Scope to what you actually need.
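
The three settings above combined into one review-only variant of claude.yml, as an added example that is not from the original article or from Anthropic's documentation. It assumes Claude only needs to post review comments (so contents can drop to read) and that only commenters with OWNER, MEMBER or COLLABORATOR association should be able to start a session; the association gate is there because issue_comment runs use the default-branch workflow with repository secrets available, whoever wrote the comment.

```yaml
# Added example: review-only variant of the claude.yml workflow shown earlier.
# The workflow name and the list of trusted associations are assumptions.
name: Claude Code (review only)
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

jobs:
  claude:
    # Fork security: require the @claude mention AND a trusted commenter.
    # author_association is set by GitHub in the comment payload, so a
    # drive-by commenter (NONE, FIRST_TIME_CONTRIBUTOR, ...) never reaches
    # the step that receives the API key.
    if: >-
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    # Cost: hard cap on a single session.
    timeout-minutes: 10
    # Permissions: anything not listed here is set to none for GITHUB_TOKEN.
    permissions:
      contents: read        # no pushes; Claude cannot commit a fix
      pull-requests: write  # post review comments
      issues: read
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```

Switch contents back to write only for repositories where you want Claude to push commits, and keep the association gate in place when you do.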

Sources: Claude Code GitHub Actions — Claude Code Docs | anthropics/claude-code-action — GitHub | claude-code-action — GitHub Marketplace | Securing CI/CD in an agentic world — Microsoft Security Blog