"Claude Code Review workflow"

Clarifies which permissions are currently used (Contents, Pull Requests, Issues) versus those requested for planned future features (Discussions, Actions, Checks, Workflows).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -9,7 +9,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: oven-sh/setup-bun@v2
         with:
@@ -24,7 +24,7 @@ jobs:
   prettier:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: oven-sh/setup-bun@v1
         with:
@@ -39,7 +39,7 @@ jobs:
   typecheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: oven-sh/setup-bun@v2
         with:

.github/workflows/claude-code-review.yml

@@ -0,0 +1,57 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    # Optional: Only run on specific file changes
+    # paths:
+    #   - "src/**/*.ts"
+    #   - "src/**/*.tsx"
+    #   - "src/**/*.js"
+    #   - "src/**/*.jsx"
+
+jobs:
+  claude-review:
+    # Optional: Filter by PR author
+    # if: |
+    #   github.event.pull_request.user.login == 'external-contributor' ||
+    #   github.event.pull_request.user.login == 'new-developer' ||
+    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number }}
+
+            Please review this pull request and provide feedback on:
+            - Code quality and best practices
+            - Potential bugs or issues
+            - Performance considerations
+            - Security concerns
+            - Test coverage
+
+            Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
+
+            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
+
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
+

.github/workflows/claude-review.yml

@@ -13,7 +13,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

.github/workflows/claude.yml

@@ -23,6 +23,7 @@ jobs:
       pull-requests: read
       issues: read
       id-token: write
+      actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -34,6 +35,16 @@ jobs:
         uses: anthropics/claude-code-action@v1
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          claude_args: |
-            --allowedTools "Bash(bun install),Bash(bun test:*),Bash(bun run format),Bash(bun typecheck)"
-            --model "claude-opus-4-1-20250805"
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+          # prompt: 'Update the pull request description to include a summary of changes.'
+
+          # Optional: Add claude_args to customize behavior and configuration
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+          # claude_args: '--allowed-tools Bash(gh pr:*)'
+

.github/workflows/issue-triage.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/release.yml

@@ -19,7 +19,7 @@ jobs:
       next_version: ${{ steps.next_version.outputs.next_version }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -91,7 +91,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -116,7 +116,7 @@ jobs:
     environment: production
     steps:
       - name: Checkout base-action repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: anthropics/claude-code-base-action
           token: ${{ secrets.CLAUDE_CODE_BASE_ACTION_PAT }}

README.md

@@ -2,69 +2,69 @@
 
 # Claude Code Action
 
-*Fáilte!* Welcome to the friendliest [Claude Code](https://claude.ai/code) action this side of the Atlantic! This grand little action for GitHub PRs and issues is as handy as a pocket on a shirt - answering your questions and implementing code changes like nobody's business. Sure, it's clever enough to know when to jump in based on your workflow context—whether you're giving it a shout with @claude mentions, assigning issues, or running automation tasks with explicit prompts. And wouldn't you know it, it works with multiple authentication methods including Anthropic direct API, Amazon Bedrock, and Google Vertex AI. *Go raibh maith agat* for choosing this action!
+A general-purpose [Claude Code](https://claude.ai/code) action for GitHub PRs and issues that can answer questions and implement code changes. This action intelligently detects when to activate based on your workflow context—whether responding to @claude mentions, issue assignments, or executing automation tasks with explicit prompts. It supports multiple authentication methods including Anthropic direct API, Amazon Bedrock, and Google Vertex AI.
 
-## What Makes This Action Pure Class
+## Features
 
-- 🎯 **Smart as a Whip**: Automatically picks the right execution mode based on your workflow context—no faffing about with configuration needed, *fair play*!
-- 🤖 **Your Grand Code Companion**: Claude's a dab hand at answering questions about code, architecture, and programming - like having a wise old uncle who knows his stuff
-- 🔍 **Eagle-Eyed Code Review**: Takes a gander at your PR changes and suggests improvements that'd make your mammy proud
-- ✨ **Code Implementation Wizard**: Can implement simple fixes, refactoring, and even new features faster than you can say "sláinte"
-- 💬 **Smooth as Butter Integration**: Works like a dream with GitHub comments and PR reviews
-- 🛠️ **Handy Tool Access**: Gets at GitHub APIs and file operations (sure, you can enable more tools if you fancy)
-- 📋 **Keeps You in the Loop**: Visual progress indicators with checkboxes that update as Claude gets the job done
-- 🏃 **Runs on Your Own Turf**: The action runs entirely on your own GitHub runner (Anthropic API calls go where you tell them to)
-- ⚙️ **Dead Simple Setup**: Unified `prompt` and `claude_args` inputs make configuration as easy as Sunday morning
+- 🎯 **Intelligent Mode Detection**: Automatically selects the appropriate execution mode based on your workflow context—no configuration needed
+- 🤖 **Interactive Code Assistant**: Claude can answer questions about code, architecture, and programming
+- 🔍 **Code Review**: Analyzes PR changes and suggests improvements
+- ✨ **Code Implementation**: Can implement simple fixes, refactoring, and even new features
+- 💬 **PR/Issue Integration**: Works seamlessly with GitHub comments and PR reviews
+- 🛠️ **Flexible Tool Access**: Access to GitHub APIs and file operations (additional tools can be enabled via configuration)
+- 📋 **Progress Tracking**: Visual progress indicators with checkboxes that dynamically update as Claude completes tasks
+- 🏃 **Runs on Your Infrastructure**: The action executes entirely on your own GitHub runner (Anthropic API calls go to your chosen provider)
+- ⚙️ **Simplified Configuration**: Unified `prompt` and `claude_args` inputs provide clean, powerful configuration aligned with Claude Code SDK
 
-## 📦 Moving Up from v0.x, Are Ya?
+## 📦 Upgrading from v0.x?
 
-**Have a look at our [Migration Guide](./docs/migration-guide.md)** for step-by-step instructions on updating your workflows to v1.0. The new version makes configuration a doddle while keeping things working with most existing setups - *Bob's your uncle!*
+**See our [Migration Guide](./docs/migration-guide.md)** for step-by-step instructions on updating your workflows to v1.0. The new version simplifies configuration while maintaining compatibility with most existing setups.
 
-## Getting Started (It's Grand, Really!)
+## Quickstart
 
-The handiest way to set up this action is through [Claude Code](https://claude.ai/code) in the terminal. Just fire up `claude` and run `/install-github-app`.
+The easiest way to set up this action is through [Claude Code](https://claude.ai/code) in the terminal. Just open `claude` and run `/install-github-app`.
 
-This command will walk you through setting up the GitHub app and required secrets - sure it's as easy as boiling water!
+This command will guide you through setting up the GitHub app and required secrets.
 
-**Mind yourself now**:
+**Note**:
 
-- You'll need to be a repository admin to install the GitHub app and add secrets (*no getting around that one*)
-- This quickstart method is only for direct Anthropic API users. If you're using AWS Bedrock or Google Vertex AI, pop over to [docs/cloud-providers.md](./docs/cloud-providers.md) - they'll sort you right out.
+- You must be a repository admin to install the GitHub app and add secrets
+- This quickstart method is only available for direct Anthropic API users. For AWS Bedrock or Google Vertex AI setup, see [docs/cloud-providers.md](./docs/cloud-providers.md).
 
-## 📚 Brilliant Solutions & Ways to Use This Craic
+## 📚 Solutions & Use Cases
 
-Looking for specific automation patterns, are ya? Check our **[Solutions Guide](./docs/solutions.md)** - it's packed with complete working examples that'll have you sorted:
+Looking for specific automation patterns? Check our **[Solutions Guide](./docs/solutions.md)** for complete working examples including:
 
-- **🔍 Automatic PR Code Review** - Full review automation that's the bee's knees
-- **📂 Path-Specific Reviews** - Triggers when critical files change (sharp as a tack!)
-- **👥 External Contributor Reviews** - Special handling for new contributors (*céad míle fáilte* to them!)
-- **📝 Custom Review Checklists** - Keep your team standards tight as a drum
-- **🔄 Scheduled Maintenance** - Automated repository health checks that never sleep
-- **🏷️ Issue Triage & Labeling** - Automatic categorization faster than you can say "Tánaiste"
-- **📖 Documentation Sync** - Keeps docs updated with code changes like clockwork
-- **🔒 Security-Focused Reviews** - OWASP-aligned security analysis that's sound as a pound
+- **🔍 Automatic PR Code Review** - Full review automation
+- **📂 Path-Specific Reviews** - Trigger on critical file changes
+- **👥 External Contributor Reviews** - Special handling for new contributors
+- **📝 Custom Review Checklists** - Enforce team standards
+- **🔄 Scheduled Maintenance** - Automated repository health checks
+- **🏷️ Issue Triage & Labeling** - Automatic categorization
+- **📖 Documentation Sync** - Keep docs updated with code changes
+- **🔒 Security-Focused Reviews** - OWASP-aligned security analysis
 - **📊 DIY Progress Tracking** - Create tracking comments in automation mode
 
-Each solution comes with the full shebang - working examples, configuration details, and what you can expect. *Níl aon tinteán mar do thinteán féin* (there's no place like home), and these solutions will make your repository feel just like that!
+Each solution includes complete working examples, configuration details, and expected outcomes.
 
-## The Full Library (Everything You Need to Know!)
+## Documentation
 
-- **[Solutions Guide](./docs/solutions.md)** - **🎯 Ready-to-use automation patterns that'll knock your socks off**
-- **[Migration Guide](./docs/migration-guide.md)** - **⭐ Moving from v0.x to v1.0 without breaking a sweat**
-- [Setup Guide](./docs/setup.md) - Manual setup, custom GitHub apps, and security best practices (*sure, we've got you covered*)
-- [Usage Guide](./docs/usage.md) - Basic usage, workflow configuration, and input parameters - the bread and butter stuff
-- [Custom Automations](./docs/custom-automations.md) - Examples of automated workflows and custom prompts that'll make your life easier
-- [Configuration](./docs/configuration.md) - MCP servers, permissions, environment variables, and all the fancy advanced settings
-- [Experimental Features](./docs/experimental.md) - Execution modes and network restrictions for the adventurous types
-- [Cloud Providers](./docs/cloud-providers.md) - AWS Bedrock and Google Vertex AI setup (*for those who like their clouds with a bit of style*)
-- [Capabilities & Limitations](./docs/capabilities-and-limitations.md) - What Claude can and cannot do (we're keeping it real here)
-- [Security](./docs/security.md) - Access control, permissions, and commit signing (*safe as houses*)
-- [FAQ](./docs/faq.md) - Common questions and troubleshooting for when things go a bit sideways
+- **[Solutions Guide](./docs/solutions.md)** - **🎯 Ready-to-use automation patterns**
+- **[Migration Guide](./docs/migration-guide.md)** - **⭐ Upgrading from v0.x to v1.0**
+- [Setup Guide](./docs/setup.md) - Manual setup, custom GitHub apps, and security best practices
+- [Usage Guide](./docs/usage.md) - Basic usage, workflow configuration, and input parameters
+- [Custom Automations](./docs/custom-automations.md) - Examples of automated workflows and custom prompts
+- [Configuration](./docs/configuration.md) - MCP servers, permissions, environment variables, and advanced settings
+- [Experimental Features](./docs/experimental.md) - Execution modes and network restrictions
+- [Cloud Providers](./docs/cloud-providers.md) - AWS Bedrock and Google Vertex AI setup
+- [Capabilities & Limitations](./docs/capabilities-and-limitations.md) - What Claude can and cannot do
+- [Security](./docs/security.md) - Access control, permissions, and commit signing
+- [FAQ](./docs/faq.md) - Common questions and troubleshooting
 
-## 📚 Questions? We've Got Answers!
+## 📚 FAQ
 
-Having a bit of trouble or just curious about something? Take a gander at our [Frequently Asked Questions](./docs/faq.md) for solutions to common problems and detailed explanations of Claude's capabilities and limitations. Sure, we've probably answered it already - *great minds think alike!*
+Having issues or questions? Check out our [Frequently Asked Questions](./docs/faq.md) for solutions to common problems and detailed explanations of Claude's capabilities and limitations.
 
 ## License
 
-This project is licensed under the MIT License—see the LICENSE file for all the legal bits and bobs. *Slán go fóill!* (goodbye for now!)
+This project is licensed under the MIT License—see the LICENSE file for details.

action.yml

@@ -177,7 +177,7 @@ runs:
         # Install Claude Code if no custom executable is provided
         if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
           echo "Installing Claude Code..."
-          curl -fsSL https://claude.ai/install.sh | bash -s 2.0.10
+          curl -fsSL https://claude.ai/install.sh | bash -s 2.0.24
           echo "$HOME/.local/bin" >> "$GITHUB_PATH"
         else
           echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"

base-action/README.md

@@ -336,7 +336,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

base-action/action.yml

@@ -99,7 +99,7 @@ runs:
       run: |
         if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
           echo "Installing Claude Code..."
-          curl -fsSL https://claude.ai/install.sh | bash -s 2.0.10
+          curl -fsSL https://claude.ai/install.sh | bash -s 2.0.24
         else
           echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
           # Add the directory containing the custom executable to PATH

base-action/examples/issue-triage.yml

@@ -32,7 +32,7 @@ jobs:
                   "--rm",
                   "-e",
                   "GITHUB_PERSONAL_ACCESS_TOKEN",
-                  "ghcr.io/github/github-mcp-server:sha-7aced2b"
+                  "ghcr.io/github/github-mcp-server:sha-23fa0dd"
                 ],
                 "env": {
                   "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}"

docs/faq.md

@@ -127,7 +127,7 @@ For performance, Claude uses shallow clones:
 If you need full history, you can configure this in your workflow before calling Claude in the `actions/checkout` step.
 
 ```
-- uses: actions/checkout@v4
+- uses: actions/checkout@v5
   depth: 0 # will fetch full repo history
 ```
 

docs/security.md

@@ -19,11 +19,22 @@
 
 ## GitHub App Permissions
 
-The [Claude Code GitHub app](https://github.com/apps/claude) requires these permissions:
+The [Claude Code GitHub app](https://github.com/apps/claude) requests the following permissions:
 
-- **Pull Requests**: Read and write to create PRs and push changes
-- **Issues**: Read and write to respond to issues
-- **Contents**: Read and write to modify repository files
+### Currently Used Permissions
+
+- **Contents** (Read & Write): For reading repository files and creating branches
+- **Pull Requests** (Read & Write): For reading PR data and creating/updating pull requests
+- **Issues** (Read & Write): For reading issue data and updating issue comments
+
+### Permissions for Future Features
+
+The following permissions are requested but not yet actively used. These will enable planned features in future releases:
+
+- **Discussions** (Read & Write): For interaction with GitHub Discussions
+- **Actions** (Read): For accessing workflow run data and logs
+- **Checks** (Read): For reading check run results
+- **Workflows** (Read & Write): For triggering and managing GitHub Actions workflows
 
 ## Commit Signing
 

docs/solutions.md

@@ -35,7 +35,7 @@ jobs:
       pull-requests: write
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
@@ -89,7 +89,7 @@ jobs:
       pull-requests: write
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
@@ -153,7 +153,7 @@ jobs:
       pull-requests: write
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
@@ -211,7 +211,7 @@ jobs:
       pull-requests: write
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
@@ -268,7 +268,7 @@ jobs:
       pull-requests: write
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
@@ -344,7 +344,7 @@ jobs:
       pull-requests: write
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -456,7 +456,7 @@ jobs:
       pull-requests: write
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 0
@@ -513,7 +513,7 @@ jobs:
       security-events: write
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

examples/ci-failure-auto-fix.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.event.workflow_run.head_branch }}
           fetch-depth: 0

examples/claude.yml

@@ -26,7 +26,7 @@ jobs:
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

examples/issue-deduplication.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

examples/issue-triage.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

examples/manual-code-analysis.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 2 # Need at least 2 commits to analyze the latest
 

examples/pr-review-comprehensive.yml

@@ -16,7 +16,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

examples/pr-review-filtered-authors.yml

@@ -18,7 +18,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

examples/pr-review-filtered-paths.yml

@@ -19,7 +19,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

src/mcp/install-mcp-server.ts

@@ -209,7 +209,7 @@ export async function prepareMcpConfig(
           "GITHUB_PERSONAL_ACCESS_TOKEN",
           "-e",
           "GITHUB_HOST",
-          "ghcr.io/github/github-mcp-server:sha-efef8ae", // https://github.com/github/github-mcp-server/releases/tag/v0.9.0
+          "ghcr.io/github/github-mcp-server:sha-23fa0dd", // https://github.com/github/github-mcp-server/releases/tag/v0.17.1
         ],
         env: {
           GITHUB_PERSONAL_ACCESS_TOKEN: githubToken,