claude-code-action/.github/workflows/claude.yml

name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
  pull_request_review:
    types: [submitted]

jobs:
  claude:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Setup Network Restrictions
        if: ${{ vars.DISABLE_NETWORK_RESTRICTIONS != 'true' }}
        run: |
          # Install and configure Squid proxy
          sudo apt-get update && sudo apt-get install -y squid

          # Create whitelist for allowed domains
          cat > /tmp/whitelist.txt << 'EOF'
          # Claude API
          .anthropic.com

          # GitHub (covers github.com, api.github.com, gist.github.com, etc.)
          .github.com

          # GitHub raw content and user uploads
          .githubusercontent.com

          # GitHub Container Registry
          ghcr.io

          # Package registries
          registry.npmjs.org
          bun.sh

          # Azure storage for GitHub Actions cache
          .blob.core.windows.net
          EOF

          # Configure Squid
          sudo tee /etc/squid/squid.conf << 'EOF'
          http_port 127.0.0.1:3128
          acl whitelist dstdomain "/tmp/whitelist.txt"
          acl localhost src 127.0.0.1/32
          http_access allow localhost whitelist
          http_access deny all
          cache deny all
          EOF

          # Stop any existing squid instance and start with our config
          sudo squid -k shutdown || true
          sleep 2
          sudo rm -f /run/squid.pid
          sudo squid -N -d 1 &
          sleep 5

          # Set proxy environment variables
          echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
          echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
          echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
          echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
          # Bypass proxy for package registries to avoid integrity check issues
          echo "NO_PROXY=localhost,127.0.0.1,registry.npmjs.org,registry.yarnpkg.com" >> $GITHUB_ENV
          echo "no_proxy=localhost,127.0.0.1,registry.npmjs.org,registry.yarnpkg.com" >> $GITHUB_ENV

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@beta
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          allowed_tools: "Bash(bun install),Bash(bun test:*),Bash(bun run format),Bash(bun typecheck)"
          custom_instructions: "You have also been granted tools for editing files and running bun commands (install, run, test, typecheck) for testing your changes: bun install, bun test, bun run format, bun typecheck."
          model: "claude-opus-4-20250514"