Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
for more information, see https://pre-commit.ci
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ffa79c2494
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
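Review bot: on the uses: line, anthropics/claude-code-action@v1 is a mutable tag, and the with: block right below hands that action secrets.CLAUDE_CODE_OAUTH_TOKEN, so whatever the tag points to at run time receives the token. Pin the action to a full commit SHA and keep the version in a trailing comment, so that updates to the action arrive as reviewable diffs.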
Guard secret-backed review job on forked pull requests
This workflow runs on pull_request events but unconditionally injects secrets.CLAUDE_CODE_OAUTH_TOKEN; for PRs opened from forks, GitHub does not expose repository secrets to the run, so the Claude step will fail on every synchronize/update from external contributors instead of producing a review. Because this repo already accepts first-time/external PRs, this creates a recurring red CI signal unless the job is explicitly skipped for forks (or moved to a safe pull_request_target design).
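The fork guard that the comment above asks for, as an added example that is not part of this PR or of either bot's review. The workflow name, trigger types, job name, runner and permissions block are assumptions; only the step's id, uses and with lines come from the diff shown on this page:

```yaml
# Added example, not the PR's file. Everything except the step's
# id / uses / with lines is assumed for illustration.
name: Claude Code Review

on:
  pull_request:
    types: [opened, synchronize, ready_for_review, reopened]  # assumed

jobs:
  claude-review:  # assumed job name
    # Run only when the PR head branch lives in this repository.
    # Repository secrets are not passed to pull_request runs that come
    # from forks, so the token below would be empty there and the step
    # would fail on every push from an external contributor.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest  # assumed
    permissions:  # assumed minimal set; adjust to what the action needs
      contents: read
      pull-requests: read
      id-token: write
    steps:
      - id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
```

With the guard in place, a fork PR shows the job as skipped rather than failed, and the secret is only ever referenced in runs whose code comes from a branch of this repository.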
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | ||
| plugins: 'code-review@claude-code-plugins' |
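Review bot: the plugin_marketplaces URL names a Git repository with no commit or tag, so nothing in the workflow file fixes which version of the code-review plugin this step loads, and it loads it in the same step that receives claude_code_oauth_token. If the action allows the marketplace source to be pinned to a revision, pin it here; otherwise add a comment recording that this job trusts the current contents of that repository.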
Wrong marketplace name in plugin reference breaks review
High Severity
The plugins value references marketplace claude-code-plugins, but the actual marketplace name for https://github.com/anthropics/claude-code.git is anthropics/claude-code. The official plugin install syntax is plugin-name@anthropics/claude-code (e.g., /plugin install agent-sdk-dev@anthropics/claude-code), so the plugins field here needs to be code-review@anthropics/claude-code. Using the non-existent claude-code-plugins marketplace name will prevent the code-review plugin from being resolved, causing the entire code review workflow to fail silently or with an error on every PR.


🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!
Note
Medium Risk
Introduces new GitHub Actions workflows that can run on PR and comment events using an external action and OIDC token permissions; misconfiguration could increase CI noise or permissions exposure.
Overview
Adds two new GitHub Actions workflows integrating anthropics/claude-code-action@v1.
- claude.yml runs when issues/PRs are commented/reviewed with @claude, granting read permissions (including actions: read) plus id-token: write and optionally passing through additional permissions.
- claude-code-review.yml adds an automated PR review job triggered on PR lifecycle events, invoking the code-review plugin with a fixed /code-review:code-review prompt against the current PR.
Written by Cursor Bugbot for commit ffa79c2.