Take Your Development to the Next Level with Claude Code GitHub Action
※This is an English translation of this article.
Introduction
Hello! I'm Masataka Mayuzumi (X profile here), the CTO at OCT-PATH, Inc.
Thank you for all your hard work in your daily development tasks! To deliver amazing products to the world, we work together as a team to write, review, and continuously improve our code... that cycle is the true essence of creation, isn't it?
Now, the recent evolution of AI technology is truly remarkable. AI coding assistants, in particular, have become incredibly intelligent and hold the potential to drastically change our development styles.
"We should be able to develop more efficiently and with higher quality using AI!"
With this belief, we have been exploring ways to integrate AI into our team's development process. And now, we've found that a system of automation linking the much-talked-about Claude Code with GitHub Actions has brought about a more positive change to our team than we could have ever imagined. I'd like to share our findings with all of you.
I hope this article provides some hints for making your team's development process even better.
Two 'Missed Opportunities' Our Team Faced
Our team was facing challenges similar to those found in many development environments.
Challenge 1: Person-Dependent Reviews and Psychological Hurdles
As the accuracy of AI coding tools improves, the quality of code written by individuals is certainly on the rise. However, as long as we develop as a team, code reviews remain essential.
But haven't you encountered these "missed opportunities"?
- Development comes to a halt while waiting for a review.
- The points of feedback vary depending on the reviewer.
- A psychological hurdle emerges, like "This person's reviews are tough, so I'm hesitant to open a pull request..."
Even if we recommend using AI, forcing everyone to do so is difficult in reality. That's why we thought if we had a "system where a fair AI review is automatically conducted no matter who opens a pull request," we could solve these issues.
We also anticipate a secondary benefit from this system: making individual skills visible. It should lead to a healthy sense of competition and motivation for skill improvement, with thoughts like, "A-san's pull requests always have few suggestions from the AI. That's amazing!" or "I'll aim for zero suggestions next time!"
Challenge 2: High-Cost and Often Formalistic Vulnerability Scans
Security is one of the most critical factors supporting a product's reliability. However, traditional vulnerability scanning has centered on manual checks by experts, which inevitably becomes costly. As a result, it can't be performed frequently, and often ends up being limited to checks right before a release or just a few times a year.
However, recent AI can understand an extremely broad context. Its ability to read the entire source code and detect vulnerability patterns that humans might overlook has improved dramatically.
So, we thought, "Couldn't we leverage AI to conduct regular, low-cost vulnerability scans of our entire source code?" This would allow us to discover security risks early in the development process and reduce rework.
What We Achieved with Claude Code GitHub Actions
The system we built utilizes the open-source "Claude Code Action" to solve these challenges. Specifically, it achieves the following two things:
- AI-Powered Automatic Code Reviews for Pull Requests
  - Whenever a pull request is created or updated, the AI (Claude) automatically posts review comments.
- Monthly Source Code Vulnerability Scans with Slack Notifications
  - Once a month, an Issue is created automatically, the AI performs a vulnerability scan on the entire source code and posts the results to that Issue as a comment, and a notification is then sent to Slack.
With this setup, we aim to achieve standardization of code quality and improvement of security levels, automatically and continuously.
Essential Background Knowledge
For those thinking, "This sounds useful, but what are Claude and GitHub Actions anyway?", here's a brief explanation.
What is Claude Code?
Claude is a family of large language models developed by Anthropic. It particularly excels at understanding and generating long texts, as well as coding. You can think of "Claude Code" as Anthropic's coding agent built on Claude: it can read a repository, run tools, and edit code. It can become a reliable partner for developers, helping with code reviews, refactoring, and pointing out vulnerabilities.
What are GitHub Actions?
GitHub Actions is a CI/CD (Continuous Integration/Continuous Deployment) tool built into GitHub. It allows you to automate a series of tasks like testing, building, and deploying, triggered by events on GitHub such as a git push or the creation of a pull request. It's truly a behind-the-scenes hero that eliminates tedious manual development work.
What's So Great About Claude Code GitHub Actions?
The fundamental appeal of this tool is its simplicity: you can request code reviews and fixes interactively just by mentioning "@claude" on GitHub.
In this article, we apply this feature to automatically execute that "@claude" mention itself, triggered by events like pull request creation.
The goal is to build a robust "system" where AI checks are always performed without the developer even having to think about it.
What is the Very Important "CLAUDE.md"?
This is the "heart" of our system. If you create a file named CLAUDE.md in the root of your repository or in the .github directory, Claude will read the instructions and rules written in this file and perform its reviews and scans accordingly.
Setup Guide: Let's Achieve Automation with Two Files!
Now, let's get to the main topic: the setup method. There will be some code from here on, but don't worry, I'll explain each part carefully. I've made it so you can copy and paste!
By simply adding the following two YAML files to your repository, the magic of automation will begin.
- .github/workflows/claude.yml (The main file for running Claude)
- .github/workflows/slack-notification.yml (A file for sending vulnerability scan results to Slack)
And I strongly recommend creating the instruction manual for the AI, CLAUDE.md, at the same time.
Preparing CLAUDE.md and an Important Rule
First, let's create the instruction manual for the AI, CLAUDE.md. If you write your review and vulnerability scan rules here, the AI will faithfully follow them.
And, to ensure the Slack notifications we'll set up later function correctly, please make sure to include the following required keywords in your vulnerability scan guidelines. These keywords are the contract that lets the notification workflow determine mechanically, from the AI's scan results, whether vulnerabilities were found or not. (The guidelines themselves are just a sample, so please feel free to adapt them for each project, but keep the keyword lines exactly as written.)
```markdown
# Instructions for Claude

## Code Review Guidelines
- **Readability:** Are variable and function names clear? Are comments appropriate?
- **Performance:** Are there any unnecessary loops or inefficient processes?
- **Security:** Are there risks of SQL injection or cross-site scripting?
- **Custom Rule:** All constants must be defined in uppercase snake_case.

---

## Vulnerability Scan Guidelines
Please scan the entire source code for vulnerabilities, focusing on the OWASP Top 10.
The scan results should be output in the format described below.

### Required Keywords
The vulnerability scan results must include the following keywords:

**On scan completion:**
- Vulnerabilities found: `VULNERABILITY_SCAN_RESULT: ISSUES_FOUND`
- No issues found: `VULNERABILITY_SCAN_RESULT: CLEAN`

**Severity notation:**
- `SEVERITY: CRITICAL` (If critical vulnerabilities exist)
- `SEVERITY: HIGH` (If high vulnerabilities exist)

### Example Scan Report Format
VULNERABILITY_SCAN_RESULT: ISSUES_FOUND
SEVERITY: CRITICAL
```
1. Main Configuration for Running Claude (claude.yml)
Create a file named .github/workflows/claude.yml and paste the following content into it.
```yaml
name: Claude PR Assistant

on:
  # Triggers for responding to @claude mentions
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
  pull_request_review:
    types: [submitted]
  # Trigger for automatic pull request reviews
  pull_request:
    types: [opened, synchronize, reopened]
  # Trigger for monthly vulnerability scans (cron format)
  schedule:
    # Runs at 00:00 UTC on the 1st of every month (9:00 AM JST)
    - cron: "0 0 1 * *"

jobs:
  # --- Job 1: Automatic pull request reviews ---
  auto-pr-review:
    # This job only runs when a pull request is created or updated.
    # Note: secrets such as USER_PAT are not available to workflows triggered by
    # pull requests from forks, so this job only works for branches in this repository.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    # These permissions apply to GITHUB_TOKEN only; the step below uses a PAT,
    # whose own scopes apply. No id-token permission is needed here, since
    # github-script does not use OIDC.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Add auto review comment as user
        uses: actions/github-script@v7
        with:
          # Use a user's PAT here so the comment is posted by a human account, not the github-actions bot
          github-token: ${{ secrets.USER_PAT }}
          script: |
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: '@claude Please review this pull request.'
            });

  # --- Job 2: Automatically creating a vulnerability scan issue ---
  auto-vulnerability-scan:
    # This job only runs on a schedule
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - name: Create vulnerability scan issue as user
        uses: actions/github-script@v7
        with:
          # Also use a user's PAT so the issue is created by a human account
          github-token: ${{ secrets.USER_PAT }}
          script: |
            const now = new Date();
            const jstTime = now.toLocaleString('ja-JP', { timeZone: 'Asia/Tokyo' });
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `【Automatic】Monthly Vulnerability Scan Report (${now.getFullYear()}/${now.getMonth() + 1})`,
              body: `@claude Please run the scheduled vulnerability scan.\n\n## Execution Time\n${jstTime}\n\nPlease follow the "Vulnerability Scan Guidelines" in CLAUDE.md for detailed scan criteria and output format.\nAppend the scan results as a comment to this issue.`,
              labels: ['security', 'vulnerability-scan', 'automated']
            });

  # --- Job 3: Trigger Claude in response to @claude mentions ---
  claude-code-action:
    # Runs when a comment, review, or issue containing "@claude" is created
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
      (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      issues: write
      id-token: write # Used by the action's OIDC token exchange
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Fetch only the latest code, not the entire history, for speed
          fetch-depth: 1
      - name: Run Claude PR Action
        id: claude-action
        uses: anthropics/claude-code-action@beta # Thanks for this amazing Action!
        with:
          # Read the Anthropic API key from secrets
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # Set a longer timeout to avoid issues with large codebases
          timeout_minutes: "60"
```
2. Configuration for Slack Notifications (slack-notification.yml)
Next is the configuration for sending vulnerability scan results to Slack. Create a file named .github/workflows/slack-notification.yml and paste the following content.
```yaml
name: Slack Vulnerability Monitor

on:
  issue_comment:
    # Triggers when a comment is created or edited on an issue
    types: [created, edited]

# Concurrency control
concurrency:
  # Prevents multiple notification workflows for the same issue from running simultaneously
  group: ${{ github.workflow }}-${{ github.event.issue.number }}
  # If a new trigger occurs while one is running, cancel the old one and run the new one
  cancel-in-progress: true

jobs:
  vulnerability-notify:
    # Runs if the comment contains the "scan complete" keyword from CLAUDE.md,
    # the issue has the 'vulnerability-scan' label,
    # and has not yet been notified to Slack (no 'slack-notified' label).
    if: >
      contains(github.event.comment.body, 'VULNERABILITY_SCAN_RESULT:') &&
      !contains(github.event.issue.labels.*.name, 'slack-notified') &&
      contains(github.event.issue.labels.*.name, 'vulnerability-scan')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write # 'write' permission is needed to add a label after notification
    steps:
      - name: Notify Slack
        uses: slackapi/slack-github-action@v1.25.0
        with:
          # The ${{ }} expressions are substituted as raw text before the JSON is parsed.
          # Only the issue title (created by claude.yml itself) and the comment URL are used;
          # do not interpolate github.event.comment.body here, since free-form comment text
          # containing quotes or newlines would break the JSON.
          payload: |
            {
              "text": "🔒 Vulnerability scan for `${{ github.repository }}` is complete. Please check the issue for results.\n<${{ github.event.comment.html_url }}|${{ github.event.issue.title }}>"
            }
        env:
          # Read the Slack Webhook URL from secrets
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
      - name: Add 'slack-notified' label to issue
        # Add a label after Slack notification to prevent duplicate notifications
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ['slack-notified']
            });
```
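The notification above only says that the scan is complete, even though the keyword contract in CLAUDE.md also carries the severity. The helper below, an added example and not code from the original article or from the Claude Code Action, parses that contract from the scan comment, applies the same rule as the workflow's `if:` guard, and builds a Slack message that states the outcome and the highest severity. It is written to run inside an actions/github-script step (Node 20, so global `fetch` is available) with the webhook URL passed through `env`. The function names, the `SAMPLE_PAYLOAD`, and the MEDIUM/LOW severities beyond the CRITICAL/HIGH defined in CLAUDE.md are assumptions for illustration.

```javascript
// Added example: parse the CLAUDE.md keyword contract from a scan comment and build
// a Slack message from it. Not part of the original article or of Claude Code Action.
// Designed for an actions/github-script step (Node 20, global fetch); the function
// names and the sample payload below are assumptions for illustration.

// Most severe first. CRITICAL and HIGH come from the CLAUDE.md guidelines;
// MEDIUM and LOW are assumed in case the guidelines are extended.
const SEVERITY_ORDER = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'];

// Same rule as the `if:` guard of slack-notification.yml: the comment carries the
// result keyword, the issue is a scan issue, and it has not been reported yet.
function shouldNotify(payload) {
  const labels = (payload.issue?.labels ?? []).map((l) => l.name);
  const body = payload.comment?.body ?? '';
  return (
    body.includes('VULNERABILITY_SCAN_RESULT:') &&
    labels.includes('vulnerability-scan') &&
    !labels.includes('slack-notified')
  );
}

// Extract the result and severity keywords. Returns null when the result keyword is
// missing or has an unexpected value, so a malformed report is never treated as CLEAN.
// Backticks around the keywords (as in the CLAUDE.md sample) are tolerated.
function parseScanResult(body) {
  const result = /VULNERABILITY_SCAN_RESULT:\s*(ISSUES_FOUND|CLEAN)\b/.exec(body);
  if (!result) return null;
  const severities = [];
  for (const m of body.matchAll(/SEVERITY:\s*(CRITICAL|HIGH|MEDIUM|LOW)\b/g)) {
    if (!severities.includes(m[1])) severities.push(m[1]);
  }
  const worst = SEVERITY_ORDER.find((s) => severities.includes(s)) ?? null;
  return { result: result[1], severities, worst };
}

// Build the Slack payload as an object (serialized with JSON.stringify when sent),
// which avoids the quoting problems of interpolating ${{ }} into a JSON template.
function buildNotification(payload, repo) {
  if (!shouldNotify(payload)) return null;
  const scan = parseScanResult(payload.comment.body);
  const where = `\`${repo.owner}/${repo.repo}\``;
  const link = `<${payload.comment.html_url}|${payload.issue.title}>`;
  let text;
  if (scan === null) {
    text = `⚠️ Vulnerability scan for ${where} posted a result that does not follow the CLAUDE.md keyword format. Please check the issue.\n${link}`;
  } else if (scan.result === 'CLEAN') {
    text = `✅ Vulnerability scan for ${where} is complete: no issues found.\n${link}`;
  } else {
    const sev = scan.worst ? ` (highest severity: ${scan.worst})` : '';
    text = `🔒 Vulnerability scan for ${where} found issues${sev}. Please check the issue for details.\n${link}`;
  }
  return { text };
}

// Send the message to a Slack Incoming Webhook (needs network; not called in this file).
async function postToSlack(webhookUrl, message) {
  const res = await fetch(webhookUrl, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(message),
  });
  if (!res.ok) throw new Error(`Slack webhook returned ${res.status}`);
}

// Constructed sample issue_comment payload (shape follows GitHub's event payload,
// values are invented for this example).
const SAMPLE_PAYLOAD = {
  issue: {
    number: 42,
    title: '【Automatic】Monthly Vulnerability Scan Report (2025/6)',
    labels: [{ name: 'security' }, { name: 'vulnerability-scan' }, { name: 'automated' }],
  },
  comment: {
    html_url: 'https://github.com/example-org/example-repo/issues/42#issuecomment-1',
    body: [
      'Scan finished. Summary:',
      '`VULNERABILITY_SCAN_RESULT: ISSUES_FOUND`',
      '`SEVERITY: HIGH`',
      '`SEVERITY: CRITICAL`',
      'Details follow below.',
    ].join('\n'),
  },
};

// Inside a github-script step:
//   const msg = buildNotification(context.payload, context.repo);
//   if (msg) await postToSlack(process.env.SLACK_WEBHOOK_URL, msg);
```

If you swap this in for the slackapi step, keep the `if:` guard on the job as well: the guard stops the job from starting at all for unrelated comments, while `shouldNotify` is the same rule re-checked on the payload the script actually received.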
3. Setting Up Environment Variables (Secrets)
You need to register the API keys and other variables used in the configuration files as Secrets in your GitHub repository. You can do this from your repository's Settings > Secrets and variables > Actions.
- ANTHROPIC_API_KEY: Your API key from Anthropic.
- USER_PAT: Your GitHub Personal Access Token (PAT).
- SLACK_WEBHOOK_URL: The Incoming Webhook URL for Slack notifications. For instructions on how to get this, articles like this one on Zenn (in Japanese) are very helpful. You might want to ask your infrastructure manager or post it to your project's channel.
【A Quick Deep Dive】Why is USER_PAT Necessary?
This is a rather important point, so let me explain.
When a GitHub Action posts a comment using the default GITHUB_TOKEN, that comment is attributed to the github-actions bot. Two things then break the chain. First, GitHub does not start new workflow runs for events caused by GITHUB_TOKEN, so the "@claude" comment would never trigger the claude-code-action job. Second, the Claude Code Action is designed not to respond to mentions from bots for security reasons.
Therefore, by using a USER_PAT, the comment is posted by a human account (yours), which in turn triggers Claude. It's a small trick, but it makes the automation run smoothly. Keep in mind that everything posted with this token appears under your name, so give the token an expiration date and rotate it like any other credential.
When generating a USER_PAT, it's a security best practice to grant only the minimum necessary permissions. For this setup, the following are sufficient:
- Fine-grained PAT (recommended), restricted to this repository only: Issues: Read and write (required for creating, commenting on, and labeling the scan issue) and Pull requests: Read and write (required for commenting on pull requests).
- Classic PAT: the repo scope (required for the claude.yml jobs to post on your behalf). This scope is broad, so prefer a fine-grained token where you can.
What the Future Looks Like: How Will Your Development Process Change?
Once these settings are complete, your team's development process will transform like this.
Scenario 1: Automatic Code Review for Pull Requests
- A team member creates a pull request.
- GitHub Actions triggers immediately, and a comment "@claude Please review this pull request." is automatically posted on your behalf.
- This comment triggers Claude! It reads the rules from CLAUDE.md and the entire source code, then begins the review.
- A few minutes later, Claude posts the review results as a comment on the pull request.
- (If suggestions are made) It provides specific points for improvement. The team member reads them, makes corrections, and pushes the commits again. Then, the automatic review runs again to check if the fixes are correct.
- (If there are no suggestions) You'll get positive feedback like "This is excellent code!"
- After a final check by a human, it's merged!
Scenario 2: Monthly Source Code Vulnerability Scan
- At 9:00 AM JST (00:00 UTC) on the first day of every month, GitHub Actions starts automatically.
- An issue titled "【Automatic】Monthly Vulnerability Scan Report" is created automatically. The issue body contains "@claude Please run the scheduled vulnerability scan."
- This mention triggers Claude! It begins a vulnerability scan on the entire repository's source code, following the scan rules in CLAUDE.md.
- Once the scan is complete, Claude adds the results as a comment on the issue.
- Detecting this comment, the Slack notification workflow is triggered.
- A notification saying "Vulnerability scan is complete" is sent to the specified Slack channel.
- Team members see the notification, check the issue, and if any critical vulnerabilities are found, they can immediately plan a response.
In Conclusion
How was it?
I was personally thrilled while setting this up, seeing just how much team development can be advanced by AI automation. I'm sure you will all be amazed by the high level of contextual understanding in recent AI models.
It's not about "AI taking our jobs," but rather "making AI our best partner, so humans can focus on more creative work." I am convinced that this is the stage that engineering is moving towards in the future.
If we don't proactively embrace this kind of AI utilization, we might find ourselves left behind by the global pace of development before we know it. That would be a huge missed opportunity, both for companies and for individuals.
Our team will continue to grow alongside AI, taking on the challenge of delivering the best products to our users at the fastest possible speed. As a CTO, nothing would make me happier than if this article becomes the catalyst for your team to take that first step.
Please give it a try with your team! And if you have any better ideas or ways to use it, please let me know.
Happy Hacking!!🐙
Finally, please allow me to introduce our corporate services.🙏
AI & Web3 Development Services
Our company provides high-quality, fast-turnaround development services by leveraging cutting-edge AI technology. We have extensive experience and expertise, especially in the AI and Web3 domains, and we strongly support our clients' digital transformation.
If your company is interested in our services, please feel free to contact us through our company website.
NeoTechPark Community Collaboration
Our engineer community, "NeoTechPark," is home to many talented young Indonesian engineers who actively exchange technical knowledge.
We are currently actively promoting initiatives to discover talent and foster technical exchange by holding joint hackathons with corporate partners. We can plan and manage events focused on developing solutions using the latest AI technologies, including the creation of AI agents, which have been gaining a lot of attention lately.
If your company is interested in collaborating with global talent or putting next-generation AI technology into practice, we would be delighted to hear from you.
For inquiries and consultations, please contact us via our company website.