Run Claude Code in GitHub Actions to Automatically Review Every Pull Request
Human code review is valuable but slow. Adding Claude Code as an automated first pass catches the low-hanging fruit — bugs, style issues, missing error handling, security gaps — before your teammates spend time on it.
# .github/workflows/claude-review.yml
name: Claude Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Review PR with Claude
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: |
npm install -g @anthropic-ai/claude-code
DIFF=$(git diff origin/main...HEAD)
claude -p \
--dangerously-skip-permissions \
--max-turns 10 \
--allowedTools "Read,Glob,Grep" \
"Review this PR diff for bugs, security issues, \
missing error handling, and convention violations. \
Format as a markdown list with severity levels. \
Diff: $DIFF"
Claude runs in read-only mode — it can read your code and search the codebase for context, but it can't edit files or run commands. It reviews the diff against the existing codebase, understanding not just what changed but how it fits into the broader system.
You can customize the review focus in the prompt:
> Review for:
> 1. Bugs and logic errors
> 2. Security vulnerabilities (OWASP top 10)
> 3. Missing test coverage for new code paths
> 4. Violations of our project conventions (see CLAUDE.md)
> 5. Performance concerns (N+1 queries, missing indexes)
Claude reads your CLAUDE.md, so it enforces your team's specific conventions — not generic best practices. If your CLAUDE.md says "always use form requests for validation," Claude flags controllers that validate inline.
For posting results as a PR comment, pipe Claude's output to gh pr comment:
REVIEW=$(claude -p --max-turns 10 --allowedTools "Read,Glob,Grep" \
"review the PR diff...")
gh pr comment $PR_NUMBER --body "$REVIEW"
Automated review doesn't replace human review — it makes human review faster by handling the mechanical checks first.
via Claude Code
Log in to leave a comment.
Before deploying, tell Claude to read your project — migrations, environment variables, queue workers, scheduled tasks, caching, third-party integrations — and generate a deployment checklist that's specific to your app. Not a generic "did you run migrations?" list, but one that knows YOUR infrastructure and catches the things YOUR deploy can break.
Instead of writing a README from memory or copying a template, tell Claude to read your project and generate one that's actually accurate — real setup instructions from your config, real architecture from your directory structure, real API examples from your routes, and real prerequisites from your dependency files.
When you have a written specification — a PRD, a requirements doc, a technical design, or even detailed meeting notes — pipe it directly into Claude Code as context. Claude reads the full document, understands every requirement, and implements the feature exactly as specified instead of you re-explaining it piece by piece.