Quick Setup (5 Minutes)
Two paths. The fast one takes 2 minutes if you have admin access to the repo.
Option 1: Automatic (Recommended)
Open Claude Code in your terminal and run the installer:
Terminal
claude
/install-github-appThis installs the Claude GitHub app, grants the required permissions (Contents, Issues, Pull Requests read/write), and adds your ANTHROPIC_API_KEY as a repository secret. You need to be a repository admin.
Option 2: Manual Setup
Three steps if the automatic installer fails or you prefer manual control:
1. Install the GitHub App
Go to github.com/apps/claude and install it on your repository. Grant Contents, Issues, and Pull Requests read/write permissions.
2. Add API Key Secret
In your repository Settings, go to Secrets and Variables, then Actions. Add ANTHROPIC_API_KEY with your Anthropic API key.
3. Add Workflow File
Copy the workflow YAML from anthropics/claude-code-action/examples/claude.yml into your repo's .github/workflows/ directory.
Test It
After setup, tag @claude in any issue or PR comment. Claude should respond within 30-60 seconds.
How It Works
The action (anthropics/claude-code-action@v1) runs Claude Code on a GitHub-hosted runner. Your code never leaves GitHub's infrastructure. API calls go to your configured provider (Anthropic, AWS, GCP, or Azure).
Three execution modes, detected automatically:
| Mode | Trigger | Behavior |
|---|---|---|
| Interactive | @claude mention in PR/issue comment | Reads context, responds to the request, can push commits |
| Automation | Workflow with prompt parameter | Runs the prompt immediately, outputs results |
| Review | PR opened/synchronized event | Analyzes PR diff, posts review comments |
The action supports the full Claude Code CLI, including MCP servers, custom skills, and CLAUDE.md project configuration. Whatever Claude can do locally, it can do in CI.
Workflow Examples
Basic: Respond to @claude Mentions
The simplest workflow. Claude responds when someone tags @claude in any issue or PR comment.
.github/workflows/claude.yml
name: Claude Code
on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
jobs:
claude:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}Automated PR Code Review
Claude reviews every PR automatically on open or update. It checks code quality, performance, and security, then posts inline comments.
.github/workflows/review.yml
name: Claude Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Review this PR for:
- Code quality and adherence to project standards
- Performance regressions
- Security vulnerabilities
- Missing error handling
claude_args: "--max-turns 5"Issue-to-PR: Auto-Implement Features
Assign an issue to Claude, and it creates a PR with the implementation. Add @claude to the issue body or assign the issue directly.
.github/workflows/implement.yml
name: Claude Implementation
on:
issues:
types: [opened, assigned]
jobs:
implement:
if: contains(github.event.issue.body, '@claude')
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
claude_args: "--model claude-opus-4-6 --max-turns 15"Scheduled Maintenance
Run Claude on a cron schedule for dependency updates, documentation sync, or codebase cleanup.
.github/workflows/maintenance.yml
name: Weekly Maintenance
on:
schedule:
- cron: '0 9 * * 1' # Every Monday at 9am UTC
jobs:
maintenance:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Check for outdated dependencies.
If any are found, create a PR updating them.
Include a summary of what changed and why.
claude_args: "--max-turns 10"Path-Specific Review
Trigger reviews only when specific directories change. Useful for security-critical paths.
.github/workflows/security-review.yml
name: Security Review
on:
pull_request:
paths:
- 'src/auth/**'
- 'src/api/**'
- 'src/middleware/**'
jobs:
security:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Security-focused review. Check for:
- SQL injection, XSS, CSRF vulnerabilities
- Authentication/authorization bypasses
- Secrets or credentials in code
- Insecure deserialization
claude_args: "--max-turns 5"Authentication Options
Four backends. Direct API for most teams. Bedrock or Vertex for enterprise data residency requirements.
| Provider | Secret Required | Best For |
|---|---|---|
| Anthropic Direct | ANTHROPIC_API_KEY | Most teams, fastest setup |
| AWS Bedrock | AWS_ROLE_TO_ASSUME (OIDC) | AWS-native orgs, data residency |
| Google Vertex AI | GCP_WORKLOAD_IDENTITY_PROVIDER + GCP_SERVICE_ACCOUNT | GCP-native orgs, data residency |
| Microsoft Foundry | Azure credentials | Azure-native orgs |
AWS Bedrock Example
Uses OIDC for credential-free authentication. No static AWS keys stored in GitHub.
Bedrock Workflow (Key Section)
steps:
- uses: actions/checkout@v4
- name: Configure AWS Credentials (OIDC)
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
aws-region: us-west-2
- uses: anthropics/claude-code-action@v1
with:
use_bedrock: "true"
claude_args: '--model us.anthropic.claude-sonnet-4-6'Model IDs for Bedrock
Bedrock model IDs include a region prefix. Use us.anthropic.claude-sonnet-4-6 for Sonnet or us.anthropic.claude-opus-4-6 for Opus. The prefix maps to your configured AWS region.
Configuration Reference
| Parameter | Required | Description |
|---|---|---|
| anthropic_api_key | Yes (for direct API) | Your Anthropic API key from console.anthropic.com |
| prompt | No | Instructions for Claude. Omit for interactive @claude mode. |
| claude_args | No | CLI arguments: --max-turns, --model, --mcp-config, --allowed-tools |
| github_token | No | GitHub token for API access. Auto-provided in most cases. |
| trigger_phrase | No | Custom trigger phrase. Default: @claude |
| use_bedrock | No | Set to 'true' for AWS Bedrock authentication |
| use_vertex | No | Set to 'true' for Google Vertex AI authentication |
Common claude_args
CLI Arguments via claude_args
claude_args: |
--max-turns 10 # Limit conversation turns (default: 10)
--model claude-opus-4-6 # Use Opus instead of Sonnet
--mcp-config /path/to/config.json # Load MCP servers
--allowed-tools "Read,Write,Bash" # Restrict tool access
--append-system-prompt "Follow our coding standards"
--debug # Enable debug outputCLAUDE.md: Project-Level Configuration
Add a CLAUDE.md file to your repository root. Claude reads this file on every run, whether triggered locally or via GitHub Actions. Define coding standards, review criteria, architectural decisions, and project-specific rules.
Example CLAUDE.md
# Project Standards
## Code Style
- Use TypeScript strict mode
- Prefer functional components with hooks
- No default exports except for pages
## Review Criteria
- All API endpoints must validate input
- Database queries must use parameterized queries
- Auth checks required on all protected routes
## Architecture
- src/lib/ for shared utilities
- src/components/ for React components
- src/app/api/ for API routesCost Optimization
Two cost vectors: GitHub Actions minutes and Anthropic API tokens. Both scale with usage, but tokens are the larger expense for most teams.
Practical Cost Controls
Cost-Optimized Workflow
jobs:
review:
runs-on: ubuntu-latest
timeout-minutes: 10 # Kill runaway jobs
concurrency:
group: claude-${{ github.ref }}
cancel-in-progress: true # Cancel if new push arrives
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: "Review this PR"
claude_args: "--max-turns 5" # Cap iterationsToken Usage by Task Type
A simple PR review typically uses 5,000-15,000 tokens. Feature implementation from an issue description can use 50,000-200,000 tokens depending on codebase size. Set --max-turns to 5 for reviews and 10-15 for implementation tasks.
Production Patterns
Pattern 1: Layered Reviews
Run a fast Sonnet review on every PR, and an Opus deep review only on PRs targeting main or touching critical paths.
Layered Review Strategy
# Fast review on all PRs
name: Quick Review
on:
pull_request:
types: [opened, synchronize]
jobs:
quick-review:
runs-on: ubuntu-latest
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: "Quick review: flag obvious bugs, security issues, and style violations"
claude_args: "--max-turns 3"
---
# Deep review on PRs to main
name: Deep Review
on:
pull_request:
types: [opened, synchronize]
branches: [main]
jobs:
deep-review:
runs-on: ubuntu-latest
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Thorough review. Check architecture, performance,
security, test coverage, and documentation.
claude_args: "--model claude-opus-4-6 --max-turns 10"Pattern 2: Issue Triage Pipeline
Automatically label and prioritize new issues. Claude reads the issue body, checks the codebase for related code, and applies labels.
Issue Triage
name: Issue Triage
on:
issues:
types: [opened]
jobs:
triage:
runs-on: ubuntu-latest
permissions:
issues: write
contents: read
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Analyze this issue. Apply labels from:
bug, feature, docs, performance, security.
Add a priority label: P0 (critical), P1 (high),
P2 (medium), P3 (low).
Post a brief comment summarizing what area
of the codebase this affects.
claude_args: "--max-turns 3"Pattern 3: Documentation Sync
When source code changes, Claude updates the corresponding documentation and opens a follow-up PR.
Documentation Sync
name: Docs Sync
on:
pull_request:
types: [closed]
branches: [main]
paths:
- 'src/**'
jobs:
sync-docs:
if: github.event.pull_request.merged == true
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
The merged PR changed source code.
Update any documentation that references
the changed files. Create a new PR with
the documentation updates.
claude_args: "--max-turns 8"Reducing Token Costs with Morph
Every Claude Code GitHub Actions run includes file edits. Claude generates the full edit, which consumes output tokens. For large files, this gets expensive fast: a 500-line component rewrite at Sonnet rates costs roughly $0.03-0.05 in output tokens alone. Multiply by 50 PRs a day and you are looking at $50-75/month just on edit tokens.
Morph's fast-apply model is purpose-built for code edits. It takes a partial diff and applies it to the full file, producing the same result with 60-80% fewer output tokens. The model runs at 10,500 tokens per second, so edits that take Claude 8-12 seconds complete in under 2 seconds.
For CI pipelines running hundreds of edits per day, routing the apply step through Morph cuts the token bill without changing the code quality. The reasoning stays with Claude, the mechanical edit goes to the fast-apply model.
FAQ
How do I set up Claude Code GitHub Actions?
Fastest method: open Claude Code in your terminal and run /install-github-app. This installs the GitHub app and configures secrets automatically. Manual setup requires three steps: install the Claude GitHub app, add ANTHROPIC_API_KEY as a repository secret, and copy the workflow YAML into .github/workflows/.
What can Claude Code do in GitHub Actions?
Create PRs from issue descriptions. Review code automatically on PR open. Respond to @claude mentions in comments. Triage and label issues. Generate documentation. Run scheduled maintenance. Execute any custom automation prompt. It supports the full Claude Code CLI toolset including MCP servers.
How much does it cost?
Two components: GitHub Actions minutes (consumed on GitHub-hosted runners) and Anthropic API tokens. A simple PR review typically uses 5,000-15,000 tokens. Feature implementation can use 50,000-200,000 tokens. The action defaults to Sonnet. Set --max-turns to limit iterations and control costs.
Does it support AWS Bedrock and Google Vertex?
Yes. Four authentication backends: Anthropic direct API, AWS Bedrock (OIDC), Google Vertex AI (Workload Identity Federation), and Microsoft Foundry. Enterprise teams can route through existing cloud infrastructure for data residency and billing control.
Which model does it use by default?
Claude Sonnet. To switch to Opus 4.6, add claude_args: "--model claude-opus-4-6". For Bedrock, use the region-prefixed model ID: us.anthropic.claude-sonnet-4-6.
Is it secure?
Code runs entirely on your GitHub-hosted runner and never leaves GitHub's infrastructure. API calls go to your configured provider. Store API keys in GitHub Secrets, not in workflow files. The action requires minimal permissions: Contents, Issues, and Pull Requests read/write.
Can I use it with private repositories?
Yes. Full support for private repos. Code stays on GitHub's runners and is not sent to external services beyond your configured API provider.
How do I trigger Claude in a comment?
Mention @claude in any PR or issue comment. Examples: "@claude review this PR for security issues" or "@claude implement the feature described in this issue." Customize the trigger with the trigger_phrase parameter.
Ship faster with Morph in your pipeline
Morph's fast-apply model cuts edit token costs by 60-80% in CI/CD workflows. Same code quality, fewer tokens, faster edits.