A complete guide to integrating Claude Code into GitHub Actions. Covers /install-github-app setup, workflow configuration, permission scoping, cost controls, and real-world automation patterns.
GitHub Actions, CI, PR automation, claude-code-action
Quick Setup with /install-github-app
The fastest way to get started is using the official GitHub App installation flow. Navigate to /install-github-app in the Claude Code documentation and click 'Install'. This creates a GitHub App with the minimum required permissions and automatically generates the necessary secrets for your repository.
After installation, you'll have two secrets available in your repository: ANTHROPIC_API_KEY for API access and CLAUDE_CODE_GITHUB_APP credentials for GitHub API access. The GitHub App approach is recommended over personal access tokens because it provides fine-grained permissions, audit logging, and organization-level control.
For organizations, an admin can install the app at the org level and selectively enable it for specific repositories. This gives you centralized control over which repos can use Claude Code in CI while maintaining per-repo workflow configuration.
The most popular use case is automated PR reviews. When a pull request is opened or updated, Claude Code analyzes the diff, checks for bugs, security issues, and style violations, then posts review comments directly on the PR.
The key configuration is the prompt — this is where you define your review standards. Be specific about what to check: security vulnerabilities, performance regressions, missing tests, API contract changes, and coding style. Reference your project's CLAUDE.md for project-specific conventions.
Control costs by limiting max_turns (how many tool-call rounds Claude can take) and using allowed_tools to restrict which tools Claude can access. For reviews, Read, Grep, and Glob are usually sufficient — no need for Write or Bash access.
Claude Code can automatically implement features or fix bugs when issues are created or labeled. This is particularly powerful for well-specified issues: create an issue with clear acceptance criteria, add a 'claude-implement' label, and Claude generates a PR with the implementation.
The workflow triggers on issue events, reads the issue body for requirements, creates a feature branch, implements the changes, runs tests, and opens a PR linking back to the original issue. This creates a complete audit trail from requirement to implementation.
For safety, restrict this to specific labels (e.g., 'claude-implement' or 'good-first-issue'). You don't want Claude attempting every issue automatically. Also set a max_turns limit to prevent runaway sessions on ambiguous issues.
# .github/workflows/claude-implement.yml
name: Claude Auto-Implement
on:
  issues:
    types: [labeled]
jobs:
  implement:
    if: github.event.label.name == 'claude-implement'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: |
            Read issue #${{ github.event.issue.number }}.
            Implement the requested changes:
            1. Create a feature branch
            2. Write the implementation
            3. Add tests
            4. Run tests to verify
            5. Open a PR linking to this issue
          allowed_tools: "Read,Write,Edit,Bash,Grep,Glob"
          max_turns: 30
          timeout_minutes: 15
Cost Controls and Best Practices
GitHub Actions minutes and Anthropic API costs can add up quickly if not managed. Set max_turns to limit how many tool-call rounds Claude can make — 10 for reviews, 20-30 for implementations. Use timeout_minutes to set a hard ceiling on execution time.
Use allowed_tools to restrict capabilities per workflow. Review workflows only need read access (Read, Grep, Glob). Implementation workflows need write access but should still exclude dangerous tools. Never give Bash access in PR review workflows.
Monitor costs by checking token usage in the workflow logs. Claude Code Action logs input/output token counts for each run. Set up budget alerts in your Anthropic dashboard and consider using concurrency groups to prevent parallel runs on the same PR.
For organizations, use the GitHub App's permission system to control which repositories can trigger Claude Code workflows. Combine with branch protection rules to ensure Claude's PRs still require human approval before merging.
# Cost control best practices
# 1. Limit turns and timeout
max_turns: 10 # Max tool-call rounds
timeout_minutes: 10 # Hard time limit
# 2. Restrict tools per workflow
# Review (read-only):
allowed_tools: "Read,Grep,Glob"
# Implementation (write access):
allowed_tools: "Read,Write,Edit,Bash,Grep,Glob"
# 3. Concurrency control — prevent parallel runs on same PR
concurrency:
  group: claude-${{ github.event.pull_request.number }}
  cancel-in-progress: true
# 4. Cost monitoring in workflow logs
# Look for: "Token usage: X input, Y output (~$Z.ZZ)"
# 5. Branch protection — require human approval
# Settings → Branches → main → Require PR reviews
# Claude's PRs still need human review before merge
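The rules in this guide (read-only tools for PR reviews, turn and time limits, a concurrency group, label gating for issue-triggered runs) can be enforced with a small lint over the workflow files. The script below is an added example, not part of the original guide or of claude-code-action; `check_workflow`, its helpers and the trimmed sample workflow are constructed for illustration, and it assumes block-style `key: value` lines, read with a regex rather than a YAML parser.

```python
import re

READ_ONLY_TOOLS = {"Read", "Grep", "Glob"}      # enough for reviews, per the guide
TURN_CEILING = {"review": 10, "implement": 30}  # the guide's suggested limits

def scalar(text, key):
    """Value of the first `key: value` line, minus quotes and trailing comment."""
    m = re.search(rf"^[ \t-]*{key}:[ \t]*(\S.*?)[ \t]*(?:#.*)?$", text, re.M)
    return m.group(1).strip("\"'") if m else None

def has_key(text, key):  # key may be a regex fragment
    return re.search(rf"^[ \t]*{key}:", text, re.M) is not None

def check_workflow(text):
    """Return policy findings for one workflow file given as text."""
    if "anthropics/claude-code-action" not in text:
        return []
    kind = ("review" if has_key(text, "pull_request(_target)?") else
            "implement" if has_key(text, "issues") else None)
    required = ("max_turns", "timeout_minutes", "allowed_tools")
    findings = [f"{k} is not set" for k in required if scalar(text, k) is None]
    turns = scalar(text, "max_turns") or ""
    if kind and turns.isdigit() and int(turns) > TURN_CEILING[kind]:
        findings.append(f"max_turns {turns} exceeds {TURN_CEILING[kind]} for {kind}")
    tools = {t.strip() for t in (scalar(text, "allowed_tools") or "").split(",")}
    extra = sorted(tools - READ_ONLY_TOOLS - {""})
    if kind == "review" and extra:
        findings.append("review workflow grants " + ",".join(extra))
    if kind == "review" and not has_key(text, "concurrency"):
        findings.append("no concurrency group")
    if kind == "implement" and "github.event.label.name" not in (scalar(text, "if") or ""):
        findings.append("issue trigger is not gated on a label")
    return findings

# Constructed sample: a review workflow that breaks several of the rules.
REVIEW_BAD = """\
on:
  pull_request:
jobs:
  review:
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          allowed_tools: "Read,Grep,Glob,Bash"
          max_turns: 25
"""

if __name__ == "__main__":
    print("\n".join(check_workflow(REVIEW_BAD)))
```

Run over every file in `.github/workflows/` as a required check, a non-empty result blocks a change that widens Claude's tools or removes a limit.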
About Claude Code GitHub Actions v1 Guide
Claude Code guides provide in-depth, step-by-step instructions for mastering specific aspects of Claude Code. Claude Code GitHub Actions v1 Guide is an intermediate-level guide that walks you through best practices, real-world techniques, and practical tips to help you get the most out of Claude Code in your daily workflow.