
Add Claude Code GitHub Workflow #3

Merged
shuiRong merged 2 commits into main from add-claude-github-actions-1762739237732
Nov 10, 2025

Conversation

@shuiRong

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

shuiRong merged commit 573c20d into main Nov 10, 2025
2 of 3 checks passed

github-actions bot left a comment


license-eye has totally checked 478 files.

Valid  Invalid  Ignored  Fixed
389    11       78       0

Invalid file list:
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml
  • protocol/__init__.py
  • protocol/browser/__init__.py
  • protocol/common/__init__.py
  • protocol/event/__init__.py
  • protocol/language_agent/__init__.py
  • protocol/logging/__init__.py
  • protocol/management/__init__.py
  • protocol/profile/__init__.py
  • protocol/service_mesh_probe/__init__.py

@@ -0,0 +1,57 @@
name: Claude Code Review
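Review bot: the new file starts at line 1 with `name: Claude Code Review` and no Apache license header, which is why license-eye lists `.github/workflows/claude-code-review.yml` as invalid above; prepend the standard ASF header block before `name:` so the license-and-lint check passes.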

Suggested change
name: Claude Code Review
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
name: Claude Code Review

@@ -0,0 +1,50 @@
name: Claude Code
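Review bot: same problem as the review workflow, the file opens directly with `name: Claude Code` and carries no license header, and license-eye flags `.github/workflows/claude.yml` as invalid for that reason; add the ASF header above `name:` before merging.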

Suggested change
name: Claude Code
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
name: Claude Code

@claude

claude bot commented Nov 10, 2025

Code Review: Add Claude Code GitHub Workflow

Thank you for contributing this PR! I've reviewed the proposed Claude Code integration and have the following feedback:

✅ Positive Aspects

  1. Clear Documentation: The PR description is excellent - it clearly explains what Claude Code is, how it works, and what the security implications are.

  2. Good Security Practices:

    • Properly uses GitHub secrets for the Anthropic API key
    • Correctly restricts workflow triggers to authorized users
    • Limited tool permissions (read-only by default)
    • Transparent audit trail via GitHub Actions history
  3. Two-Workflow Approach: Smart separation between automated code review (claude-code-review.yml) and on-demand assistance (claude.yml).

⚠️ Issues and Concerns

1. Missing Apache License Headers (Critical)

Both workflow files are missing the Apache Software Foundation license headers that are present in all other workflow files (see .github/workflows/CI.yaml:1-15). This is a blocking issue as:

  • The existing CI.yaml includes a 15-line Apache License 2.0 header
  • The license-and-lint job in CI explicitly checks for license headers using apache/skywalking-eyes/header
  • This PR will likely fail the license check in CI

Required Fix: Add the standard Apache license header to both files:

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Claude Code
# ... rest of the file

2. Inconsistent Action Versions

  • Your workflows use actions/checkout@v4
  • Existing workflows use actions/checkout@v3 (see CI.yaml:39, CI.yaml:76, etc.)

Recommendation: Use @v3 for consistency with the existing codebase, or update all workflows to v4 in a separate PR.

3. Potential Resource Usage on Public Forks

The claude-code-review.yml workflow runs on ALL pull requests (types: [opened, synchronize]) without repository restrictions. This could:

  • Consume API credits on forked repositories if they set up their own API key
  • Run unnecessary CI jobs

Recommendation: Add a repository check similar to existing workflows:

jobs:
  claude-review:
    # Only run in the main repository, not forks
    if: github.repository == 'apache/skywalking-python'
    runs-on: ubuntu-latest
    # ... rest of job

Or add it as a commented example in the conditional that's already there.

4. Missing CHANGELOG Update

According to .github/PULL_REQUEST_TEMPLATE:42, all PRs should update the CHANGELOG.md file. This PR adds new functionality but doesn't document it in the changelog.

5. Auto-Review Timing Consideration

The claude-code-review.yml workflow triggers on opened and synchronize, meaning Claude will review every push to a PR. This could:

  • Generate noise for work-in-progress PRs
  • Consume unnecessary API credits
  • Spam PR comments

Recommendation: Consider these alternatives:

  1. Add a path filter (as shown in the commented section) to only review specific files
  2. Add a label-based trigger (only run when a specific label is added)
  3. Only trigger on ready_for_review event instead of opened
  4. Document this behavior clearly so maintainers know what to expect

6. Permissions Inconsistency

  • claude-code-review.yml includes id-token: write permission
  • claude.yml includes id-token: write AND actions: read permissions

The additional_permissions in claude.yml:40-41 appears to duplicate the actions: read already granted in the permissions block (claude.yml:26). This is confusing.

Recommendation: Clarify if additional_permissions is needed or if it's redundant.

📝 Minor Suggestions

  1. Consistency with Existing CI Patterns: The existing CI.yaml uses concurrency groups to cancel in-progress runs. Consider if Claude workflows should have similar behavior.

  2. Timeout Configuration: Consider adding timeout-minutes to prevent runaway Claude jobs from consuming resources (existing jobs use 10-60 minute timeouts).

  3. Commented Code: Both files have extensive commented sections. While helpful for documentation, consider if some should be removed for a cleaner production workflow.

🔒 Security Assessment

Overall security posture is good:

  • ✅ API keys properly stored as secrets
  • ✅ Read-only defaults with explicit tool allowlists
  • ✅ Limited to write-access users
  • ✅ Full audit trail in GitHub Actions
  • ⚠️ Consider adding branch protection rules to prevent Claude from directly pushing to master

📊 Test Coverage

Issue: No tests are provided for these workflows. While GitHub Actions workflows are hard to test, consider:

  • Adding a test PR or issue to validate the workflow before merging
  • Documenting the validation process in the PR

Summary

This is a useful addition to the repository, but cannot be merged without adding the Apache license headers. Additionally, the missing CHANGELOG update and potential fork/resource usage issues should be addressed.

Required Changes:

  1. ✅ Add Apache License headers to both workflow files
  2. ✅ Update CHANGELOG.md

Recommended Changes:

  1. Add repository check to prevent fork execution
  2. Use consistent action versions (@v3)
  3. Consider auto-review timing and frequency
  4. Clarify permissions configuration
  5. Add timeout limits

Please let me know if you'd like help implementing any of these changes!
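The PR description explains that mentioning @claude in a comment triggers the workflow and that only write-access users can trigger it, and the review above asks for a repository check, a timeout and clearer permissions. The workflow below is an added example that pulls those gates together in one file; it is not the claude.yml merged by this PR, which the page does not show. Assumed and to be checked against the action's README before use: the action reference `anthropics/claude-code-action@beta` and its `anthropic_api_key` / `allowed_tools` inputs (the latter is quoted in the PR description), the secret name `ANTHROPIC_API_KEY`, the upstream repository name `apache/skywalking-python` taken from the review comment, and the placeholder `make lint` / `make test` commands.

```yaml
# Added example of a hardened on-demand "@claude" workflow. Not the
# project's own file. See the lead-in for the names that are assumptions.
name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

# One run per issue/PR at a time; a newer mention cancels a stale run.
concurrency:
  group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
  cancel-in-progress: true

# Nothing at the workflow level; each job declares exactly what it needs.
permissions: {}

jobs:
  claude:
    # Gate 1: run only in the upstream repository, never in forks.
    # Gate 2: the comment must actually mention @claude.
    # Gate 3: the commenter must be an owner, org member or collaborator.
    #   The action checks write access itself, but on a public repository
    #   anyone can post "@claude" and the comment body becomes model input,
    #   so the check is repeated here as defence in depth. Note that MEMBER
    #   only means org membership; if org members do not all have write
    #   access to this repo, drop it from the list.
    if: >-
      github.repository == 'apache/skywalking-python' &&
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    # Bound a runaway agent run, as the review above recommends.
    timeout-minutes: 30
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write   # needed by the action to exchange for its App token
      actions: read     # lets the agent read CI logs for the PR
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in production
        with:
          fetch-depth: 1

      - uses: anthropics/claude-code-action@beta   # assumed ref; pin to a SHA
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # Exact commands only, one Bash(...) entry each. Never Bash(*) or a
          # glob: the agent's prompt is partly attacker-controllable text.
          # Placeholders; replace with the repository's real commands.
          allowed_tools: "Bash(make lint),Bash(make test)"
```

The `if:` condition on the comment body is a cost control, not a trust boundary; what actually limits who can drive the agent is the write-access check (enforced by the action and repeated in the expression) and what bounds the blast radius is the narrow `allowed_tools` list plus the read-only token scopes. The action version note in the review above is about consistency; for supply-chain hygiene pin both `actions/checkout` and the Claude action to full commit SHAs rather than moving tags.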
