CI/CD with Claude Code
How Anthropic's three GitHub Actions let coding agents review PRs, triage issues, run security audits, and execute arbitrary automation inside CI/CD pipelines.
| Actions | anthropics/claude-code-action, anthropics/claude-code-base-action, anthropics/claude-code-security-review |
| Runtime | TypeScript on Bun, Claude Agent SDK |
| Providers | Anthropic API, Bedrock, Vertex AI, Foundry |
| Trigger surface | Issues, PRs, comments, reviews, workflow_dispatch, schedule, workflow_run |
| License | MIT |
The three-action architecture
Anthropic ships three GitHub Actions for running Claude Code in CI/CD. Each addresses a different trust boundary and use case.
claude-code-action is the high-level, batteries-included action. It responds to @claude mentions on issues and pull requests, handles actor permission checks, restores trusted configuration from the base branch in PR contexts, and manages the full lifecycle — branch creation, code changes, progress tracking, and cleanup. It is the action to use when processing untrusted input from issues or external PRs.
claude-code-base-action is the programmable engine underneath. It is a thin wrapper that installs Claude Code and runs it with a prompt. No permission checks, no configuration restoration, no security boundaries. Use it for scheduled automation, workflow_dispatch triggers, and any scenario where the prompt and working directory are already trusted.
claude-code-security-review is a specialized security scanner. It takes a PR diff, runs a deep semantic analysis with Claude Code, filters false positives through a two-stage pipeline, and posts inline review comments on the affected lines. It is available both as a GitHub Action and as the /security-review slash command inside Claude Code.
claude-code-action: mention-driven automation
The primary entry point for most teams is tagging @claude on an issue or PR comment. The action detects the mention, gathers full context via GitHub’s GraphQL API, and dispatches Claude Code to implement changes, answer questions, or triage the issue.
It operates in two modes. Tag mode activates on @claude mentions, issue assignments, or label triggers. It creates a tracking comment with live progress checkboxes, fetches the full conversation and code diff, and opens a branch for changes. Claude’s tool access is scoped — it can read files, search the repo, and edit code, but WebSearch and WebFetch are disabled by default. The --permission-mode acceptEdits setting auto-approves edits inside $GITHUB_WORKSPACE and denies anything outside it.
Agent mode activates when an explicit prompt input is provided. No tracking comment, no mention needed — Claude executes the prompt directly against the repository. This mode supports PR review with inline comments, scheduled tasks, and workflow_dispatch automation.
Security boundaries in tag mode are substantive. The action uses the original body and title from the webhook payload and filters comments to those posted before the trigger timestamp, preventing TOCTOU attacks where an attacker edits content after the action fires. On pull requests, .claude/ and .mcp.json from the checkout are discarded and restored from the base branch, since those files are attacker-controlled in PR contexts.
name: Claude Code PR Review
on:
issue_comment:
types: [created]
permissions:
contents: write
pull-requests: write
issues: write
id-token: write
jobs:
claude:
if: contains(github.event.comment.body, '@claude')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} The action emits several outputs for downstream steps: branch_name, session_id, execution_file, structured_output, and github_token. The session ID enables resuming conversations across workflow runs with --resume.
claude-code-base-action: programmable workflows
When the @claude pattern is too much framework, the base action gives direct access to Claude Code with a single prompt. It validates authentication, writes settings, installs plugins, and invokes the Claude Agent SDK — nothing more.
This makes it well-suited for scheduled jobs and custom automation where the trigger is a cron schedule or an upstream workflow_run, not a user comment. An issue triage workflow can use the GitHub MCP server to let Claude search for duplicates, apply labels, and close resolved issues without posting a tracking comment.
name: Nightly Issue Triage
on:
schedule:
- cron: '37 3 * * *'
permissions:
contents: read
issues: write
jobs:
triage:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: anthropics/claude-code-base-action@beta
with:
prompt: |
Review open issues labeled "triage".
For each: check if a duplicate exists, suggest the right label,
and close any that are resolved by recent commits.
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
claude_args: >
--mcp-config '{"mcpServers":{"github":{"command":"docker",
"args":["run","-i","--rm","-e","GITHUB_PERSONAL_ACCESS_TOKEN",
"ghcr.io/github/github-mcp-server"]}}}'
--max-turns 15 The base action also supports prompt files (prompt_file), structured output via --json-schema, plugin installation at runtime, and custom model selection through --model and --fallback-model flags. All cloud providers (Bedrock, Vertex, Foundry) are available through OIDC authentication, removing the need for long-lived API keys in secrets.
claude-code-security-review: semantic security analysis
Traditional SAST tools match patterns. They flag innerHTML in JavaScript, subprocess.call in Python, or string concatenation in SQL — and produce noise that teams learn to ignore.
The security review action uses Claude Code to reason about exploitability. It reads the full repository context, traces data flow across files, and understands framework-level protections. React’s built-in XSS escaping, Prisma’s parameterized queries, AWS Cognito’s token validation — these are invisible to pattern matchers but legible to a model that has read the framework source.
The action follows a structured pipeline: fetch the PR diff from the GitHub API, build a security audit prompt, invoke Claude Code with full repository access, parse the structured JSON response, filter findings through a two-stage pipeline (regex-based hard exclusion rules followed by optional Claude API-based secondary judgment with confidence scoring), and post surviving findings as inline review comments.
name: Security Review
on:
pull_request:
permissions:
contents: read
pull-requests: write
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 2
- uses: anthropics/claude-code-security-review@main
with:
claude-api-key: ${{ secrets.CLAUDE_API_KEY }} The fetch-depth: 2 is load-bearing. It ensures the diff covers only the PR’s changes, not the entire commit history.
Each finding includes file path, line number, severity (HIGH/MEDIUM/LOW), category, exploit scenario, and remediation guidance. Findings are deduplicated across pushes to the same PR via caching, and a reservation marker prevents race conditions when multiple workflow runs fire concurrently.
When to use which
| Scenario | Action |
|---|---|
Respond to @claude on issues and PRs | claude-code-action |
| PR review with inline comments | claude-code-action (agent mode) |
| Scheduled automation, cron jobs | claude-code-base-action |
| Custom workflow with specific tool restrictions | claude-code-base-action |
| Security audit on every PR | claude-code-security-review |
| One-off security analysis (no CI) | /security-review slash command |
Takeaways
Three actions, three trust levels
claude-code-action handles untrusted issue/PR input with security boundaries. claude-code-base-action is the unopinionated engine for trusted automation. claude-code-security-review is a specialized semantic security scanner.
Mention-driven automation lowers the barrier
Tagging @claude on an issue or PR triggers a full agent session with context gathering, code changes, and progress tracking — no custom workflow wiring needed.
Semantic review catches what pattern matchers miss
The security review action reasons about code intent and data flow, not just syntax patterns. Two-stage false-positive filtering keeps the signal clean.
Multi-cloud provider support is built in
All three actions support Anthropic API, AWS Bedrock, Google Vertex AI, and Microsoft Foundry, with OIDC-based authentication for cloud providers.