All articles
agentic systems ·

CI/CD with Claude Code

How Anthropic's three GitHub Actions let coding agents review PRs, triage issues, run security audits, and execute arbitrary automation inside CI/CD pipelines.

agentsautomationci-cdclaude-codegithub-actionssecurityworkflows
At a glance
Actionsanthropics/claude-code-action, anthropics/claude-code-base-action, anthropics/claude-code-security-review
RuntimeTypeScript on Bun, Claude Agent SDK
ProvidersAnthropic API, Bedrock, Vertex AI, Foundry
Trigger surfaceIssues, PRs, comments, reviews, workflow_dispatch, schedule, workflow_run
LicenseMIT

The three-action architecture

Anthropic ships three GitHub Actions for running Claude Code in CI/CD. Each addresses a different trust boundary and use case.

claude-code-action is the high-level, batteries-included action. It responds to @claude mentions on issues and pull requests, handles actor permission checks, restores trusted configuration from the base branch in PR contexts, and manages the full lifecycle — branch creation, code changes, progress tracking, and cleanup. It is the action to use when processing untrusted input from issues or external PRs.

claude-code-base-action is the programmable engine underneath. It is a thin wrapper that installs Claude Code and runs it with a prompt. No permission checks, no configuration restoration, no security boundaries. Use it for scheduled automation, workflow_dispatch triggers, and any scenario where the prompt and working directory are already trusted.

claude-code-security-review is a specialized security scanner. It takes a PR diff, runs a deep semantic analysis with Claude Code, filters false positives through a two-stage pipeline, and posts inline review comments on the affected lines. It is available both as a GitHub Action and as the /security-review slash command inside Claude Code.

Loading diagram…

claude-code-action: mention-driven automation

The primary entry point for most teams is tagging @claude on an issue or PR comment. The action detects the mention, gathers full context via GitHub’s GraphQL API, and dispatches Claude Code to implement changes, answer questions, or triage the issue.

It operates in two modes. Tag mode activates on @claude mentions, issue assignments, or label triggers. It creates a tracking comment with live progress checkboxes, fetches the full conversation and code diff, and opens a branch for changes. Claude’s tool access is scoped — it can read files, search the repo, and edit code, but WebSearch and WebFetch are disabled by default. The --permission-mode acceptEdits setting auto-approves edits inside $GITHUB_WORKSPACE and denies anything outside it.

Agent mode activates when an explicit prompt input is provided. No tracking comment, no mention needed — Claude executes the prompt directly against the repository. This mode supports PR review with inline comments, scheduled tasks, and workflow_dispatch automation.

Security boundaries in tag mode are substantive. The action uses the original body and title from the webhook payload and filters comments to those posted before the trigger timestamp, preventing TOCTOU attacks where an attacker edits content after the action fires. On pull requests, .claude/ and .mcp.json from the checkout are discarded and restored from the base branch, since those files are attacker-controlled in PR contexts.

Loading diagram…
claude-code-pr-review.yml yaml
name: Claude Code PR Review
on:
  issue_comment:
    types: [created]
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write
jobs:
  claude:
    if: contains(github.event.comment.body, '@claude')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

The action emits several outputs for downstream steps: branch_name, session_id, execution_file, structured_output, and github_token. The session ID enables resuming conversations across workflow runs with --resume.

claude-code-base-action: programmable workflows

When the @claude pattern is too much framework, the base action gives direct access to Claude Code with a single prompt. It validates authentication, writes settings, installs plugins, and invokes the Claude Agent SDK — nothing more.

This makes it well-suited for scheduled jobs and custom automation where the trigger is a cron schedule or an upstream workflow_run, not a user comment. An issue triage workflow can use the GitHub MCP server to let Claude search for duplicates, apply labels, and close resolved issues without posting a tracking comment.

scheduled-triage.yml yaml
name: Nightly Issue Triage
on:
  schedule:
    - cron: '37 3 * * *'
permissions:
  contents: read
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: anthropics/claude-code-base-action@beta
        with:
          prompt: |
            Review open issues labeled "triage".
            For each: check if a duplicate exists, suggest the right label,
            and close any that are resolved by recent commits.
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          claude_args: >
            --mcp-config '{"mcpServers":{"github":{"command":"docker",
            "args":["run","-i","--rm","-e","GITHUB_PERSONAL_ACCESS_TOKEN",
            "ghcr.io/github/github-mcp-server"]}}}'
            --max-turns 15

The base action also supports prompt files (prompt_file), structured output via --json-schema, plugin installation at runtime, and custom model selection through --model and --fallback-model flags. All cloud providers (Bedrock, Vertex, Foundry) are available through OIDC authentication, removing the need for long-lived API keys in secrets.

claude-code-security-review: semantic security analysis

Traditional SAST tools match patterns. They flag innerHTML in JavaScript, subprocess.call in Python, or string concatenation in SQL — and produce noise that teams learn to ignore.

The security review action uses Claude Code to reason about exploitability. It reads the full repository context, traces data flow across files, and understands framework-level protections. React’s built-in XSS escaping, Prisma’s parameterized queries, AWS Cognito’s token validation — these are invisible to pattern matchers but legible to a model that has read the framework source.

The action follows a structured pipeline: fetch the PR diff from the GitHub API, build a security audit prompt, invoke Claude Code with full repository access, parse the structured JSON response, filter findings through a two-stage pipeline (regex-based hard exclusion rules followed by optional Claude API-based secondary judgment with confidence scoring), and post surviving findings as inline review comments.

security-review.yml yaml
name: Security Review
on:
  pull_request:
permissions:
  contents: read
  pull-requests: write
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 2
      - uses: anthropics/claude-code-security-review@main
        with:
          claude-api-key: ${{ secrets.CLAUDE_API_KEY }}

The fetch-depth: 2 is load-bearing. It ensures the diff covers only the PR’s changes, not the entire commit history.

Each finding includes file path, line number, severity (HIGH/MEDIUM/LOW), category, exploit scenario, and remediation guidance. Findings are deduplicated across pushes to the same PR via caching, and a reservation marker prevents race conditions when multiple workflow runs fire concurrently.

When to use which

ScenarioAction
Respond to @claude on issues and PRsclaude-code-action
PR review with inline commentsclaude-code-action (agent mode)
Scheduled automation, cron jobsclaude-code-base-action
Custom workflow with specific tool restrictionsclaude-code-base-action
Security audit on every PRclaude-code-security-review
One-off security analysis (no CI)/security-review slash command

Takeaways

Three actions, three trust levels

claude-code-action handles untrusted issue/PR input with security boundaries. claude-code-base-action is the unopinionated engine for trusted automation. claude-code-security-review is a specialized semantic security scanner.

Mention-driven automation lowers the barrier

Tagging @claude on an issue or PR triggers a full agent session with context gathering, code changes, and progress tracking — no custom workflow wiring needed.

Semantic review catches what pattern matchers miss

The security review action reasons about code intent and data flow, not just syntax patterns. Two-stage false-positive filtering keeps the signal clean.

Multi-cloud provider support is built in

All three actions support Anthropic API, AWS Bedrock, Google Vertex AI, and Microsoft Foundry, with OIDC-based authentication for cloud providers.