Summary
Running /install-github-app generates two workflows — .github/workflows/claude.yml and .github/workflows/claude-code-review.yml — that are functionally no-ops out of the box due to two independent defects. The review workflow runs on every PR, consumes a full agent run, and posts nothing; users only discover this by opening the Actions logs.
Generated with Claude Code CLI 2.1.162, using anthropics/claude-code-action@v1.
Defect 1 — review prompt is missing --comment, so nothing is ever posted
The generated claude-code-review.yml invokes:
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
But the code-review plugin command (from the anthropics/claude-code.git marketplace) gates all PR commenting behind a --comment argument. Its step 7 reads verbatim:
If --comment argument was NOT provided, stop here. Do not post any GitHub comments.
So as generated, the workflow reviews each PR and then stops at the terminal summary — no inline comments, no summary comment. The integration silently appears to do nothing.
Fix: the generated prompt should include --comment:
prompt: '/code-review:code-review --comment ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
Defect 2 — generated job permissions are read-only, diverging from the documented examples
Both generated workflows scope the job token read-only:
# claude-code-review.yml (generated)
permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write

# claude.yml (generated)
permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write
  actions: read
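This diverges from the repo's own examples, which use write scopes:
- examples/claude.yml → contents: write, pull-requests: write, issues: write
- examples/pr-review-comprehensive.yml → pull-requests: write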
Nuance / open question: when the official Claude GitHub App is installed (which /install-github-app does), docs/security.md indicates GitHub writes go through the app installation token (Contents/PRs/Issues Read & Write), and action.yml's output is documented as the "Claude App token if available". If that token is what posts comments, the read-only workflow permissions: block may not actually block posting — in which case the generated read-only scopes are merely inconsistent with the examples rather than strictly broken. It would help to clarify in the docs which token is used for comment-posting, and to make the generated templates consistent with whichever is correct.
Repro
- In any repo, run /install-github-app and complete the OAuth flow.
- Inspect the two generated workflow files on the PR it opens.
- Observe: review prompt lacks --comment; both permissions: blocks are read-only.
- Merge and open a test PR → the Claude Code Review job runs green but posts no review.
Suggested fix
The /install-github-app generator should emit:
- --comment in the claude-code-review.yml review prompt, and
- write scopes matching the documented examples (pull-requests: write for the review workflow; contents/pull-requests/issues: write for claude.yml).
Happy to send a PR if useful.
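
An added example, not part of the original issue and not the project's own code: a small check that flags both conditions described above in a generated workflow file before it is merged. The function names and the job layout in the sample are assumptions; the expected write scopes are the ones the issue attributes to the documented examples, and a finding on scopes reports the divergence only, since the issue leaves open which token posts comments.

```python
import re

# Scopes that, per the issue, the documented examples grant as "write".
EXPECTED_WRITE = {"claude-code-review.yml": {"pull-requests"},
                  "claude.yml": {"contents", "pull-requests", "issues"}}

def parse_permissions(text):
    # Read the first `permissions:` mapping line by line (no YAML library).
    perms, indent = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        cur = len(line) - len(line.lstrip())
        if indent is None:
            if stripped == "permissions:":
                indent = cur
        elif cur <= indent:
            break  # dedent: left the permissions mapping
        else:
            key, _, value = stripped.partition(":")
            perms[key.strip()] = value.split("#")[0].strip()
    return perms

def audit_workflow(name, text):
    """Return findings for the two defects described in the issue."""
    findings = []
    for prompt in re.findall(r"^\s*prompt:\s*(.+)$", text, re.M):
        if "/code-review:code-review" in prompt and "--comment" not in prompt.split():
            findings.append("review prompt lacks --comment")
    perms = parse_permissions(text)
    for scope in sorted(EXPECTED_WRITE.get(name, ())):
        if perms.get(scope) != "write":
            findings.append(f"{scope}: {perms.get(scope, 'unset')} (examples use write)")
    return findings

# Constructed sample: prompt and permissions from the issue, hypothetical job layout.
SAMPLE_REVIEW = """\
jobs:
  claude-review:
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
"""
```

Calling `audit_workflow("claude-code-review.yml", SAMPLE_REVIEW)` returns one finding for the prompt and one for the `pull-requests` scope.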