Claude Code Mastery Part 8: Production Workflows

claude
/install-github-app

name: Claude Code Assistant

on:
  issue_comment:
    types: [created]
  pull_request:
    types: [opened, synchronize]
  issues:
    types: [opened, labeled]

permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

@claude implement this feature following our auth patterns

@claude investigate why users are seeing timeout errors in the checkout flow

@claude review this PR for security issues

@claude explain why this approach was chosen over using a state machine

@claude can you refactor this to use async/await instead of callbacks?

@claude add tests for the edge cases you identified

on:
  issue_comment:
    types: [created]

on:
  pull_request:
    types: [opened, synchronize]

- uses: anthropics/claude-code-action@v1
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
    prompt: "Review this PR for security vulnerabilities, performance issues, and adherence to our coding standards"

on:
  issues:
    types: [opened, labeled]

on:
  schedule:
    - cron: '0 9 * * 1'  # Every Monday at 9 AM

jobs:
  automated-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm run lint
      - run: npm run typecheck
      - run: npm run test

  ai-review:
    needs: automated-checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: |
            Review this PR for:
            1. Logic errors the linter wouldn't catch
            2. Architecture and design concerns
            3. Performance implications
            4. Missing edge cases

            Automated checks already passed. Focus on higher-level review.

1. Requirements Phase
   └── Create detailed issue with acceptance criteria
   └── @claude to create implementation plan
   └── Review and refine plan

2. Implementation Phase
   └── Approve plan → Claude creates PR
   └── Automated tests run
   └── Human review

3. Merge Phase
   └── Final approval
   └── Merge and deploy

## Feature: User Export

### Requirements
- Export user data as CSV or JSON
- Include: name, email, signup date, last login
- Admins only
- Max 10,000 records per export

### Acceptance Criteria
- [ ] Export button on admin dashboard
- [ ] Format selection (CSV/JSON)
- [ ] Progress indicator for large exports
- [ ] Download link sent via email for exports > 1000 records

@claude implement this following our existing export patterns in src/exports/

## Bug: Checkout fails for international addresses

### Reproduction
1. Add item to cart
2. Enter shipping address with non-US country
3. Click "Continue to Payment"
4. Error: "Invalid address format"

### Expected
Checkout should accept international addresses

@claude investigate and fix this bug

jobs:
  security-review:
    if: contains(github.event.pull_request.changed_files, 'auth/') ||
        contains(github.event.pull_request.changed_files, 'payments/')
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: |
            CRITICAL SECURITY REVIEW

            This PR modifies authentication or payment code.
            Perform a thorough security audit:
            - Check for injection vulnerabilities
            - Verify authentication/authorization
            - Look for data exposure risks
            - Validate input sanitization

            Flag any concerns for human review before merge.

# Team Project Standards

## @claude Triggers
When responding to GitHub mentions:
- `@claude review` - Full code review with security focus
- `@claude implement` - Create PR from issue description
- `@claude fix` - Investigate and patch bugs
- `@claude explain` - Explain code or architecture decisions
- `@claude triage` - Analyze and label new issues

## PR Requirements
- All PRs require passing tests before Claude review
- Security-critical changes require human approval
- Database migrations require team lead review

## Coding Conventions
[Your existing coding standards...]

## Restricted Areas
Do not automatically modify:
- config/production.json - Requires manual review
- database/migrations/ - Requires team lead approval
- src/auth/ - Security-critical, flag for review
- src/payments/ - PCI compliance, flag for review

permissions:
  contents: read        # Can read files
  pull-requests: write  # Can comment on PRs
  issues: write         # Can comment on issues
  # Note: Cannot merge PRs without additional config

- uses: anthropics/claude-code-action@v1
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

- uses: anthropics/claude-code-action@v1
  with:
    provider: bedrock
    aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws_region: us-east-1

- uses: anthropics/claude-code-action@v1
  with:
    provider: vertex
    gcp_project_id: ${{ secrets.GCP_PROJECT_ID }}
    gcp_region: us-central1

- uses: anthropics/claude-code-action@v1
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
    max_tokens: 4096

on:
  pull_request:
    types: [opened]  # Only on open, not on every push
    paths:
      - 'src/**'     # Only when source files change
      - '!**.md'     # Ignore documentation changes

on:
  pull_request:
    types: [labeled]

jobs:
  claude-review:
    if: github.event.label.name == 'needs-ai-review'

# Vague (worse results)
@claude review this

# Specific (better results)
@claude review this PR for SQL injection vulnerabilities
in the new user search endpoint, focusing on the query
construction in src/api/users.ts

@claude implement this feature

This should follow the same patterns as our existing
export functionality in src/exports/. Use the ExportJob
queue for async processing like we do for report generation.

@claude that's close, but we need to handle the case
where the user has no email address. Can you add a
fallback to use their username instead?

## Team @claude Commands Reference

- `@claude review` — Full code review — Use on all PRs
- `@claude security` — Security-focused review — Use on auth/payment changes
- `@claude implement` — Create implementation — Use on feature issues
- `@claude fix` — Investigate and patch — Use on bug issues
- `@claude explain` — Explain code/decisions — Use for onboarding, complex PRs

## In CLAUDE.md

When reviewing or implementing changes that touch:
- src/auth/
- src/payments/
- config/production.json
- database/migrations/

DO NOT make changes directly. Instead:
1. Flag the file as security-critical
2. Describe what changes would be needed
3. Request human review before any modifications

# Install GitHub integration
/install-github-app

# Workflow file location
.github/workflows/claude.yml

@claude review              # Code review
@claude review security     # Security-focused review
@claude implement          # Create PR from issue
@claude fix                # Investigate and patch bug
@claude explain            # Explain code/decisions
@claude add tests          # Add test coverage
@claude refactor           # Improve code quality

on:
  issue_comment:           # @claude mentions
  pull_request:           # Automatic PR review
  issues:                 # Issue triage
  schedule:               # Scheduled maintenance

anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: "Your instructions here"
max_tokens: 4096