codyswanngt/claude-code-action
.claude/skills/claude-code-action/SKILL.md
Knowledge base for creating and configuring Claude Code Action GitHub workflows
$ install --global
skillsauthnpx skillsauth add codyswanngt/lisa claude-code-actionInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 12, 2026, 3:01 AM6.5s2 files scanned
SKILL.md
- name:
- claude-code-action
- description:
- Knowledge base for creating and configuring Claude Code Action GitHub workflows
Claude Code Action Workflow Guide
Reference guide for creating anthropics/claude-code-action@v1 GitHub workflows.
Authentication
Choose one authentication method:
| Method | Input | Use Case |
|--------|-------|----------|
| OAuth Token | claude_code_oauth_token | Recommended for most setups (requires Claude Pro or Max) |
| API Key | anthropic_api_key | Direct Anthropic API key from console.anthropic.com |
| AWS Bedrock | aws_access_key_id + aws_secret_access_key | AWS-hosted Claude |
| GCP Vertex | gcp_project_id + gcp_region + gcp_workload_identity_provider | Google Cloud Claude |
Getting CLAUDE_CODE_OAUTH_TOKEN
Requires a Claude Pro or Max subscription.
- Run locally:
claude setup-token - Copy the output token
- Add it as a GitHub repository secret:
Paste the token when prompted.gh secret set CLAUDE_CODE_OAUTH_TOKEN
On macOS, Claude Code stores credentials in the encrypted Keychain (not a plain file). The setup-token command is the official way to extract a token for CI use.
Repository Configuration
| Name | Type | Required For | How to Set |
|------|------|-------------|------------|
| CLAUDE_CODE_OAUTH_TOKEN | Secret | All Claude workflows | gh secret set CLAUDE_CODE_OAUTH_TOKEN |
| ENABLE_CLAUDE_NIGHTLY | Variable | Nightly workflows (opt-in) | gh variable set ENABLE_CLAUDE_NIGHTLY --body "true" |
Workflow Patterns
Interactive (PR/Issue mentions)
Triggered when users mention @claude in comments, reviews, or issues.
on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]
CI Auto-Fix (Automation)
Triggered when a CI workflow fails. Automatically fixes the code.
on:
workflow_run:
workflows: ["CI Quality Checks"]
types: [completed]
Guard against infinite loops:
if: |
github.event.workflow_run.conclusion == 'failure' &&
!startsWith(github.event.workflow_run.head_branch, 'claude-auto-fix-') &&
github.event.workflow_run.head_branch != 'main' &&
github.event.workflow_run.head_branch != 'staging' &&
github.event.workflow_run.head_branch != 'dev'
Nightly/Scheduled
Runs on a cron schedule for maintenance tasks (test improvement, coverage).
on:
schedule:
- cron: '0 3 * * 1-5' # 3 AM UTC weekdays
workflow_dispatch:
Use opt-in guard:
if: vars.ENABLE_CLAUDE_NIGHTLY == 'true'
Standard Permissions Block
permissions:
contents: write
pull-requests: write
issues: write
actions: read
id-token: write
Tool Allowlisting
Standard allowedTools for Lisa projects:
Edit,MultiEdit,Write,Read,Glob,Grep,Bash(git:*),Bash(npm:*),Bash(npx:*),Bash(bun:*),Bash(yarn:*),Bash(pnpm:*),Bash(gh:*)
This covers:
- File operations: Edit, MultiEdit, Write, Read, Glob, Grep
- Git:
Bash(git:*)-- commit, push, branch, etc. - Package managers: npm, npx, bun, yarn, pnpm
- GitHub CLI:
Bash(gh:*)-- create PRs, issues, etc.
Key Inputs
| Input | Required | Description |
|-------|----------|-------------|
| prompt | No | Task instructions for Claude |
| claude_code_oauth_token | Yes* | OAuth token for authentication |
| claude_args | No | CLI args: --allowedTools, --max-turns, --system-prompt, --mcp-config |
| branch_prefix | No | Prefix for auto-created branches (e.g., claude/nightly-) |
| additional_permissions | No | Extra GitHub permissions (e.g., actions: read) |
| max_turns | No | Max agentic turns (via claude_args --max-turns) |
| track_progress | No | Enable progress tracking comments |
| allowed_bots | No | Comma-separated bot names allowed to trigger |
| allowed_non_write_users | No | Users without write access who can trigger |
MCP Configuration
Pass MCP server config via claude_args:
claude_args: |
--mcp-config .mcp.json
Pass secrets to MCP servers via environment variables in the workflow.
Patterns
Duplicate PR Prevention
Before running nightly workflows, check for existing open PRs:
- name: Check for existing PR
id: check-pr
uses: actions/github-script@v7
with:
script: |
const pulls = await github.rest.pulls.list({
owner: context.repo.owner,
repo: context.repo.repo,
state: 'open',
per_page: 100,
});
const existing = pulls.data.find(pr =>
pr.head.ref.startsWith('claude/nightly-') &&
pr.title.toLowerCase().includes('your-keyword')
);
core.setOutput('has_existing_pr', existing ? 'true' : 'false');
- name: Run Claude
if: steps.check-pr.outputs.has_existing_pr != 'true'
uses: anthropics/claude-code-action@v1
Cost Control
Use --max-turns to limit API usage:
claude_args: |
--max-turns 25
Recommended limits:
- Interactive (PR/issue): No limit (user-driven)
- CI auto-fix: 25 turns
- Nightly workflows: 40 turns
Security
- Never hardcode secrets in workflow files
- Use
${{ secrets.* }}for all sensitive values - Sanitize dynamic content in prompts to prevent injection
- Use
allowed_botsto control which bots can trigger Claude
Related Skills
codyswanngt/lisa-wiki-onboard-me
documentation
VerifiedTrustedCommunity
Onboard a user to the project via its LLM Wiki. Interviews the user about themselves in relation to the project, captures that to project-scoped memory only, then gives a guided tour of what the project is and sample questions they can ask. Use when someone is new to the project or asks to be onboarded. Read-mostly — it does not open PRs or write PII into the wiki.
1SKILL.mdUpdated Jun 5, 2026
codyswanngt/lisa-wiki-migrate
documentation
VerifiedTrustedCommunity
Migrate an existing, hand-rolled wiki implementation onto the lisa-wiki kernel — phased and compatibility-first, with a strict no-loss guarantee. Use when adopting lisa-wiki in a repo that already has its own wiki/, ingest skills, docs, or roles. Renaming things into the canonical shape is fine; losing functionality or data is not. Ends by running /doctor.
1SKILL.mdUpdated Jun 5, 2026
codyswanngt/lisa-wiki-lint
development
VerifiedTrustedCommunity
Health-check the LLM Wiki. Reports orphan pages, contradictions, stale claims, broken internal links, missing index/log coverage, structure-manifest violations, and secret/tenant leaks. Use periodically or before hardening a wiki. Read-only — it reports findings, it does not fix them.
1SKILL.mdUpdated Jun 5, 2026
codyswanngt/lisa-wiki-ingest
testing
VerifiedTrustedCommunity
Ingest source material into the LLM Wiki. With an argument (URL, file path, or prompt) it ingests that one source; with no argument it runs a full ingest across every enabled non-external-write source. Routes to the right connector, then runs the ordered pipeline (source note → synthesis → index → log → verify → state → commit/PR). Use whenever new knowledge should enter the wiki.
1SKILL.mdUpdated Jun 5, 2026