🚵 [claude] Add Claude Code GitHub Workflow (#5)

* "Claude PR Assistant workflow"
* "Claude Code Review workflow"
* better security
* adopt Claude with /init

Author: chicks-net

.claude/settings.local.json

@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(hugo:*)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

.github/workflows/claude-code-review.yml

@@ -0,0 +1,60 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    # Optional: Only run on specific file changes
+    # paths:
+    #   - "src/**/*.ts"
+    #   - "src/**/*.tsx"
+    #   - "src/**/*.js"
+    #   - "src/**/*.jsx"
+
+# global permissions
+permissions: {}
+
+jobs:
+  claude-review:
+    # Optional: Filter by PR author
+    # if: |
+    #   github.event.pull_request.user.login == 'external-contributor' ||
+    #   github.event.pull_request.user.login == 'new-developer' ||
+    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+    
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number }}
+
+            Please review this pull request and provide feedback on:
+            - Code quality and best practices
+            - Potential bugs or issues
+            - Performance considerations
+            - Security concerns
+            - Test coverage
+            
+            Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
+
+            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
+          
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.claude.com/en/docs/claude-code/sdk#command-line for available options
+          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
+

.github/workflows/claude.yml

@@ -0,0 +1,53 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+# global permissions
+permissions: {}
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+          # prompt: 'Update the pull request description to include a summary of changes.'
+
+          # Optional: Add claude_args to customize behavior and configuration
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.claude.com/en/docs/claude-code/sdk#command-line for available options
+          # claude_args: '--model claude-opus-4-1-20250805 --allowed-tools Bash(gh pr:*)'
+

CLAUDE.md

@@ -0,0 +1,53 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+This is a Hugo-based static website for the FINI Domain Trust project, which maintains domain ownership to prevent spam and abuse. The site is published to GitHub Pages via GitHub Actions.
+
+## Architecture
+
+- **Hugo Site Root**: `trust/` directory contains all Hugo configuration and content
+- **Theme**: Uses the Ananke theme as a git submodule at `trust/themes/ananke`
+- **Published Output**: `trust/public/` directory (symlinked as `html` at repo root)
+- **GitHub Pages**: Automated deployment via `.github/workflows/github-pages.yml` which pushes `trust/public` to the `gh-pages` branch on every push to `main`
+
+## Common Commands
+
+All Hugo commands must be run from the `trust/` directory:
+
+```bash
+cd trust
+
+# Build the site (generates static files in public/)
+hugo
+
+# Run development server with live reload
+hugo server
+
+# Run development server with drafts visible
+hugo server -D
+
+# Clean build artifacts
+rm -rf public/ resources/
+```
+
+## Content Structure
+
+- **Main Content**: `trust/content/_index.md` is the homepage
+- **Configuration**: `trust/hugo.toml` contains site configuration and social links
+- **Static Assets**: `trust/static/` for images and other static files
+- **Archetypes**: `trust/archetypes/default.md` for content templates
+
+## Git Submodules
+
+The Ananke theme is included as a git submodule. When cloning fresh or after theme updates:
+
+```bash
+git submodule update --init --recursive
+```
+
+## Deployment
+
+The site automatically deploys to GitHub Pages when changes are pushed to `main`. The workflow builds Hugo if needed (though currently commented out) and publishes `trust/public/` to the `gh-pages` branch.