Integrating Claude Code into a CI/CD pipeline makes automated code review, PR description generation and test coverage analysis possible: tasks that used to need a person can now be fully automated.

Pattern 1: Automated PR code review

When a PR is opened, a Claude Code review is triggered automatically and the result is posted as a comment on the PR.
```yaml
# .github/workflows/claude-review.yml
name: Claude Code Review
on:
  pull_request:
    types: [opened, synchronize]
    paths:
      - 'src/**'
      - '*.ts'
      - '*.tsx'
jobs:
  review:
    runs-on: ubuntu-latest
    permissions: # least privilege: the job only reads code and comments on the PR
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history is needed to generate the diff
      - name: 安装 Claude Code
        run: npm install -g @anthropic-ai/claude-code
      - name: 生成 PR diff
        run: git diff origin/main...HEAD > pr_diff.txt
      - name: Claude Code 审查
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} # not exposed to pull_request runs from forks
        run: |
          # The diff is read from the file by the shell. Expanding it through a
          # ${{ env.PR_DIFF }} expression would paste untrusted PR content into
          # this script before it is parsed.
          claude --print --no-stream "
          审查以下 PR 改动,按优先级输出问题:
          $(cat pr_diff.txt)
          输出格式:
          ## 🔴 必须修改
          ## 🟡 建议修改
          ## 💡 可以考虑
          如果没有问题,说'代码质量良好,无重大问题。'
          " > review_result.txt
      - name: 发布审查结果到 PR
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('review_result.txt', 'utf8');
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `## 🤖 Claude Code 自动审查\n\n${review}`
            });
```

Pattern 2: Auto-generated PR descriptions

When a new PR is opened without a description, generate one automatically:
```yaml
# .github/workflows/auto-pr-description.yml
name: Auto PR Description
on:
  pull_request:
    types: [opened]
jobs:
  generate-description:
    runs-on: ubuntu-latest
    if: github.event.pull_request.body == '' # run only when the PR has no description
    permissions:
      contents: read
      pull-requests: write # needed to update the PR body
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: 安装 Claude Code
        run: npm install -g @anthropic-ai/claude-code
      - name: 生成 PR 描述
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          git log origin/main..HEAD --oneline > commits.txt
          git diff origin/main...HEAD --stat > changed_files.txt
          claude --print --no-stream "
          基于以下信息生成 GitHub PR 描述:
          Commits:
          $(cat commits.txt)
          变更文件:
          $(cat changed_files.txt)
          生成 Markdown 格式的 PR 描述,包含:
          ## 改动内容
          ## 改动类型(新功能/Bug修复/重构/文档)
          ## 测试说明
          " > pr_description.txt
      - name: 更新 PR 描述
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const description = fs.readFileSync('pr_description.txt', 'utf8');
            await github.rest.pulls.update({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              body: description
            });
```

Pattern 3: Test coverage analysis and suggestions
```yaml
# .github/workflows/coverage-analysis.yml
name: Coverage Analysis
on:
  pull_request:
    paths: ['src/**']
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write # needed to post the comment
    steps:
      - uses: actions/checkout@v4
      - name: 运行测试并生成覆盖率报告
        run: |
          npm ci
          npm run test:coverage -- --coverage-reporter=json-summary
      - name: Claude Code 分析覆盖率
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          npm install -g @anthropic-ai/claude-code
          claude --print --no-stream "
          分析这个测试覆盖率报告,找出覆盖率低的高风险区域:
          $(cat coverage/coverage-summary.json)
          重点关注:
          1. 覆盖率低于 60% 的文件
          2. 包含业务逻辑但覆盖率低的文件(src/services/, src/lib/)
          3. 给出 3-5 条最优先需要增加测试的建议
          " > coverage_analysis.txt
      - name: 发布覆盖率分析
        uses: actions/github-script@v7
        if: github.event_name == 'pull_request'
        with:
          script: |
            const fs = require('fs');
            const analysis = fs.readFileSync('coverage_analysis.txt', 'utf8');
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `## 📊 测试覆盖率分析\n\n${analysis}`
            });
```

Pattern 4: Security scan automation
```yaml
# .github/workflows/security-scan.yml
name: Security Scan
on:
  pull_request:
    paths: ['src/api/**', 'src/lib/auth/**', 'src/middleware/**']
jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read # this job only reads the checkout; it writes nothing back
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Claude Code 安全审查
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          npm install -g @anthropic-ai/claude-code
          # --diff-filter=ACMR leaves out deleted files, which cannot be read below
          CHANGED_FILES=$(git diff origin/main...HEAD --name-only --diff-filter=ACMR | grep -E '\.(ts|js)$' | head -20)
          : > files_content.txt # make sure the file exists even when nothing matched
          for file in $CHANGED_FILES; do
            echo "=== $file ===" >> files_content.txt
            cat "$file" >> files_content.txt
            echo "" >> files_content.txt
          done
          claude --print --no-stream "
          对以下修改的文件进行安全审查:
          $(cat files_content.txt)
          检查 OWASP Top 10:
          - 注入漏洞(SQL、命令、XSS)
          - 认证和会话管理
          - 敏感数据暴露
          - 权限控制
          如果发现 Critical 或 High 级别问题,在输出开头加上 SECURITY_ALERT。
          " > security_result.txt
      - name: 检查是否有安全警报
        run: |
          if grep -q "SECURITY_ALERT" security_result.txt; then
            echo "::error::发现安全问题,请查看 Security Scan 步骤的详细输出"
            cat security_result.txt
            exit 1
          fi
```

Pattern 5: Automated changelog generation
```yaml
# .github/workflows/changelog.yml
name: Generate Changelog
on:
  push:
    branches: [main]
    tags: ['v*']
jobs:
  changelog:
    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to push the updated CHANGELOG.md
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: 生成变更日志
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          npm install -g @anthropic-ai/claude-code
          # collect the commits from the previous tag up to now
          PREV_TAG=$(git describe --tags --abbrev=0 HEAD~1 2>/dev/null || echo "")
          if [ -n "$PREV_TAG" ]; then
            COMMITS=$(git log $PREV_TAG..HEAD --oneline)
          else
            COMMITS=$(git log --oneline -20)
          fi
          claude --print --no-stream "
          基于以下 commits 生成用户友好的变更日志:
          $COMMITS
          格式:
          ## 新功能 🚀
          ## Bug 修复 🐛
          ## 性能改进 ⚡
          ## 破坏性变更 ⚠️(如果有)
          用非技术语言,从用户角度描述。跳过纯内部或 chore 类 commits。
          " > CHANGELOG_NEW.md
          # prepend the new entries to the existing CHANGELOG
          if [ -f CHANGELOG.md ]; then
            cat CHANGELOG.md >> CHANGELOG_NEW.md
          fi
          mv CHANGELOG_NEW.md CHANGELOG.md
      - name: 提交变更日志
        run: |
          git config user.name "Claude Code Bot"
          git config user.email "claude-bot@example.com"
          git add CHANGELOG.md
          git commit -m "docs: update CHANGELOG [skip ci]" || true
          # on a tag push HEAD is detached, so name the target branch explicitly
          git push origin HEAD:main
```

Security configuration essentials
API key management:
- Add `ANTHROPIC_API_KEY` under GitHub Settings → Secrets and Variables → Actions
- Never hard-code it in the repository and never print it in logs
- Consider an OIDC token instead of a long-lived API key (more secure)

Cost control:
- In CI, use `claude-haiku-4-5` (the cheapest) for simple tasks
- Use `claude-sonnet-4-6` or above for security review
- Use the `--print` flag (non-interactive mode)
- Set a `max_tokens` ceiling to prevent unexpectedly high bills

Rate limits:
- Add retry logic in CI
- When many PRs run concurrently, consider queuing or throttling
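The retry and cost-control points above, together with the diff handling in Pattern 1, can be packaged as one shell wrapper that the `run:` steps call instead of invoking `claude` inline. The script below is an added example, not code from the original article or from Claude Code; the function names (`truncate_diff`, `build_prompt`, `run_with_retry`, `review_pr`) and the knobs `CLAUDE_BIN`, `MAX_DIFF_BYTES`, `MAX_ATTEMPTS` and `BACKOFF_SECONDS` are assumptions of this script, not options of the CLI, and the English prompt text is a rendering of Pattern 1's prompt. It reads the diff from a file so PR content is never expanded as part of the script, caps the diff size so one oversized PR cannot run up the bill, and retries the call with exponential backoff when the CLI exits non-zero.

```bash
#!/usr/bin/env bash
# Added example (not from the original article or from Claude Code): a wrapper
# for the `claude --print` step used in the workflows above.
#   1. The prompt is built from a file with $(cat ...); the Actions expression
#      engine never sees the diff, so PR content is data, not script.
#   2. The diff is capped at MAX_DIFF_BYTES to bound cost per run.
#   3. The CLI call is retried with exponential backoff on non-zero exit
#      (rate limit or transient network error).
# CLAUDE_BIN, MAX_DIFF_BYTES, MAX_ATTEMPTS and BACKOFF_SECONDS are knobs of
# this script (assumed names), not options of Claude Code itself.
set -u

: "${CLAUDE_BIN:=claude}"
: "${MAX_DIFF_BYTES:=60000}"
: "${MAX_ATTEMPTS:=4}"
: "${BACKOFF_SECONDS:=2}"

# truncate_diff SRC DST: copy at most MAX_DIFF_BYTES of SRC into DST.
# Returns 1 (after writing DST) when the input was cut, so the caller can log it.
truncate_diff() {
  local src=$1 dst=$2 size
  size=$(wc -c < "$src" | tr -d ' ')
  if [ "$size" -gt "$MAX_DIFF_BYTES" ]; then
    head -c "$MAX_DIFF_BYTES" "$src" > "$dst"
    printf '\n[diff truncated: first %s of %s bytes shown]\n' \
      "$MAX_DIFF_BYTES" "$size" >> "$dst"
    return 1
  fi
  cp "$src" "$dst"
}

# build_prompt DIFF_FILE: print the review prompt with the diff embedded.
# The shell reads the diff from a file, so text such as $(id) inside a PR
# is passed through literally instead of being evaluated.
build_prompt() {
  local diff_file=$1
  printf '%s\n' \
    "Review the following PR changes and list issues by priority:" \
    "" \
    "$(cat "$diff_file")" \
    "" \
    "Output format:" \
    "## Must fix" \
    "## Should fix" \
    "## Consider" \
    "If there are no issues, say: 'Code quality is good, no major problems.'"
}

# run_with_retry PROMPT_FILE OUT_FILE: call the CLI, retrying with
# exponential backoff until it exits 0 or MAX_ATTEMPTS is reached.
run_with_retry() {
  local prompt_file=$1 out=$2 attempt=1 delay=$BACKOFF_SECONDS
  while :; do
    if "$CLAUDE_BIN" --print "$(cat "$prompt_file")" > "$out"; then
      return 0
    fi
    if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
      echo "claude failed after $attempt attempts" >&2
      return 1
    fi
    echo "attempt $attempt failed, retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
    delay=$((delay * 2))
  done
}

# review_pr DIFF_FILE OUT_FILE: the whole review step as one call.
# Workflow usage: review_pr pr_diff.txt review_result.txt
review_pr() {
  local diff_file=$1 out=$2 work
  work=$(mktemp -d)
  if ! truncate_diff "$diff_file" "$work/diff.txt"; then
    echo "diff exceeded ${MAX_DIFF_BYTES} bytes; review covers the truncated prefix" >&2
  fi
  build_prompt "$work/diff.txt" > "$work/prompt.txt"
  run_with_retry "$work/prompt.txt" "$out"
}
```

In a workflow, source this file in the `Claude Code 审查` step and call `review_pr pr_diff.txt review_result.txt`; the downstream `github-script` step stays unchanged. A truncated diff is flagged both in the job log and inside the prompt, so a review that covers only part of a large PR is visible as such rather than silently incomplete.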
Source: Anthropic Claude Code official documentation | GitHub Actions documentation | Compiled by: ClaudeEagle