Step 1: Trigger event
A PR is opened, an issue is created, or a scheduled job runs in your CI pipeline
Step 2: Claude Code runs headless
The pipeline invokes Claude Code with --print flag and your prompt. No UI, no interaction
Step 3: Task execution
Claude Code reads the codebase, makes changes, and generates output according to the prompt
Step 4: Result delivered
Changes are committed to a branch, a PR comment is posted, or output is piped to the next step
Start with automated PR reviews
The easiest way to get started with Claude Code in CI/CD is automated PR reviews. Add the official GitHub Action to your repo and configure it to review every PR. Claude Code will read the diff, check for bugs, suggest improvements, and post a review comment. This gives you immediate value with minimal setup.
Example: GitHub Action for PR reviews
Add this to .github/workflows/claude-review.yml in your repository:
name: Claude Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: anthropics/claude-code-action@main
with:
prompt: |
Review this PR for bugs, security issues,
and code quality. Post a helpful review.
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}This triggers Claude Code on every PR, reads the diff, and posts a detailed code review as a PR comment.
| Trigger | What Claude Code does | |
|---|---|---|
| PR opened | pull_request: opened | Reviews the diff, checks for bugs, suggests improvements |
| Issue created | issues: opened | Analyzes the issue, attempts a fix, opens a PR with the solution |
| PR comment | issue_comment with @claude | Responds to mentions with code suggestions or explanations |
| Scheduled | schedule: cron | Dependency updates, security audits, documentation refreshes |
Security best practices for CI/CD
Always store your API key as a GitHub Secret, never hardcode it. Use the
--allowedTools flag to restrict what Claude Code can do in CI (for example, prevent it from running arbitrary Bash commands). Configure your pipeline so Claude Code creates PRs for review rather than pushing directly to main. Treat CI generated code with the same review standards as human authored code.