wylab/claude-hub
1
0
Fork 0
forked from claude-did-this/claude-hub
Code Issues 1 Pull Requests Activity
Files
24d849cedd72afc8c839a570dfd82d6485f4592a
claude-hub/README.md
Jonathan Flatt 24d849cedd feat: add brain factory image to assets folder 
- Added brain_factory.png to new assets/ directory
- Updated README to reference image in assets folder
- Maintains proper project structure with dedicated assets location

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-05-27 01:00:47 +00:00

7.8 KiB
Raw Blame History

Claude GitHub Webhook

CI Pipeline Security Scans Jest Tests Code Coverage Node.js Version License

Claude GitHub Webhook brain factory - AI brain connected to GitHub octocat via assembly line of Docker containers

Deploy Claude Code as a GitHub bot. Mention @Claude in any issue or PR, and watch AI-powered code analysis happen in real-time. Production-ready microservice with container isolation, automated PR reviews, and intelligent issue labeling.

What This Does

# In any GitHub issue or PR:
@ClaudeBot explain this code architecture
@ClaudeBot review this PR for security vulnerabilities  
@ClaudeBot suggest performance improvements

Claude analyzes your entire repository context, understands your codebase, and provides expert-level responses directly in GitHub comments. No context switching. No manual copy-paste. Just seamless AI integration where you work.

Key Features

Intelligent Automation 🤖

  • Auto-labeling: New issues automatically tagged by content analysis
  • PR Reviews: Comprehensive code reviews when CI checks pass
  • Context-aware: Claude understands your entire repository structure
  • Stateless execution: Each request runs in isolated Docker containers

Performance Architecture

  • Parallel test execution with strategic runner distribution
  • Conditional Docker builds (only when code changes)
  • Repository caching for sub-second response times
  • Advanced build profiling with timing metrics

Enterprise Security 🔒

  • Webhook signature verification (HMAC-SHA256)
  • AWS IAM role-based authentication
  • Pre-commit credential scanning
  • Container isolation with minimal permissions
  • Fine-grained GitHub token scoping

Quick Start

# Clone and setup
git clone https://github.com/yourusername/claude-github-webhook.git
cd claude-github-webhook
./scripts/setup/setup-secure-credentials.sh

# Launch with Docker Compose
docker compose up -d

Service runs on http://localhost:8082 by default.

Production Deployment

1. Environment Configuration

# Core settings
BOT_USERNAME=@ClaudeBot              # GitHub mention trigger
GITHUB_WEBHOOK_SECRET=<generated>     # Webhook validation
GITHUB_TOKEN=<fine-grained-pat>       # Repository access

# AWS Bedrock (recommended)
AWS_REGION=us-east-1
ANTHROPIC_MODEL=anthropic.claude-3-sonnet-20240229-v1:0
CLAUDE_CODE_USE_BEDROCK=1

# Security
AUTHORIZED_USERS=user1,user2,user3    # Allowed GitHub usernames
CLAUDE_API_AUTH_REQUIRED=1            # Enable API authentication

2. GitHub Webhook Setup

  1. Navigate to Repository → Settings → Webhooks
  2. Add webhook:
    • Payload URL: https://your-domain.com/api/webhooks/github
    • Content type: application/json
    • Secret: Your GITHUB_WEBHOOK_SECRET
    • Events: Select "Send me everything"

3. AWS Authentication Options

# Option 1: IAM Instance Profile (EC2)
# Automatically uses instance metadata

# Option 2: ECS Task Role
# Automatically uses container credentials

# Option 3: AWS Profile
./scripts/aws/setup-aws-profiles.sh

# Option 4: Static Credentials (not recommended)
AWS_ACCESS_KEY_ID=xxx
AWS_SECRET_ACCESS_KEY=xxx

Advanced Usage

Direct API Access

Integrate Claude without GitHub webhooks:

curl -X POST http://localhost:8082/api/claude \
  -H "Content-Type: application/json" \
  -d '{
    "repoFullName": "owner/repo",
    "command": "Analyze security vulnerabilities",
    "authToken": "your-token",
    "useContainer": true
  }'

CLI Tool

# Basic usage
./cli/claude-webhook myrepo "Review the authentication flow"

# PR review
./cli/claude-webhook owner/repo "Review this PR" -p -b feature-branch

# Specific issue
./cli/claude-webhook myrepo "Fix this bug" -i 42

Container Execution Modes

Different operations use tailored security profiles:

  • Auto-tagging: Minimal permissions (Read + GitHub tools only)
  • PR Reviews: Standard permissions (full tool access)
  • Custom Commands: Configurable via --allowedTools flag

Architecture Deep Dive

Request Flow

GitHub Event → Webhook Endpoint → Signature Verification
     ↓                                      ↓
Container Spawn ← Command Parser ← Event Processor
     ↓
Claude Analysis → GitHub API → Comment/Label/Review

Container Lifecycle

  1. Spawn: New Docker container per request
  2. Clone: Repository fetched (or cache hit)
  3. Execute: Claude analyzes with configured tools
  4. Respond: Results posted via GitHub API
  5. Cleanup: Container destroyed, cache updated

Security Layers

  • Network: Webhook signature validation
  • Authentication: GitHub user allowlist
  • Authorization: Fine-grained token permissions
  • Execution: Container isolation
  • Tools: Operation-specific allowlists

Performance Tuning

Repository Caching

REPO_CACHE_DIR=/cache/repos
REPO_CACHE_MAX_AGE_MS=3600000    # 1 hour

Container Optimization

CONTAINER_LIFETIME_MS=7200000     # 2 hour timeout
CLAUDE_CONTAINER_IMAGE=claudecode:latest

CI/CD Pipeline

  • Parallel Jest test execution
  • Docker layer caching
  • Conditional image builds
  • Self-hosted runners for heavy operations

Monitoring & Debugging

Health Check

curl http://localhost:8082/health

Logs

docker compose logs -f webhook

Test Suite

npm test                    # All tests
npm run test:unit          # Unit only
npm run test:integration   # Integration only
npm run test:coverage      # With coverage report

Debug Mode

DEBUG=claude:* npm run dev

Documentation

Contributing

Development Setup

# Install dependencies
npm install

# Setup pre-commit hooks
./scripts/setup/setup-precommit.sh

# Run in dev mode
npm run dev

Code Standards

  • Node.js 20+ with async/await patterns
  • Jest for testing with >80% coverage target
  • ESLint + Prettier for code formatting
  • Conventional commits for version management

Security Checklist

  • No hardcoded credentials
  • All inputs sanitized
  • Webhook signatures verified
  • Container permissions minimal
  • Logs redact sensitive data

Troubleshooting

Common Issues

Webhook not responding

  • Verify signature secret matches
  • Check GitHub token permissions
  • Confirm webhook URL is accessible

Claude timeouts

  • Increase CONTAINER_LIFETIME_MS
  • Check AWS Bedrock quotas
  • Verify network connectivity

Permission denied

  • Confirm user in AUTHORIZED_USERS
  • Check GitHub token scopes
  • Verify AWS IAM permissions

Support

License

MIT - See the LICENSE file for details.

Reference in New Issue View Git Blame Copy Permalink