feat: integrate Claude Code with automated GitLab CI/CD code review

李星穎requested to merge
feature/claude-hook into main

What does this MR do?

Integrates Claude Code into the development workflow by adding workspace configuration and automated code review capabilities via GitLab CI/CD pipeline. This enables AI-powered code reviews to run automatically on merge requests when triggered.

Key additions:

  1. Claude Code workspace settings (.claude/settings.json) - Configures permissions, security boundaries, and plugin integrations
  2. GitLab CI pipeline (.gitlab-ci.yml) - Automates code review process using Claude Code CLI

Why was this MR needed?

This integration enhances the development workflow by:

  • Providing automated, consistent code reviews using AI
  • Integrating with custom big-data-tools plugin marketplace for specialized review capabilities
  • Establishing security boundaries (preventing access to .env* and secrets/**)
  • Enabling developer-suite and git-specialists plugins for enhanced development assistance

The automated code review helps catch potential issues early, maintains code quality standards, and provides structured feedback on security, performance, and maintainability concerns.

How was it implemented?

Claude Code Configuration (.claude/settings.json):

  • Grants permissions for git operations, curl requests, file editing, and reading
  • Explicitly denies access to sensitive files (environment variables, secrets)
  • Enables two plugin suites: developer-suite and git-specialists
  • Configures custom marketplace at https://biglab.buygta.today/resource-plan/claude-code-plugin-marketplace.git

GitLab CI Pipeline (.gitlab-ci.yml):

  • Runs in review stage using node:24-alpine3.21 image
  • Installs Claude Code CLI via npm globally
  • Fetches target branch and generates diff of changes
  • Constructs review prompt with changed files and diff content
  • Invokes Claude Code reviewer sub-agent to analyze changes
  • Posts review comments directly to the merge request via GitLab API
  • Triggered only when CLAUDE_REVIEW=true and MR_IID is set
  • Configured with allow_failure: true to prevent blocking pipelines

Environment Requirements:

  • GITLAB_TOKEN_FOR_CLAUDE_CODE: GitLab personal access token with API permissions
  • CLAUDE_REVIEW: Set to "true" to trigger the review job
  • MR_IID: Merge request IID (automatically provided by GitLab CI)

How to test:

1. Verify Claude Code workspace configuration:

# Clone the repository
git checkout feature/claude-hook

# Verify settings file exists and is valid JSON
cat .claude/settings.json | jq .

# Expected: Valid JSON with permissions, enabledPlugins, and extraKnownMarketplaces

2. Test Claude Code locally (if you have Claude Code CLI installed):

# Check if Claude Code respects the permissions
claude --help

# Verify custom marketplace is accessible (requires authentication)

3. Test GitLab CI pipeline:

# Option A: Create a test merge request
# 1. Create a new branch with some changes
git checkout -b test/claude-review
echo "test" > test-file.txt
git add test-file.txt
git commit -m "test: verify Claude Code review"
git push origin test/claude-review

# 2. Create MR in GitLab UI targeting 'main'
# 3. In the MR, manually trigger pipeline with CLAUDE_REVIEW=true variable
# 4. Check pipeline logs and MR comments for Claude review output

# Option B: Manual pipeline trigger
# 1. Go to CI/CD > Pipelines in GitLab
# 2. Click "Run pipeline"
# 3. Add variable: CLAUDE_REVIEW = true
# 4. Add variable: MR_IID = <your-mr-id>
# 5. Run and observe logs

4. Verify security boundaries:

# Create a test .env file (don't commit!)
echo "SECRET=test123" > .env

# Claude Code should NOT be able to read this file based on deny rules
# (This would need to be tested in an actual Claude Code session)

Expected Results:

  • Settings file loads without errors
  • CI pipeline runs successfully when CLAUDE_REVIEW=true
  • Claude Code posts review comments to the MR
  • Sensitive files (.env, secrets/) remain inaccessible to Claude
  • Pipeline allows failure without blocking other jobs

Files Changed:

New files:

  • .claude/settings.json (26 lines) - Claude Code workspace configuration
  • .gitlab-ci.yml (56 lines) - GitLab CI/CD pipeline definition

Total: 2 files changed, 82 insertions(+)

Technical Notes:

  1. Pipeline Trigger: The review job only runs when explicitly enabled via CLAUDE_REVIEW=true variable to avoid unnecessary API consumption
  2. Non-blocking: allow_failure: true ensures review failures don't block the pipeline
  3. Security: GitLab token must have api scope for posting comments
  4. Language: Pipeline comments include Chinese characters ("確保有目標分支") - consider internationalization if needed
  5. Dependencies: Requires node:24-alpine3.21, git, curl, bash, jq, and Claude Code CLI

Before / After:

Before:

  • Manual code review process only
  • No AI-assisted code analysis
  • No workspace configuration for Claude Code

After:

  • Automated AI-powered code reviews via GitLab CI
  • Configurable Claude Code workspace with security boundaries
  • Integration with custom plugin marketplace
  • Structured feedback on code quality, security, and performance

🤖 Generated with Claude Code

Merge request reports

問題回報系統 / 產品常見問題FAQ