Goal: integrate Claude Code into a CI/CD pipeline to automate code review and test generation
Estimated time: 30 minutes
Corresponding official docs: GitHub Actions, GitLab CI/CD
CI/CD pipeline architecture
Claude Code in CI/CD
Use cases
| Scenario | Description |
|---|---|
| Automated code review | Review code automatically when a PR is opened |
| Test generation | Generate tests automatically for newly added code |
| Documentation updates | Update docs automatically when an API changes |
| Security scanning | Check for potential security vulnerabilities |
| Dependency updates | Automatically review the impact of dependency upgrades |
GitHub Actions integration
Basic configuration
```yaml
# .github/workflows/claude-review.yaml
name: Claude Code Review
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup Claude Code
        uses: anthropic/claude-code-action@v1
        with:
          api-key: ${{ secrets.ANTHROPIC_API_KEY }}
      - name: Run Code Review
        run: |
          claude review-pr \
            --pr ${{ github.event.pull_request.number }} \
            --repo ${{ github.repository }} \
            --output review.md
      - name: Post Review
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('review.md', 'utf8');
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: review
            });
```
Advanced: multi-dimensional review
```yaml
# .github/workflows/claude-advanced-review.yaml
name: Advanced Claude Review
on:
  pull_request:
    paths:
      - 'src/**'
      - 'tests/**'
jobs:
  security-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # Compute the changed-file list that the review step below references
      - id: changed-files
        run: |
          base="origin/${{ github.base_ref }}"
          echo "all=$(git diff --name-only "$base"...HEAD | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
      - uses: anthropic/claude-code-action@v1
        with:
          api-key: ${{ secrets.ANTHROPIC_API_KEY }}
      - name: Security Review
        run: |
          claude review \
            --focus security \
            --files ${{ steps.changed-files.outputs.all }} \
            --output security-report.md
      - name: Upload Security Report
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: security-report.md
  performance-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropic/claude-code-action@v1
        with:
          api-key: ${{ secrets.ANTHROPIC_API_KEY }}
      - name: Performance Review
        run: |
          claude review \
            --focus performance \
            --output performance-report.md
  test-generation:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed only for the push below
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.head_ref }}   # check out the PR branch, not the detached merge commit, so the push lands on it
      # List files added in this PR for the test generator
      - id: changed-files
        run: |
          base="origin/${{ github.base_ref }}"
          echo "added=$(git diff --name-only --diff-filter=A "$base"...HEAD | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
      - uses: anthropic/claude-code-action@v1
        with:
          api-key: ${{ secrets.ANTHROPIC_API_KEY }}
      - name: Generate Tests
        run: |
          claude generate-tests \
            --for-files ${{ steps.changed-files.outputs.added }} \
            --output new-tests/
      - name: Commit Tests
        run: |
          git config user.name "Claude CI"
          git config user.email "[email protected]"
          git add new-tests/
          git diff --cached --quiet || git commit -m "test: auto-generated tests for PR #${{ github.event.pull_request.number }}"
          git push
```
GitLab CI/CD integration
Basic configuration
```yaml
# .gitlab-ci.yml
stages:
  - review
  - test
variables:
  ANTHROPIC_API_KEY: $ANTHROPIC_API_KEY   # define this as a masked, protected CI/CD variable
claude-review:
  stage: review
  image: anthropic/claude-code:latest
  script:
    - >
      claude review-mr
      --mr-id "$CI_MERGE_REQUEST_IID"
      --project "$CI_PROJECT_PATH"
      --output claude-review.md
  artifacts:
    paths:
      - claude-review.md   # a Markdown report; the codequality report type expects Code Climate JSON
    expire_in: 1 week
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
claude-test-gen:
  stage: test
  image: anthropic/claude-code:latest
  script:
    - >
      claude generate-tests
      --diff-from "$CI_MERGE_REQUEST_DIFF_BASE_SHA"
      --output generated-tests/
    - pytest generated-tests/ -v --junitxml=generated-tests/report.xml
  artifacts:
    when: always
    reports:
      junit: generated-tests/report.xml
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```
Automated test generation
Configuration
```yaml
# .github/workflows/auto-test.yaml
name: Auto Generate Tests
on:
  push:
    branches: [main]
jobs:
  generate-tests:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create-pull-request pushes the branch
      pull-requests: write   # and opens the PR
    steps:
      - uses: actions/checkout@v4
      - uses: anthropic/claude-code-action@v1
        with:
          api-key: ${{ secrets.ANTHROPIC_API_KEY }}
      - name: Detect New Functions
        id: detect
        run: |
          # Find newly added functions that have no tests
          python scripts/find_untested.py > untested.json
      - name: Generate Tests with Claude
        run: |
          claude generate-tests \
            --functions $(jq -r '.[].name' untested.json) \
            --style pytest \
            --output tests/auto/
      - name: Run Generated Tests
        run: pytest tests/auto/ -v --tb=short
      - name: Create PR with Tests
        uses: peter-evans/create-pull-request@v6
        with:
          title: "test: auto-generated tests"
          body: "Generated by Claude Code CI"
          branch: auto-tests
```
Complete production GitHub Actions configuration
```yaml
# .github/workflows/claude-prod-review.yaml
name: Claude Code Production Review
on:
  pull_request:
    types: [opened, synchronize, reopened]
    paths:
      - 'src/**'
      - 'lib/**'
      - 'app/**'
jobs:
  # Stage 1: parallel analysis
  analyze:
    runs-on: ubuntu-latest
    outputs:
      files: ${{ steps.changes.outputs.files }}
      count: ${{ steps.changes.outputs.count }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Detect Changes
        id: changes
        run: |
          files=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -E '\.(py|js|ts|go|rs)$' | tr '\n' ' ')
          echo "files=$files" >> "$GITHUB_OUTPUT"
          echo "count=$(echo $files | wc -w)" >> "$GITHUB_OUTPUT"
  # Stage 2: security review (highest priority)
  security-review:
    needs: analyze
    if: needs.analyze.outputs.count > 0
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - name: Security Review with Claude
        uses: anthropic/claude-code-action@v1
        with:
          api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          model: claude-opus-4-7
          prompt: |
            Review the following files for security issues:
            ${{ needs.analyze.outputs.files }}
            Focus on:
            1. SQL injection, XSS, CSRF
            2. Hard-coded secrets
            3. Insecure deserialization
            4. Authorization bypass
            5. Vulnerable dependencies
            Output format (write the report to security-report.md):
            - [CRITICAL/HIGH/MEDIUM/LOW] description of the issue
            - Exact location (file:line)
            - Suggested fix (with a code example)
            - CVSS score (where applicable)
      - name: Post Security Report
        uses: actions/github-script@v7
        with:
          script: |
            const report = require('fs').readFileSync('security-report.md', 'utf8');
            // Count severity tags that open a finding, not every occurrence of the word
            const critical = (report.match(/^- \[CRITICAL\]/gm) || []).length;
            const high = (report.match(/^- \[HIGH\]/gm) || []).length;
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## 🔒 Claude Code Security Review Report\n\n${report}\n\n**Summary**: CRITICAL ${critical} | HIGH ${high}`
            });
            // Mark the check as failed if any CRITICAL finding is present
            if (critical > 0) {
              core.setFailed('CRITICAL security issues found!');
            }
  # Stage 3: performance review
  performance-review:
    needs: [analyze, security-review]
    if: needs.analyze.outputs.count > 0
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
      - name: Performance Review
        uses: anthropic/claude-code-action@v1
        with:
          api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          model: claude-sonnet-4-6
          prompt: |
            Review the code for performance problems:
            ${{ needs.analyze.outputs.files }}
            Focus on:
            1. Time complexity (any O(n²) that can be optimized)
            2. Database queries (N+1 problems)
            3. Memory leaks
            4. Unnecessary I/O
            5. Caching strategy
  # Stage 4: automated test generation
  auto-test:
    needs: [analyze, security-review]
    if: needs.analyze.outputs.count > 0
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: write   # needed only for the push below
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}   # check out the PR branch so the push lands on it
      - name: Generate Tests
        uses: anthropic/claude-code-action@v1
        with:
          api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          model: claude-sonnet-4-6
          prompt: |
            Generate tests for the code added or modified in this PR:
            ${{ needs.analyze.outputs.files }}
            Requirements:
            1. Cover all new functionality
            2. Include boundary-condition tests
            3. Include exception-handling tests
            4. Follow the project's existing test style
      - name: Commit Tests
        run: |
          git config user.name "Claude CI"
          git config user.email "[email protected]"
          git add tests/
          git diff --cached --quiet || git commit -m "test: auto-generated by Claude Code"
          git push
  # Stage 5: summary report
  summary:
    needs: [security-review, performance-review, auto-test]
    runs-on: ubuntu-latest
    if: always()
    steps:
      - name: Generate Summary
        run: |
          echo "## Claude Code CI Review Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "| Check | Status |" >> "$GITHUB_STEP_SUMMARY"
          echo "|-------|--------|" >> "$GITHUB_STEP_SUMMARY"
          echo "| Security review | ${{ needs.security-review.result }} |" >> "$GITHUB_STEP_SUMMARY"
          echo "| Performance review | ${{ needs.performance-review.result }} |" >> "$GITHUB_STEP_SUMMARY"
          echo "| Test generation | ${{ needs.auto-test.result }} |" >> "$GITHUB_STEP_SUMMARY"
```
Best practices
| ✅ Recommended | ❌ Avoid |
|---|---|
| Limit the AI's permissions (read-only review) | Giving CI full write access |
| Have a human give final approval for important changes | Auto-merging the AI's changes |
| Run multiple review dimensions in parallel | Running them serially and wasting time |
| Keep review reports for later reference | Discarding review results |
| Set timeouts to prevent hangs | Running without limits |
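The production workflow's Post Security Report step fails the check by counting severity tags in the report that the security-review prompt asks for, and the table above asks that a human, not the pipeline, make the final call on important changes. The following is an added example, not code from the page or from Claude Code: it parses that `- [SEVERITY] ...` report format into per-severity counts and applies a configurable failure threshold, so the gate is driven by structured findings rather than by any mention of the word "CRITICAL"; the report text is a constructed sample, and `core.setFailed` is assumed to be the github-script object from the step above.

```javascript
// Added example (not from the page): parse the report the security-review
// prompt asks Claude to write and decide whether the PR check should fail.
// Only lines that begin with a severity tag count as findings, so prose such
// as "No CRITICAL issues were found" does not inflate the numbers.
const SEVERITIES = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'];
const FINDING_RE = /^\s*[-*]\s*\[(CRITICAL|HIGH|MEDIUM|LOW)\]\s+(.*)$/;

// Returns { counts: { CRITICAL: n, ... }, findings: [{ severity, title }] }.
function parseReport(markdown) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  const findings = [];
  for (const line of markdown.split('\n')) {
    const m = FINDING_RE.exec(line);
    if (!m) continue;
    counts[m[1]] += 1;
    findings.push({ severity: m[1], title: m[2].trim() });
  }
  return { counts, findings };
}

// Fail when any finding is at or above `threshold` ('HIGH' blocks on
// CRITICAL and HIGH). Returns { fail, reason } for core.setFailed().
function gate(parsed, threshold = 'CRITICAL') {
  const limit = SEVERITIES.indexOf(threshold);
  if (limit < 0) throw new Error(`unknown severity threshold: ${threshold}`);
  const blocking = SEVERITIES.slice(0, limit + 1)
    .map((s) => [s, parsed.counts[s]])
    .filter(([, n]) => n > 0);
  if (blocking.length === 0) return { fail: false, reason: 'no blocking findings' };
  const detail = blocking.map(([s, n]) => `${s} ${n}`).join(', ');
  return { fail: true, reason: `blocking findings: ${detail}` };
}

// Constructed sample report in the format the prompt requests (not real output).
const SAMPLE_REPORT = `## Security review
- [HIGH] SQL query built with string concatenation
  - Location: src/db.py:42
  - Fix: use parameterised queries
- [LOW] Verbose error message leaks a stack trace
  - Location: app/handlers.py:17
No CRITICAL issues were found.
`;

// Inside the github-script step this would be:
//   const verdict = gate(parseReport(report), 'HIGH');
//   if (verdict.fail) core.setFailed(verdict.reason);
const verdict = gate(parseReport(SAMPLE_REPORT), 'HIGH');
// -> { fail: true, reason: 'blocking findings: HIGH 1' }
```

Raising the threshold to `HIGH` turns the step into a merge blocker for HIGH findings as well, while the default keeps the page's behaviour of failing only on CRITICAL.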