Skip to content
Latchkey

Claude Code workflow (nats-io/nats-server)

The Claude Code workflow from nats-io/nats-server, explained and optimized by Latchkey.

B

CI health: B - good

Run this on Latchkey for self-healing, caching, and up to 58% lower cost.

Grade your own workflow free or run it on Latchkey →
Source: nats-io/nats-server.github/workflows/claude.ymlLicense Apache-2.0View source

What it does

This is the Claude Code workflow from the nats-io/nats-server repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Claude Code

# GITHUB_TOKEN needs contents:read and actions:read - required by
# claude-code-action for restoring trusted config files from the base branch.
# All other GitHub API access uses the App token.
permissions:
  contents: read
  actions: read

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_target:
    types: [opened, reopened]

jobs:
  claude:
    name: Claude Review
    uses: synadia-io/ai-workflows/.github/workflows/claude.yml@v2
    if: contains(
      fromJson('["OWNER","MEMBER","COLLABORATOR"]'),
      github.event.comment.author_association || github.event.pull_request.author_association
      )
    with:
      gh_app_id: ${{ vars.CLAUDE_GH_APP_ID }}
      checkout_mode: "base"
      # review_focus is used only by the auto-review job (pull_request_target), not the
      # interactive @claude job - so the check below only needs github.event.pull_request,
      # which pull_request_target populates. On issue_comment events that field is absent,
      # so this evaluates to startsWith(null, 'backports/') -> false; harmless, since the
      # interactive job ignores review_focus. Can't be fixed in-expression: issue_comment
      # payloads carry no head ref at all.
      review_focus: |
        ${{ startsWith(github.event.pull_request.head.ref, 'backports/') && '
        This is a BACKPORT / RELEASE pull request. Every cherry-picked commit
        originates from a PR that was already independently reviewed and approved
        on the source branch. Do NOT re-review the individual code changes and do
        NOT comment on the implementation of cherry-picked hunks - assume they are
        correct.

        Instead, focus exclusively on:
        - Cherry-pick completeness. Inspect the PRs/commits included in this
          backport. For each source PR, check its milestone, labels, and target
          branch to decide whether it belongs in this release line. Flag any PR
          that targets this release but is MISSING here, and any included PR that
          does not belong.
        - Non-clean picks. Call out commits that appear to have been modified
          during the cherry-pick (conflict resolution, adapted context) - those
          are the only changes that warrant a closer look.
        - Release overview. Produce a concise summary of what this release ships,
          grouped by area (JetStream, Raft/NRG, leafnodes, security, etc.), so
          reviewers can sanity-check the scope at a glance.
        ' || '
        Additionally focus on:
        - Performance implications (hot paths, allocations, lock contention)
        - Concurrency safety (goroutine leaks, race conditions, deadlocks)
        - Raft consensus and JetStream clustering correctness
        - Security boundaries (authentication, authorization, TLS handling)
        ' }}
    secrets:
      claude_oauth_token: ${{ secrets.CLAUDE_OAUTH_TOKEN }}
      gh_app_private_key: ${{ secrets.CLAUDE_GH_APP_PRIVATE_KEY }}

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Claude Code
 
# GITHUB_TOKEN needs contents:read and actions:read - required by
# claude-code-action for restoring trusted config files from the base branch.
# All other GitHub API access uses the App token.
permissions:
  contents: read
  actions: read
 
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_target:
    types: [opened, reopened]
 
jobs:
  claude:
    timeout-minutes: 30
    name: Claude Review
    uses: synadia-io/ai-workflows/.github/workflows/claude.yml@v2
    if: contains(
      fromJson('["OWNER","MEMBER","COLLABORATOR"]'),
      github.event.comment.author_association || github.event.pull_request.author_association
      )
    with:
      gh_app_id: ${{ vars.CLAUDE_GH_APP_ID }}
      checkout_mode: "base"
      # review_focus is used only by the auto-review job (pull_request_target), not the
      # interactive @claude job - so the check below only needs github.event.pull_request,
      # which pull_request_target populates. On issue_comment events that field is absent,
      # so this evaluates to startsWith(null, 'backports/') -> false; harmless, since the
      # interactive job ignores review_focus. Can't be fixed in-expression: issue_comment
      # payloads carry no head ref at all.
      review_focus: |
        ${{ startsWith(github.event.pull_request.head.ref, 'backports/') && '
        This is a BACKPORT / RELEASE pull request. Every cherry-picked commit
        originates from a PR that was already independently reviewed and approved
        on the source branch. Do NOT re-review the individual code changes and do
        NOT comment on the implementation of cherry-picked hunks - assume they are
        correct.
 
        Instead, focus exclusively on:
        - Cherry-pick completeness. Inspect the PRs/commits included in this
          backport. For each source PR, check its milestone, labels, and target
          branch to decide whether it belongs in this release line. Flag any PR
          that targets this release but is MISSING here, and any included PR that
          does not belong.
        - Non-clean picks. Call out commits that appear to have been modified
          during the cherry-pick (conflict resolution, adapted context) - those
          are the only changes that warrant a closer look.
        - Release overview. Produce a concise summary of what this release ships,
          grouped by area (JetStream, Raft/NRG, leafnodes, security, etc.), so
          reviewers can sanity-check the scope at a glance.
        ' || '
        Additionally focus on:
        - Performance implications (hot paths, allocations, lock contention)
        - Concurrency safety (goroutine leaks, race conditions, deadlocks)
        - Raft consensus and JetStream clustering correctness
        - Security boundaries (authentication, authorization, TLS handling)
        ' }}
    secrets:
      claude_oauth_token: ${{ secrets.CLAUDE_OAUTH_TOKEN }}
      gh_app_private_key: ${{ secrets.CLAUDE_GH_APP_PRIVATE_KEY }}
 

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.