Claude Code workflow (nats-io/nats-server)
The Claude Code workflow from nats-io/nats-server, explained and optimized by Latchkey.
CI health: B - good
Run this on Latchkey for self-healing, caching, and up to 58% lower cost.
Grade your own workflow free or run it on Latchkey →What it does
This is the Claude Code workflow from the nats-io/nats-server repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Claude Code
# GITHUB_TOKEN needs contents:read and actions:read - required by
# claude-code-action for restoring trusted config files from the base branch.
# All other GitHub API access uses the App token.
permissions:
contents: read
actions: read
on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
pull_request_target:
types: [opened, reopened]
jobs:
claude:
name: Claude Review
uses: synadia-io/ai-workflows/.github/workflows/claude.yml@v2
if: contains(
fromJson('["OWNER","MEMBER","COLLABORATOR"]'),
github.event.comment.author_association || github.event.pull_request.author_association
)
with:
gh_app_id: ${{ vars.CLAUDE_GH_APP_ID }}
checkout_mode: "base"
# review_focus is used only by the auto-review job (pull_request_target), not the
# interactive @claude job - so the check below only needs github.event.pull_request,
# which pull_request_target populates. On issue_comment events that field is absent,
# so this evaluates to startsWith(null, 'backports/') -> false; harmless, since the
# interactive job ignores review_focus. Can't be fixed in-expression: issue_comment
# payloads carry no head ref at all.
review_focus: |
${{ startsWith(github.event.pull_request.head.ref, 'backports/') && '
This is a BACKPORT / RELEASE pull request. Every cherry-picked commit
originates from a PR that was already independently reviewed and approved
on the source branch. Do NOT re-review the individual code changes and do
NOT comment on the implementation of cherry-picked hunks - assume they are
correct.
Instead, focus exclusively on:
- Cherry-pick completeness. Inspect the PRs/commits included in this
backport. For each source PR, check its milestone, labels, and target
branch to decide whether it belongs in this release line. Flag any PR
that targets this release but is MISSING here, and any included PR that
does not belong.
- Non-clean picks. Call out commits that appear to have been modified
during the cherry-pick (conflict resolution, adapted context) - those
are the only changes that warrant a closer look.
- Release overview. Produce a concise summary of what this release ships,
grouped by area (JetStream, Raft/NRG, leafnodes, security, etc.), so
reviewers can sanity-check the scope at a glance.
' || '
Additionally focus on:
- Performance implications (hot paths, allocations, lock contention)
- Concurrency safety (goroutine leaks, race conditions, deadlocks)
- Raft consensus and JetStream clustering correctness
- Security boundaries (authentication, authorization, TLS handling)
' }}
secrets:
claude_oauth_token: ${{ secrets.CLAUDE_OAUTH_TOKEN }}
gh_app_private_key: ${{ secrets.CLAUDE_GH_APP_PRIVATE_KEY }}
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Claude Code # GITHUB_TOKEN needs contents:read and actions:read - required by # claude-code-action for restoring trusted config files from the base branch. # All other GitHub API access uses the App token. permissions: contents: read actions: read on: issue_comment: types: [created] pull_request_review_comment: types: [created] pull_request_target: types: [opened, reopened] jobs: claude: timeout-minutes: 30 name: Claude Review uses: synadia-io/ai-workflows/.github/workflows/claude.yml@v2 if: contains( fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association || github.event.pull_request.author_association ) with: gh_app_id: ${{ vars.CLAUDE_GH_APP_ID }} checkout_mode: "base" # review_focus is used only by the auto-review job (pull_request_target), not the # interactive @claude job - so the check below only needs github.event.pull_request, # which pull_request_target populates. On issue_comment events that field is absent, # so this evaluates to startsWith(null, 'backports/') -> false; harmless, since the # interactive job ignores review_focus. Can't be fixed in-expression: issue_comment # payloads carry no head ref at all. review_focus: | ${{ startsWith(github.event.pull_request.head.ref, 'backports/') && ' This is a BACKPORT / RELEASE pull request. Every cherry-picked commit originates from a PR that was already independently reviewed and approved on the source branch. Do NOT re-review the individual code changes and do NOT comment on the implementation of cherry-picked hunks - assume they are correct. Instead, focus exclusively on: - Cherry-pick completeness. Inspect the PRs/commits included in this backport. For each source PR, check its milestone, labels, and target branch to decide whether it belongs in this release line. Flag any PR that targets this release but is MISSING here, and any included PR that does not belong. - Non-clean picks. Call out commits that appear to have been modified during the cherry-pick (conflict resolution, adapted context) - those are the only changes that warrant a closer look. - Release overview. Produce a concise summary of what this release ships, grouped by area (JetStream, Raft/NRG, leafnodes, security, etc.), so reviewers can sanity-check the scope at a glance. ' || ' Additionally focus on: - Performance implications (hot paths, allocations, lock contention) - Concurrency safety (goroutine leaks, race conditions, deadlocks) - Raft consensus and JetStream clustering correctness - Security boundaries (authentication, authorization, TLS handling) ' }} secrets: claude_oauth_token: ${{ secrets.CLAUDE_OAUTH_TOKEN }} gh_app_private_key: ${{ secrets.CLAUDE_GH_APP_PRIVATE_KEY }}
What changed
- Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.