info
This documentation is automatically synchronized from the claude-hub repository. Last updated: 2025-06-01
Complete Claude GitHub Webhook Workflow
This document provides a comprehensive overview of the entire workflow from GitHub webhook reception to Claude execution and response.
Architecture Overview
GitHub → Webhook Service → Docker Container → Claude API
↓ ↓
←←←←←← GitHub API ←←←←←←←←←←←←←←←←←
Detailed Workflow
1. GitHub Webhook Reception
Endpoint: POST /api/webhooks/github
Handler: src/index.ts:38
- GitHub sends webhook event to the service
- Express middleware captures raw body for signature verification
- Request is passed to the GitHub controller
2. Webhook Verification & Processing
Controller: src/controllers/githubController.ts
Method: handleWebhook()
- Verifies webhook signature using
GITHUB_WEBHOOK_SECRET - Parses event payload
- Supported event types:
issue_comment.createdpull_request_review_comment.createdpull_request.created
3. Command Extraction
- Checks for bot mention in comment body (using BOT_USERNAME env variable)
- Extracts command using regex pattern based on configured bot username
- Captures:
- Repository full name
- Issue/PR number
- Branch information (if PR)
- Command to execute
4. Claude Container Preparation
Service: src/services/claudeService.ts
Method: processCommand()
- Builds Docker image if not exists:
claudecode:latest - Creates unique container name
- Prepares environment variables:
GITHUB_TOKEN
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_REGION
ANTHROPIC_MODEL
CLAUDE_CODE_USE_BEDROCK
REPO_FULL_NAME
ISSUE_NUMBER
TARGET_BRANCH
COMMAND
5. Container Execution
Entrypoint: claudecode-entrypoint.sh
- Configure GitHub CLI authentication
- Clone repository with GitHub token
- Checkout appropriate branch:
- PR branch for pull requests
- Main/default branch for issues
- Set git configuration for commits
- Run Claude Code CLI with command
- Save response to
/tmp/response.md
6. Response Handling
Controller: src/controllers/githubController.ts
Method: handleWebhook()
- Read response from container
- Return response as HTTP JSON response
- Clean up container (if configured)
API Endpoints
Main Webhook Endpoint
- URL:
/api/webhooks/github - Method:
POST - Headers:
X-Hub-Signature-256(GitHub webhook signature) - Purpose: Receives GitHub webhook events
Direct Claude API
- URL:
/api/claude - Method:
POST - Body:
{
"repository": "owner/repo",
"useContainer": true,
"command": "your command here"
} - Purpose: Direct Claude invocation (testing/debugging)
Health Check
- URL:
/health - Method:
GET - Response:
{
"status": "OK",
"docker": true,
"timestamp": "2024-11-03T12:00:00.000Z"
} - Purpose: Service health monitoring
Environment Variables
Required
| Variable | Description | Example |
|---|---|---|
GITHUB_TOKEN | GitHub personal access token | your_github_token |
GITHUB_WEBHOOK_SECRET | Webhook signature secret | your-secret |
AWS_ACCESS_KEY_ID | AWS access key for Bedrock | your_access_key_id |
AWS_SECRET_ACCESS_KEY | AWS secret key | xxxxx |
Optional
| Variable | Description | Default |
|---|---|---|
AWS_REGION | AWS region for Bedrock | us-east-1 |
ANTHROPIC_MODEL | Claude model to use | anthropic.claude-3-sonnet-20240229-v1:0 |
CLAUDE_CODE_USE_BEDROCK | Use Bedrock (vs API) | 1 |
PORT | Service port | 3002 |
LOG_LEVEL | Logging verbosity | info |
CLEANUP_CONTAINERS | Auto-cleanup after execution | false |
Docker Container Lifecycle
Build Phase
Dockerfile.claudecodedefines Claude execution environment- Installs:
- Node.js 20
- GitHub CLI
- AWS CLI
- Claude Code CLI
- Git and utilities
Execution Phase
- Container created with unique name
- Volumes mounted:
/tmp/response.mdfor output- Project directory for access
- Environment variables passed
- Runs
claudecode-entrypoint.sh
Cleanup Phase
- Response file extracted
- Container stopped
- Container removed (if cleanup enabled)
- Volumes cleaned up
Security Considerations
- Webhook Verification: All webhooks verified with HMAC signature
- Container Isolation: Each request runs in isolated container
- Limited Permissions: Claude Code runs with restricted tools
- Token Security: GitHub tokens never exposed in logs
- Network Isolation: Containers run in isolated network
Error Handling
- Webhook Errors: Return 401 for invalid signatures
- Container Errors: Caught and logged, error posted to GitHub
- API Errors: Return appropriate HTTP status codes
- Timeout Handling: Container execution limited to 5 minutes
- Cleanup Errors: Logged but don't fail the request
Testing
Manual Testing
# Test webhook locally using CLI
./cli/claude-webhook owner/repo "Your command"
# Test Claude API directly
node test/test-claude-api.js owner/repo
# Test with container
node test/test-claude-api.js owner/repo container "Your command"
Integration Testing
# Full workflow test
npm test
# Docker container test
./test-claudecode-docker.sh
Deployment
Docker Compose
services:
webhook:
build: .
ports:
- "8082:3002"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- n8n_default
Production Considerations
- Use environment-specific
.envfiles - Enable container cleanup for production
- Set appropriate resource limits
- Configure logging for monitoring
- Use webhook URL allowlisting
Troubleshooting
Common Issues
-
Webhook Signature Failures
- Check
GITHUB_WEBHOOK_SECRETmatches GitHub - Verify raw body is captured correctly
- Check
-
Container Build Failures
- Check Docker daemon is running
- Verify Docker socket permissions
-
Claude Errors
- Verify AWS credentials are valid
- Check Bedrock model availability in region
-
GitHub API Errors
- Verify
GITHUB_TOKENhas correct permissions - Check rate limits
- Verify
Debug Commands
# View webhook logs
docker compose logs -f webhook
# List running containers
docker ps -a | grep claude-code
# Debug container directly
docker exec -it <container-id> /bin/bash
# Check Docker connectivity
curl --unix-socket /var/run/docker.sock http://localhost/info