chore: add claude workflow (#678)

Author: jking-aus

.github/workflows/claude-code-action.yml

@@ -0,0 +1,79 @@
+name: Claude Code Action
+
+on:
+    pull_request:
+    issue_comment:
+        types: [created]
+
+permissions:
+    id-token: write
+    contents: write
+    pull-requests: write
+    issues: write
+
+jobs:
+    check-membership:
+        runs-on: ubuntu-latest
+        outputs:
+            is-member: ${{ steps.check.outputs.is-member }}
+            should-run: ${{ steps.check.outputs.should-run }}
+        steps:
+            - name: Generate GitHub App token
+              id: app-token
+              uses: actions/create-github-app-token@v2
+              with:
+                  app-id: ${{ vars.APP_ID }}
+                  private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+            - name: Check if Claude is mentioned and user is org member
+              id: check
+              env:
+                  GH_TOKEN: ${{ steps.app-token.outputs.token }}
+              run: |
+                  USER="${{ github.event.pull_request.user.login || github.event.comment.user.login }}"
+                  COMMENT_BODY="${{ github.event.comment.body }}"
+                  PR_TITLE="${{ github.event.pull_request.title }}"
+                  PR_BODY="${{ github.event.pull_request.body }}"
+
+                  # Check if @claude is mentioned in PR title/body or comment
+                  if [[ "$COMMENT_BODY" == *"@claude"* ]] || [[ "$PR_TITLE" == *"@claude"* ]] || [[ "$PR_BODY" == *"@claude"* ]]; then
+                    echo "should-run=true" >> $GITHUB_OUTPUT
+                  else
+                    echo "should-run=false" >> $GITHUB_OUTPUT
+                    echo "Skipping: @claude not mentioned"
+                    exit 0
+                  fi
+
+                  # Check org membership.
+                  if gh api /orgs/sigp/members/$USER --silent 2>/dev/null; then
+                    echo "is-member=true" >> $GITHUB_OUTPUT
+                  else
+                    echo "is-member=false" >> $GITHUB_OUTPUT
+                    echo "⚠️ User $USER is not a member of sigp organization. Skipping Claude Code Action."
+                  fi
+
+    claude-code:
+        runs-on: ubuntu-latest
+        needs: check-membership
+        if: needs.check-membership.outputs.is-member == 'true' && needs.check-membership.outputs.should-run == 'true'
+        steps:
+            - name: Configure AWS Credentials (OIDC)
+              uses: aws-actions/configure-aws-credentials@v4
+              with:
+                  role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+                  aws-region: us-west-2
+
+            - name: Generate GitHub App token
+              id: app-token
+              uses: actions/create-github-app-token@v2
+              with:
+                  app-id: ${{ vars.APP_ID }}
+                  private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+            - uses: anthropics/claude-code-action@v1
+              with:
+                  use_bedrock: "true"
+                  claude_args: |
+                      --model anthropic.claude-sonnet-4-5-20250929-v1:0
+              env:
+                  GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}