CI/CD Integration Patterns
Claude Code integrates cleanly into GitHub Actions and GitLab CI via the -p flag. This article covers permission design for headless environments, cost control strategies, three ready-to-use workflow patterns, and the --from-pr flag for PR-linked sessions.
Quick Reference
- Use claude -p in workflow steps with ANTHROPIC_API_KEY as a CI secret
- Never use bypassPermissions in CI — use an explicit tool allowlist instead
- --from-pr <number> resumes a Claude Code session linked to a specific pull request
- CLAUDE.md is cached — repeated CI runs on the same repo benefit from cache hits
- Use Haiku for simple classification tasks, Sonnet for deep code review
- --max-budget-usd prevents runaway costs from large PRs or unexpected input size
- Permission design: dontAsk mode with explicit Bash/Read/Grep allowlist for CI
- GitLab CI syntax is identical — just replace GitHub-specific actions with script blocks
Why Claude Code Belongs in CI
CI/CD pipelines run on every push, every PR, every merge. They're the perfect place to embed AI analysis that would be too slow or too easy to skip in interactive development. Security reviews, changelog generation, PR quality checks — these belong in the pipeline where they're automatic and consistent, not ad-hoc in someone's terminal.
Claude Code's -p flag (pipe mode) makes integration straightforward: install the CLI, export the API key, and call claude -p like any other shell command. The rest of your workflow doesn't change.
In CI, there is no human to approve permission prompts. You must pre-configure permissions via a settings file or dontAsk mode. The machine runs unsupervised, so cost caps and restricted tool access are not optional — they're the only thing preventing expensive mistakes.
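A pre-merge check for the rules above, as an added example (not code from the original article or from the Claude Code project): it scans workflow text for claude -p calls that bypass permissions or lack a --max-budget-usd cap, and for a literal API key where a CI secret belongs. The workflow fragments are constructed; --permission-mode, --allowedTools, --dangerously-skip-permissions and the sk-ant- key prefix are not named in the article and are used here as assumptions about the CLI.

```python
import re

# Constructed workflow fragments for illustration (not from the article).
WEAK = '''\
env:
  ANTHROPIC_API_KEY: sk-ant-EXAMPLE-not-a-real-key
steps:
  - run: |
      claude -p "Review this diff" \\
        --permission-mode bypassPermissions
'''
HARDENED = '''\
env:
  ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
steps:
  - run: |
      claude -p "Review this diff" --permission-mode dontAsk \\
        --allowedTools "Read,Grep" --max-budget-usd 2
'''

CALL = re.compile(r"\bclaude\b.*\s(-p|--print)\b")     # headless invocation
BYPASS = re.compile(r"bypassPermissions|--dangerously-skip-permissions")
KEY = re.compile(r"sk-ant-[A-Za-z0-9_-]{8,}")          # assumed key prefix


def lint(text):
    """Return (line_no, finding) pairs, in line order, for one workflow file."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        start, cmd = i + 1, lines[i]
        # Join backslash continuations so flags on later lines are seen.
        while cmd.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            cmd = cmd.rstrip()[:-1] + " " + lines[i].strip()
        i += 1
        if KEY.search(cmd):
            findings.append((start, "literal API key; use a CI secret"))
        if not CALL.search(cmd):
            continue
        if BYPASS.search(cmd):
            findings.append((start, "permissions bypassed; use a tool allowlist"))
        if "--max-budget-usd" not in cmd:
            findings.append((start, "no --max-budget-usd cost cap"))
    return findings


if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint(sample))
```

Run as a required step before any job that has access to ANTHROPIC_API_KEY, failing the build when lint() returns findings. Permissions set through a settings file are outside what this check sees.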