From 9ce3cf55fc5f8cb8e8c86e505a56d7e956b459f4 Mon Sep 17 00:00:00 2001
From: LUIS NOVO
Date: Tue, 13 Jan 2026 18:40:18 -0300
Subject: [PATCH 1/3] fix: allow claude code review workflow to run on PRs from forks Switch from pull_request to pull_request_target event to enable OIDC token access for external contributor PRs. This allows the Claude Code action to authenticate properly when reviewing PRs from forks. Also added explicit PR head SHA ref to checkout to ensure we review the correct code. Fixes workflow failure: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL
---
.github/workflows/claude-code-review.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index b5e8cfd..743483e 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -1,7 +1,7 @@ name: Claude Code Review on: - pull_request: + pull_request_target: types: [opened, synchronize, ready_for_review, reopened] # Optional: Only run on specific file changes # paths:
@@ -29,6 +29,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: + ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 1 - name: Run Claude Code Review
From faa652dce796d171a80bbe7f3fd5564420cca0f0 Mon Sep 17 00:00:00 2001
From: LUIS NOVO
Date: Tue, 13 Jan 2026 18:44:23 -0300
Subject: [PATCH 2/3] fix: add pull_request trigger alongside pull_request_target Add both pull_request and pull_request_target triggers to support: - pull_request: Same-repo PRs (works immediately with changed workflow) - pull_request_target: Fork PRs (provides OIDC tokens) This resolves the chicken-and-egg problem where pull_request_target uses the base branch's workflow file, preventing the workflow from running when the workflow file itself is changed in the PR.
---
.github/workflows/claude-code-review.yml | 2 ++
1 file changed, 2 insertions(+)
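Review bot: Switching the trigger to `pull_request_target` at the top of this hunk makes every fork PR run this job with the base repository's secrets and a write-capable `GITHUB_TOKEN`, and the second hunk of the same patch then checks out that fork's commit — exactly the combination GitHub's security-hardening guidance warns about, since nothing here gates who can start a privileged run beyond opening or updating a PR. If the job's `permissions:` block (outside this hunk) grants more than the review needs, cut it to something like `permissions: { contents: read, pull-requests: write, id-token: write }`, and make fork PRs opt-in by a maintainer: add `labeled` to `types:` and guard the job with `if: github.event.pull_request.head.repo.full_name == github.repository || contains(github.event.pull_request.labels.*.name, 'safe-to-review')`. Whether any later step executes code or reads configuration from the checked-out tree is not visible in this patch, so the tree should be treated as attacker-controlled until that is confirmed.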
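Review bot: The new `ref:` line in the checkout step says nothing about why it is needed or what it brings onto the runner, and both matter to whoever next edits this workflow: under `pull_request_target` the default checkout is the base branch (the commit message confirms the review was looking at the wrong code), and with this line the job now has a fork's untrusted tree on disk while secrets are in scope. I would add above `ref:` the comment `# pull_request_target checks out the base branch by default; pin to the PR head so the review sees the submitted code. For fork PRs this tree is untrusted: later steps must not run scripts, hooks or package installs from it.` The rest of the step's inputs and the steps that follow are outside the hunk.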
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 743483e..f46ed0a 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -1,6 +1,8 @@ name: Claude Code Review on: + pull_request: + types: [opened, synchronize, ready_for_review, reopened] pull_request_target: types: [opened, synchronize, ready_for_review, reopened] # Optional: Only run on specific file changes
From 21b6809277c3b809fa415b6b227f76582c6facf4 Mon Sep 17 00:00:00 2001
From: LUIS NOVO
Date: Tue, 13 Jan 2026 18:47:36 -0300
Subject: [PATCH 3/3] security: add persist-credentials false to checkout step Prevent GITHUB_TOKEN from being stored in .git/config when checking out PR code in pull_request_target workflows. This is a security best practice to prevent untrusted code from potentially accessing stored credentials. While the Claude Code action doesn't execute arbitrary PR code, this follows defense-in-depth security principles to minimize attack surface when handling untrusted code from forks.
---
.github/workflows/claude-code-review.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index f46ed0a..e049561 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -33,6 +33,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 1 + persist-credentials: false - name: Run Claude Code Review id: claude-review
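Review bot: Listing both `pull_request:` and `pull_request_target:` makes every PR fire two runs: a same-repo PR gets reviewed twice, and a fork PR still triggers the `pull_request` run, which on a fork has no `id-token` grant and will presumably keep failing with the `ACTIONS_ID_TOKEN_REQUEST_URL` error the first patch set out to fix — so the red check does not go away, it just gains a green twin. The triggers cannot express "same-repo only" versus "fork only"; that split belongs on the job (under `jobs:`, outside this hunk): `if: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) }}`. Whether such a guard already exists further down the file is not visible here.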
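Review bot: `persist-credentials: false` only stops actions/checkout from writing the token into `.git/config`; the job still holds `GITHUB_TOKEN` and whatever `secrets.*` the review step receives in its environment, so by itself it does not secure a `pull_request_target` run that has a fork's code checked out. The commit message's claim that the action does not execute PR code cannot be checked from this hunk — the review step is cut off — and an action that reads project configuration or hooks from the tree, or any install step before it, would still expose those secrets. I would keep the line and mark its limits inline so nobody treats it as sufficient: `persist-credentials: false  # keeps the token out of .git/config only; secrets in the step environment remain reachable by anything that runs from this untrusted tree`. It needs pairing with a least-privilege `permissions:` on the job and a maintainer gate for fork PRs, both of which live outside this hunk.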