Add conditional logic to ensure only one workflow runs per PR:
- pull_request_target: Only for fork PRs (external contributors)
- pull_request: Only for same-repo PRs (internal branches)
This prevents both triggers from firing simultaneously and causing
conflicts or duplicate reviews.
Prevent GITHUB_TOKEN from being stored in .git/config when
checking out PR code in pull_request_target workflows. This
is a security best practice to prevent untrusted code from
potentially accessing stored credentials.
While the Claude Code action doesn't execute arbitrary PR code,
this follows defense-in-depth security principles to minimize
attack surface when handling untrusted code from forks.
Add both pull_request and pull_request_target triggers to support:
- pull_request: Same-repo PRs (works immediately with changed workflow)
- pull_request_target: Fork PRs (provides OIDC tokens)
This resolves the chicken-and-egg problem where pull_request_target
uses the base branch's workflow file, preventing the workflow from
running when the workflow file itself is changed in the PR.
Switch from pull_request to pull_request_target event to enable
OIDC token access for external contributor PRs. This allows the
Claude Code action to authenticate properly when reviewing PRs
from forks.
Also added explicit PR head SHA ref to checkout to ensure we
review the correct code.
Fixes workflow failure: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL