fix: claude code review for forked branches (#2149)

priyansh4320 · marklysze · web-flow · commit 3a7aa79504d1 · 2025-10-21T19:38:11.000Z
Co-authored-by: Mark Sze &lt;66362098+marklysze@users.noreply.github.com&gt;
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -1,26 +1,22 @@
 name: Claude Code Review
 
 on:
+  # For PRs from the same repository (fast path)
   pull_request:
     types: [opened, synchronize]
-    # Optional: Only run on specific file changes
-    # paths:
-    #   - "src/**/*.ts"
-    #   - "src/**/*.tsx"
-    #   - "src/**/*.js"
-    #   - "src/**/*.jsx"
+  # For PRs from forked repositories (secure path with secrets)
+  pull_request_target:
+    types: [opened, synchronize]
 
 jobs:
   claude-review:
-    # Skip draft PRs
-    if: github.event.pull_request.draft == false
-
-    # Optional: Filter by PR author
-    # if: |
-    #   github.event.pull_request.draft == false &&
-    #   (github.event.pull_request.user.login == 'external-contributor' ||
-    #   github.event.pull_request.user.login == 'new-developer' ||
-    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR')
+    # Skip draft PRs and prevent duplicate runs
+    if: |
+      github.event.pull_request.draft == false &&
+      (
+        (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
+        (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
+      )
 
     runs-on: ubuntu-latest
     permissions:
@@ -35,6 +31,20 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Checkout PR branch
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request_target" ]; then
+            echo "⚠️  Forked PR detected - running in secure mode"
+            echo "PR from: ${{ github.event.pull_request.head.repo.full_name }}"
+            echo "Base repo: ${{ github.repository }}"
+          fi
+
+          echo "Checking out PR #${{ github.event.pull_request.number }}"
+          gh pr checkout ${{ github.event.pull_request.number }}
+          echo "✅ PR branch checked out successfully"
+
       - name: Run Claude Code Review
         id: claude-review
         uses: anthropics/claude-code-action@v1
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -30,6 +30,35 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Checkout PR branch (if comment is on a PR)
+        if: github.event.issue.pull_request || github.event.pull_request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ -n "${{ github.event.issue.number }}" ]; then
+            PR_NUMBER="${{ github.event.issue.number }}"
+          elif [ -n "${{ github.event.pull_request.number }}" ]; then
+            PR_NUMBER="${{ github.event.pull_request.number }}"
+          fi
+
+          if [ -n "$PR_NUMBER" ]; then
+            echo "Detected comment on PR #$PR_NUMBER"
+
+            # Check if it's a forked PR
+            PR_INFO=$(gh pr view $PR_NUMBER --json isCrossRepository,headRepositoryOwner 2>/dev/null || echo '{}')
+            IS_FORK=$(echo "$PR_INFO" | jq -r '.isCrossRepository // false')
+
+            if [ "$IS_FORK" = "true" ]; then
+              echo "⚠️  Forked PR detected - running in secure mode"
+              FORK_OWNER=$(echo "$PR_INFO" | jq -r '.headRepositoryOwner.login')
+              echo "PR from: $FORK_OWNER"
+            fi
+
+            echo "Checking out PR #$PR_NUMBER"
+            gh pr checkout $PR_NUMBER
+            echo "✅ PR branch checked out successfully"
+          fi
+
       - name: Run Claude Code
         id: claude
         uses: anthropics/claude-code-action@v1
@@ -39,11 +68,3 @@ jobs:
           # This is an optional setting that allows Claude to read CI results on PRs
           additional_permissions: |
             actions: read
-
-          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
-          # prompt: 'Update the pull request description to include a summary of changes.'
-
-          # Optional: Add claude_args to customize behavior and configuration
-          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
-          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
-          # claude_args: '--allowed-tools Bash(gh pr:*)'
