From 46d888d39baed44c8013e637a7f8d4496123e8af Mon Sep 17 00:00:00 2001 From: Priyanshu Yashwant Deshmukh Date: Wed, 29 Oct 2025 19:13:27 +0530 Subject: [PATCH] fix: claude-code-review action for forked branches --- .github/workflows/claude-code-review.yml | 88 ++++++++++++++++++------ 1 file changed, 68 insertions(+), 20 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 11ea49aadb7..b026a6acd19 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -7,12 +7,6 @@ on: - opened - synchronize - ready_for_review - # Optional: Only run on specific file changes - # paths: - # - "src/**/*.ts" - # - "src/**/*.tsx" - # - "src/**/*.js" - # - "src/**/*.jsx" # For PRs from forked repositories (secure path with secrets) pull_request_target: types: @@ -21,14 +15,12 @@ on: - ready_for_review jobs: - claude-review: - # Skip draft PRs and prevent duplicate runs + # Job for same-repo PRs (can use OIDC if needed) + claude-review-same-repo: if: | - github.event.pull_request.draft == false && - ( - (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || - (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) - ) + github.event_name == 'pull_request' && + github.event.pull_request.head.repo.full_name == github.repository && + github.event.pull_request.draft == false runs-on: ubuntu-latest permissions: 
@@ -47,12 +39,65 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - if [ "${{ github.event_name }}" = "pull_request_target" ]; then - echo "⚠️ Forked PR detected - running in secure mode" - echo "PR from: ${{ github.event.pull_request.head.repo.full_name }}" - echo "Base repo: ${{ github.repository }}" - fi + echo "Checking out PR #${{ github.event.pull_request.number }}" + gh pr checkout ${{ github.event.pull_request.number }} + echo "✅ PR branch checked out successfully" + + - name: Run Claude Code Review + id: claude-review + uses: anthropics/claude-code-action@v1 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} + prompt: | + REPO: ${{ github.repository }} + PR NUMBER: ${{ github.event.pull_request.number }} + + Please review this pull request and provide feedback on: + - Code quality and best practices + - Potential bugs or issues + - Performance considerations + - Security concerns + - Test coverage + + # Steps to run a Review: + 1) Check if previous review is already done by Claude. If so, perform a re-reivew with the latest changes referring previous review. + 2) If no previous review is found, perform a new review with the latest changes. + + Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback. + + Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR. 
+ claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"' + + # Job for forked PRs (no OIDC, token-based only) + claude-review-forked: + if: | + github.event_name == 'pull_request_target' && + github.event.pull_request.head.repo.full_name != github.repository && + github.event.pull_request.draft == false + + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + issues: read + # Explicitly disable id-token to avoid OIDC flow + + steps: + - name: Checkout repository (no credentials persisted) + uses: actions/checkout@v4 + with: + fetch-depth: 1 + persist-credentials: false + + - name: Checkout PR branch (forked PR) + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "⚠️ Forked PR detected - running in secure mode" + echo "PR from: ${{ github.event.pull_request.head.repo.full_name }}" + echo "Base repo: ${{ github.repository }}" echo "Checking out PR #${{ github.event.pull_request.number }}" gh pr checkout ${{ github.event.pull_request.number }} echo "✅ PR branch checked out successfully" @@ -61,6 +106,7 @@ jobs: id: claude-review uses: anthropics/claude-code-action@v1 with: + github_token: ${{ secrets.GITHUB_TOKEN }} claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} prompt: | REPO: ${{ github.repository }} 
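Review bot: The `claude-review-forked` job runs under `pull_request_target`, checks out the untrusted fork head with `gh pr checkout`, and then tells Claude to follow the repository's CLAUDE.md, so a fork author controls the instructions fed to a tool that holds `CLAUDE_CODE_OAUTH_TOKEN` and a `pull-requests: write` token; the "running in secure mode" echo does not change that trust boundary. The allowed-tools list already includes `gh pr diff` and `gh pr view`, so the forked job can drop the `Checkout PR branch (forked PR)` step and review from the base-ref checkout, keeping CLAUDE.md and any file the model reads under maintainer control. If the PR tree really must be checked out, gate the job on a maintainer-applied label, e.g. adding `contains(github.event.pull_request.labels.*.name, 'safe-to-review')` to the `if:` (the `pull_request_target` trigger types are outside this hunk and would need `labeled`). The comment "Explicitly disable id-token" is only implicitly true because any `permissions:` block zeroes unlisted scopes; write `id-token: none` so the intent survives a later edit. Because this job handles secrets against fork input, pin `actions/checkout` and `anthropics/claude-code-action` to a commit SHA (`uses: actions/checkout@<sha> # v4`) rather than the floating `@v4`/`@v1` tags.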
@@ -73,10 +119,12 @@ jobs: - Security concerns - Test coverage + # Steps to run a Review: + 1) Check if previous review is already done by Claude. If so, perform a re-reivew with the latest changes referring previous review. + 2) If no previous review is found, perform a new review with the latest changes. + Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback. Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR. - # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md - # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
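Review bot: The new prompt step 1 misspells `re-reivew`; this text is sent to the model rather than shown to a user, so fix it in place: `perform a re-review with the latest changes, referring to the previous review`. The step also relies on the model finding its own earlier comment, which `gh pr view` in the allowed-tools list permits but the prompt does not say how to identify it; a fixed marker such as `Start your comment with the line "Claude Code Review:" and look for that line when checking for a previous review` would make re-review matching deterministic. The removed comments were the only pointer to the `claude_args` reference; a one-line `# claude_args options: see claude-code-action docs/usage.md` keeps the allowed-tools syntax discoverable for the next editor.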