From f0b958e1e4145df9c5cd1e1b588e6ef18c5885ea Mon Sep 17 00:00:00 2001
From: Max Isbey <224885523+maxisbey@users.noreply.github.com>
Date: Sat, 24 Jan 2026 15:51:57 +0000
Subject: [PATCH] ci: skip claude code review for fork PRs

Fork PRs cannot authenticate with the claude-code-action because:

1. The `pull_request` event from forks does not expose repository
   secrets or OIDC tokens (GitHub security restriction), so both
   `anthropic_api_key` and the GitHub App token exchange fail.

2. Switching to `pull_request_target` (which does have access to
   secrets and OIDC) also does not work because Anthropic's OIDC
   token exchange endpoint rejects `pull_request_target` event
   types (anthropics/claude-code-action#713).

Until the upstream action supports fork PRs, skip the review to
avoid noisy CI failures on every external contribution.
---
 .github/workflows/claude-code-review.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index bb118402c..6238c5471 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   claude-review:
+    # Fork PRs don't have access to secrets or OIDC tokens, so the action
+    # cannot authenticate. See https://github.com/anthropics/claude-code-action/issues/339
+    if: github.event.pull_request.head.repo.fork == false
     runs-on: ubuntu-latest
     permissions:
       contents: read