From 623971eacd4d27175e8898c8e39fa12e1b032e8d Mon Sep 17 00:00:00 2001
From: Johannes Millan
Date: Wed, 21 Jan 2026 19:23:27 +0100
Subject: [PATCH] fix(ci): allow external contributors to trigger Claude Code review workflow

Add allowed_non_write_users parameter to bypass actor permission check for PRs from external contributors. This enables automated code reviews for all PRs, including those from forks, while maintaining security through pull_request_target context.
---
 .github/workflows/claude-code-review.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 5344192e4..882acec51 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -45,6 +45,9 @@ jobs:
 with:
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 github_token: ${{ secrets.GITHUB_TOKEN }}
+ # Allow all PR authors regardless of repository permissions
+ # This is safe because pull_request_target runs in the base repo context
+ allowed_non_write_users: '*'
 # Allow common dependency management bots to trigger reviews
 allowed_bots: 'dependabot[bot],renovate[bot]'
 plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
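Review bot: The comment added above `allowed_non_write_users: '*'` states the risk backwards: running under `pull_request_target` in the base-repo context is exactly what puts `CLAUDE_CODE_OAUTH_TOKEN` and `GITHUB_TOKEN` into a run that any external account can now start, with the PR title, body and diff reaching the model as untrusted input. The action documents this input as bypassing a security check and as meant only for workflows with very limited permissions. The job's `on:`, `permissions:` and checkout steps lie outside this hunk, so confirm there that the token is scoped to the minimum the review needs (for example `contents: read` plus `pull-requests: write`) and that the fork's head ref is never checked out and executed. I would replace the two comment lines with `# SECURITY: bypasses the actor write-permission check; PR content is untrusted input and this job holds base-repo secrets`, and consider an explicit username list or a maintainer-applied label gate instead of `'*'`.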