From 9e7a9ccdc9d91f4a4fe344bc887edd85358d36f0 Mon Sep 17 00:00:00 2001
From: Johannes Millan
Date: Mon, 19 Jan 2026 14:43:26 +0100
Subject: [PATCH] fix(ci): grant write permissions for fork PRs in Claude Code review Change trigger from pull_request to pull_request_target to allow the workflow to run with write permissions even for external contributors. This fixes the "Actor has insufficient permissions" error. Also add condition to skip draft PRs to reduce API usage.
---
 .github/workflows/claude-code-review.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 4eb2ef02b..4cc22de1c 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -1,7 +1,12 @@
 name: Claude Code Review
+# Using pull_request_target to grant write permissions for fork PRs.
+# This is safe because:
+# 1. We use a trusted action from Anthropic
+# 2. The action only reads PR content and posts comments
+# 3. No code from the PR is executed
 on:
- pull_request:
+ pull_request_target:
 types: [opened, synchronize, ready_for_review, reopened]
 # Optional: Only run on specific file changes
 # paths:
@@ -18,6 +23,9 @@ jobs:
 # github.event.pull_request.user.login == 'new-developer' ||
 # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+ # Skip draft PRs to reduce API usage
+ if: github.event.pull_request.draft == false
+
 runs-on: ubuntu-latest
 permissions:
 contents: read
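Review bot: The safety rationale in the added comment above `on:` cannot be verified from this hunk, and `pull_request_target` makes it load-bearing: the job now runs in the base repository's context, with its secrets, for every fork PR. Point 3 holds only while no step checks out the PR head ref and runs anything from it, and point 2 is a property of the action's configuration and the `permissions:` block rather than of the trigger; the PR title, body and diff are also untrusted text handed to an automated reviewer that holds a token. I would state the invariant in the comment itself, e.g. `# pull_request_target: runs with base-repo secrets; do not check out or execute the PR head ref in this job`, and pin the action to a full commit SHA rather than a tag so that "trusted" refers to reviewed code. The steps and the rest of `permissions:` are outside the hunk, so they need to be confirmed there.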
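Review bot: The added `if: github.event.pull_request.draft == false` is now the only gate on a job that runs with secrets for fork PRs, so any account can trigger review runs and consume the API quota by opening non-draft PRs. Consider a `concurrency:` group keyed on the PR number, or requiring a maintainer-applied label when `author_association` is `NONE` or `FIRST_TIME_CONTRIBUTOR`. The new key also sits directly under what appears to be a commented-out `if:` author filter (its start is outside the hunk); uncommenting that later would give the job two `if` keys, so a comment such as `# NOTE: merge with the author filter above if it is re-enabled; a job can have only one if:` would help.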