fix(ci): grant write permissions for fork PRs in Claude Code review

Change trigger from pull_request to pull_request_target to allow the workflow to run with write permissions even for external contributors. This fixes the "Actor has insufficient permissions" error. Also add condition to skip draft PRs to reduce API usage.
2026-01-23 02:36:05 +00:00 · 2026-01-19 14:43:26 +01:00 · 2026-01-19 14:43:26 +01:00 · 9e7a9ccdc9
commit 9e7a9ccdc9
parent cf317036de
1 changed files with 9 additions and 1 deletions
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@ -1,7 +1,12 @@
 name: Claude Code Review

+# Using pull_request_target to grant write permissions for fork PRs.
+# This is safe because:
+# 1. We use a trusted action from Anthropic
+# 2. The action only reads PR content and posts comments
+# 3. No code from the PR is executed
 on:
-  pull_request:
+  pull_request_target:
    types: [opened, synchronize, ready_for_review, reopened]
    # Optional: Only run on specific file changes
    # paths:
@ -18,6 +23,9 @@ jobs:
    #   github.event.pull_request.user.login == 'new-developer' ||
    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

+    # Skip draft PRs to reduce API usage
+    if: github.event.pull_request.draft == false
+
    runs-on: ubuntu-latest
    permissions:
      contents: read