diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 25f4ad1..e542d5f 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -12,11 +12,13 @@ on:
 
 jobs:
   claude-review:
-    # Optional: Filter by PR author
-    # if: |
-    #   github.event.pull_request.user.login == 'external-contributor' ||
-    #   github.event.pull_request.user.login == 'new-developer' ||
-    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+    # Skip on fork PRs. GitHub Actions does not pass repository secrets
+    # (``CLAUDE_CODE_OAUTH_TOKEN``) or emit OIDC tokens for ``pull_request``
+    # workflows triggered by forks — the action fails with
+    # "Could not fetch an OIDC token" no matter what. Skipping here keeps
+    # fork-PR check rollups clean; maintainers can still trigger a review
+    # manually via ``claude.yml`` (the @claude mention workflow).
+    if: github.event.pull_request.head.repo.fork == false
 
     runs-on: ubuntu-latest
     permissions: