From 3d5082beace05bce2dba950cef00acf83c06e728 Mon Sep 17 00:00:00 2001
From: nicolotognoni
Date: Mon, 25 May 2026 18:25:09 +0200
Subject: [PATCH] ci: skip Claude Code Review on fork PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GitHub Actions does not pass repository secrets (`CLAUDE_CODE_OAUTH_TOKEN`) or emit OIDC tokens for `pull_request` workflows triggered by forks. The `anthropics/claude-code-action@v1` action consequently fails with "Could not fetch an OIDC token" every time an external contributor opens a PR, leaving a spurious red check on the rollup. Gate the job on `github.event.pull_request.head.repo.fork == false` so the workflow is skipped (not failed) for fork PRs. Maintainers can still trigger a code review manually by mentioning @claude in a comment — that path goes through `claude.yml` (`workflow_dispatch` / `issue_comment` triggers) which runs in the upstream repo's security context with access to secrets. No behaviour change for PRs opened from branches in the upstream repo. Refs PR #106 (Telnyx recording parity by external contributor) which surfaced the noise.
---
 .github/workflows/claude-code-review.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 25f4ad18..e542d5f4 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -12,11 +12,13 @@ on:
 jobs:
 claude-review:
- # Optional: Filter by PR author
- # if: |
- # github.event.pull_request.user.login == 'external-contributor' ||
- # github.event.pull_request.user.login == 'new-developer' ||
- # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+ # Skip on fork PRs. GitHub Actions does not pass repository secrets
+ # (``CLAUDE_CODE_OAUTH_TOKEN``) or emit OIDC tokens for ``pull_request``
+ # workflows triggered by forks — the action fails with
+ # "Could not fetch an OIDC token" no matter what. Skipping here keeps
+ # fork-PR check rollups clean; maintainers can still trigger a review
+ # manually via ``claude.yml`` (the @claude mention workflow).
+ if: github.event.pull_request.head.repo.fork == false
 runs-on: ubuntu-latest
 permissions: