
Skip Claude review for fork PRs #14

Merged

jonathangreen merged 2 commits into main from skip-fork-claude-review on Jun 11, 2026

Conversation

@jonathangreen

Member

Description

Add a same-repository guard to the review job's if condition in the reusable Claude PR review workflow so it only runs for PRs whose head branch lives in the base repository. Fork PRs are now skipped instead of failing.

Motivation and Context

For the pull_request event, GitHub runs fork-originated PRs with a read-only GITHUB_TOKEN and withholds secrets, as a security measure against untrusted code. Under those restrictions the claude-code-action cannot mint an OIDC token (the job's id-token: write is capped to read for forks) and has no CLAUDE_CODE_OAUTH_TOKEN, so the review job fails with Could not fetch an OIDC token.

Example failure on a fork PR: https://github.com/ThePalaceProject/circulation/actions/runs/27349076847/job/80808321565

Rather than have every consumer of this reusable workflow see a failing required-looking check on fork PRs, skip the job cleanly for forks. Same-repo branch PRs are unaffected. Fork support can be added later via a different trigger (e.g. pull_request_target or a label gate), which carries its own security tradeoffs.

How Has This Been Tested?

Not yet run in CI. The if expression uses standard GitHub Actions context fields (github.event.pull_request.head.repo.full_name vs github.repository); a fork PR evaluates the condition to false (job skipped) and a same-repo PR evaluates to true (job runs), preserving the existing dependabot exclusion.

Checklist

  • I have updated the documentation accordingly.
  • All new and existing tests passed.

Fork PRs run with a read-only GITHUB_TOKEN and no access to secrets, so the
claude-code-action can't mint an OIDC token or authenticate, and the job
fails. Gate the review job on the PR head being in the same repository so
fork PRs are skipped cleanly instead of failing.
@claude

claude Bot commented Jun 11, 2026


Claude finished @jonathangreen's task in 1m 13s.

Code Review

  • Gather context (workflow file, README, diff)
  • Review the if condition change for correctness
  • Review comment and README accuracy
  • Check for edge cases / bugs

Summary

The change is correct, minimal, and well-reasoned. The added guard github.event.pull_request.head.repo.full_name == github.repository evaluates to false for fork PRs (head repo is the fork's full name) and true for same-repo branch PRs, which cleanly skips forks before they hit the OIDC/secret failure described in the PR. The existing Dependabot exclusion is preserved since Dependabot branches live in the base repo (so full_name matches and the second clause still applies). Comparing head.repo.full_name to github.repository is the standard, robust idiom for this check, and because the workflow still triggers on the pull_request event the job is reported as skipped (treated as passing by branch protection) rather than left pending — exactly the outcome the PR is after. The README and inline comment accurately describe the new behavior. No actionable issues found.
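The guard discussed in the description and in the review above, shown in context as an added example: this is not the project's own workflow file, the file path, action inputs and the exact form of the pre-existing Dependabot clause are assumptions, and the reusable-workflow repository is a placeholder.

```yaml
# Reusable workflow, assumed path: .github/workflows/claude-pr-review.yml
# Consumers reference it from their own `pull_request` workflow via `uses:`.
# Because it is invoked with workflow_call, the `github` context below is the
# caller's context, so github.event.pull_request is the caller's PR payload.
name: Claude PR review

on:
  workflow_call:
    secrets:
      CLAUDE_CODE_OAUTH_TOKEN:
        required: true

jobs:
  review:
    # Clause 1 (the change in this PR): run only when the PR head branch lives
    # in the base repository. For a fork PR, head.repo.full_name is the fork's
    # "owner/repo", the comparison is false, and the job is reported as skipped
    # instead of failing with "Could not fetch an OIDC token".
    # Clause 2: the pre-existing Dependabot exclusion (exact form assumed).
    # Dependabot branches live in the base repo, so clause 1 is true for them
    # and clause 2 is what skips them.
    if: >-
      github.event.pull_request.head.repo.full_name == github.repository &&
      github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      # GitHub caps this to read for fork PRs on the pull_request event,
      # which is why the job cannot mint an OIDC token there.
      id-token: write
    steps:
      # Action name and input assumed from the PR text, not copied from the project.
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

---
# Caller workflow in a consuming repository, assumed path:
# .github/workflows/pr-review.yml (OWNER/REPO is a placeholder).
name: PR review

on:
  pull_request:

jobs:
  claude-review:
    uses: OWNER/REPO/.github/workflows/claude-pr-review.yml@main
    secrets: inherit
```

A fork PR still shows the job in the checks list, but in the skipped state, which branch protection treats as passing.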

@jonathangreen jonathangreen merged commit 5e3be28 into main Jun 11, 2026
4 checks passed
@jonathangreen jonathangreen deleted the skip-fork-claude-review branch June 11, 2026 13:46