From 6b58af055526cb226b805811f1ae227cedfcd4b3 Mon Sep 17 00:00:00 2001 From: Jonathan Green Date: Thu, 11 Jun 2026 10:36:46 -0300 Subject: [PATCH 1/2] Skip Claude review for fork PRs Fork PRs run with a read-only GITHUB_TOKEN and no access to secrets, so the claude-code-action can't mint an OIDC token or authenticate, and the job fails. Gate the review job on the PR head being in the same repository so fork PRs are skipped cleanly instead of failing. --- .github/workflows/claude-review.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml index ae3c0b0..fccf20c 100644 --- a/.github/workflows/claude-review.yml +++ b/.github/workflows/claude-review.yml @@ -20,7 +20,12 @@ jobs: review: name: Claude Review runs-on: ubuntu-latest - if: github.event.pull_request.user.login != 'dependabot[bot]' + # Fork PRs run with a read-only token and no access to secrets, so the + # review can't authenticate. Skip them (along with dependabot) until fork + # support is added. + if: >- + github.event.pull_request.head.repo.full_name == github.repository && + github.event.pull_request.user.login != 'dependabot[bot]' permissions: contents: read pull-requests: write From 43a25ac53248e8f30d9bc7201afdf89f75122525 Mon Sep 17 00:00:00 2001 From: Jonathan Green Date: Thu, 11 Jun 2026 10:43:51 -0300 Subject: [PATCH 2/2] Document that fork PRs are skipped in the README --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 88a5ac0..b77e1b8 100644 --- a/README.md +++ b/README.md 
@@ -20,8 +20,10 @@ Pin to `vX.Y.Z` if you need an immutable reference. ### `claude-review` Runs Claude Code as a PR reviewer on `pull_request` events. The workflow owns -its trigger filter (skips Dependabot), concurrency group, permissions, and -review prompt — consumers just dispatch. +its trigger filter (skips Dependabot and PRs from forks), concurrency group, +permissions, and review prompt — consumers just dispatch. Fork PRs are skipped +because they run with a read-only token and no access to secrets, so the review +can't authenticate. ```yaml name: Claude PR Review
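Review bot: In the `.github/workflows/claude-review.yml` hunk, the new job-level `if:` means a fork PR finishes with the `review` job skipped, and GitHub reports a job skipped by a conditional as successful. If "Claude Review" is configured as a required status check, a fork PR satisfies it without any review having run. That is worth stating in the comment above the `if:`, since "skip them ... until fork support is added" reads as a reliability note only. The same condition also evaluates false on any event that carries no `pull_request` payload, because `github.event.pull_request.head.repo.full_name` is then empty, whereas the old dependabot-only check evaluated true in that case. If the workflow is only ever meant to run on `pull_request`, say so in the comment.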
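Review bot: In the `README.md` hunk, the added sentence under `claude-review` gives the reason fork PRs are skipped but not what a consumer will see or needs to do about it. Suggest adding that the job appears as skipped rather than failed on fork PRs, that contributions from forks therefore get no automated review and need another review path, and that the skip is temporary, matching the "until fork support is added" wording in the workflow comment. It would also help to say that the test is whether the PR head repository equals the repository running the workflow, so "PRs from forks" is unambiguous.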