
[WIP] Fix GitHub Actions job failure in claude-code-review.yml #62

Merged
ziembor merged 2 commits into main from copilot/fix-github-actions-failure on May 1, 2026

Conversation

Copilot AI (Contributor) commented May 1, 2026

  • Add if: guard to claude-review job in .github/workflows/claude-code-review.yml to skip on fork PRs
Original prompt

Create a PR that fixes the failing GitHub Actions job in run https://github.com/ziembor/gomailtesttool/actions/runs/25236018071/job/74002302380?pr=61.

Failure summary (from job logs): the anthropics/claude-code-action@v1 step fails during OIDC/app token exchange with 401 Unauthorized - User does not have write access on this repository.

Repository: ziembor/gomailtesttool
Workflow file: .github/workflows/claude-code-review.yml

Implement a safe fix so the workflow does not fail on fork PRs / contexts without write permissions.

Requirements:

  • Keep the workflow trigger as pull_request.
  • Add a job-level if: guard so the job runs only when the PR head repo is the same as the base repo (i.e., not a fork): github.event.pull_request.head.repo.full_name == github.repository.
  • Preserve existing step configuration and permissions unless changes are necessary for correctness.
  • Ensure the workflow file remains valid YAML and continues to run for same-repo PRs.

Deliverables:

  • Commit the change on a branch and open a pull request against main.
  • PR title should clearly indicate it fixes the Claude Code Review workflow failing on fork PRs.

Reference: Use commit ref from the failing job logs: 14fabff4cd2858db36f44e5aa6a3cf7c9137ec6d for any code links in discussion if needed.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The job is failing before it ever gets to reviewing code. It dies while trying to exchange the OIDC token for an “app token”:

  • 401 Unauthorized - User does not have write access on this repository
  • then the workflow ends with Action failed with error: User does not have write access on this repository

This is a permissions/token-scope issue, not a code/test failure in your repo.

Why it’s happening

Your workflow runs on pull_request and uses anthropics/claude-code-action@v1 with id-token: write:

permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write

The Claude action then attempts an authenticated operation that requires write access to the repo (or it requires a token that can perform write actions). On PRs—especially from forks—GitHub deliberately restricts token permissions, and OIDC/app-token exchanges commonly fail if the actor/token doesn’t have sufficient repo write rights.

Fix options (pick one)

Option A (recommended): Don’t run this workflow on untrusted PRs / forks

Gate the job so it only runs when the PR comes from the same repository (not a fork), and ideally when the author is trusted.

Add an if condition to the job:

jobs:
  claude-review:
    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write

If you also want to restrict to members/collaborators:

if: |
  github.event.pull_request.head.repo.full_name == github.repository &&
  (github.event.pull_request.author_association == 'OWNER' ||
   github.event.pull_request.author_association == 'MEMBER' ||
   github.event.pull_request.author_association == 'COLLABORATOR')

This avoids the “no write access” situation that occurs for fork PRs.

Option B: Switch to pull_request_target (only if you understand the security implications)

pull_request_target runs in the context of the base repo (so tokens/permissions work), but it can be dangerous if you check out and execute untrusted PR code.

If you do this, do not run arbitrary code from the PR. For a review bot that only comments/diffs, it can be acceptable.

Change:

on:
  pull_request:
    types: [opened, synchronize]

to:

on:
  pull_request_target:
    types: [opened, synchronize]

And keep checkout safe (checkout the base repo by default, or be very deliberate about what you fetch). If you need the PR diff, use gh pr diff (as your prompt already suggests) rather than executing PR code.

Option C: Ensure the Claude OAuth token is correct and has the required access

Your step uses:

with:
  claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

If that secret is missing on fork PRs (common) or not authorized for this repo, the action may fall back to an OIDC/app-token path and then fail with the “no write access” error you see. Ensure:

  • CLAUDE_CODE_OAUTH_TOKEN is set in repo secrets
  • it’s available for the event you’re using (fork PRs generally won’t get repo secrets)
  • the token/app installation backing that token has access to ziembor/gomailtesttool

In practice, Option A or B is usually still necessary because secrets won’t be exposed to fork PRs.

Minim...

This pull request was created from Copilot chat.
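The two job-level `if:` expressions quoted in the PR description (same-repo guard, and the stricter variant that also checks `author_association`) and the pull_request_target caveat from Option B can be checked offline against sample event payloads. The following is an added example written for this page; it is not code from PR #62 or from the gomailtesttool project. The function names, the constructed event payloads and the constructed workflow dict are assumptions made for the example; the payload shape follows the fields the expressions on the page reference, and the `author_association` values used are GitHub's documented ones.

```python
"""Evaluate the fork-PR guard from the claude-code-review.yml fix offline.

Added example, not part of PR #62 or the gomailtesttool project. It reproduces
in Python the two job-level `if:` expressions quoted in the PR description so
the decision can be checked against constructed pull_request event payloads,
and adds a small lint for the Option B caveat (a workflow on pull_request_target
that checks out the PR head). Function names, sample payloads and the workflow
dict below are assumptions constructed for this example.
"""

# author_association values treated as trusted by the stricter guard on the page.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}


def is_same_repo_pr(event: dict, repository: str) -> bool:
    """Mirror `github.event.pull_request.head.repo.full_name == github.repository`.

    `head.repo` is null when the fork was deleted after the PR was opened, so a
    missing value is treated as "not the same repo" rather than raising.
    """
    head_repo = (event.get("pull_request") or {}).get("head", {}).get("repo") or {}
    return head_repo.get("full_name") == repository


def is_trusted_author(event: dict) -> bool:
    """Mirror the author_association clause of the stricter guard variant."""
    assoc = (event.get("pull_request") or {}).get("author_association")
    return assoc in TRUSTED_ASSOCIATIONS


def should_run_review(event: dict, repository: str, require_trusted_author: bool = False) -> bool:
    """Job-level decision: same-repo PR, optionally also a trusted author."""
    if not is_same_repo_pr(event, repository):
        return False
    return is_trusted_author(event) if require_trusted_author else True


def uses_head_checkout_under_target(workflow: dict) -> list:
    """Flag checkout steps that fetch the PR head while the workflow runs on pull_request_target.

    Returns "job/step" labels for offending steps; an empty list means the caveat does not apply.
    """
    # PyYAML parses the bare key `on:` as boolean True, so accept either key.
    triggers = workflow.get("on", workflow.get(True)) or {}
    if isinstance(triggers, str):
        triggers = {triggers: {}}
    elif isinstance(triggers, list):
        triggers = {t: {} for t in triggers}
    if "pull_request_target" not in triggers:
        return []
    findings = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        for step in job.get("steps") or []:
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and "pull_request.head" in ref:
                findings.append(f"{job_name}/{step.get('name') or uses}")
    return findings


# Constructed sample payloads; only the fields the guard expressions read are present.
REPO = "ziembor/gomailtesttool"
SAME_REPO_OWNER_PR = {
    "pull_request": {"author_association": "OWNER",
                     "head": {"repo": {"full_name": REPO}}}
}
FORK_PR = {
    "pull_request": {"author_association": "CONTRIBUTOR",
                     "head": {"repo": {"full_name": "someone-else/gomailtesttool"}}}
}
# Constructed to show where the two guard variants differ: same-repo head, untrusted association.
SAME_REPO_UNTRUSTED_PR = {
    "pull_request": {"author_association": "FIRST_TIME_CONTRIBUTOR",
                     "head": {"repo": {"full_name": REPO}}}
}
DELETED_FORK_PR = {"pull_request": {"author_association": "NONE", "head": {"repo": None}}}

# Constructed workflow dict (what a YAML parser yields) combining the Option B trigger with
# the head checkout the answer warns against.
UNSAFE_TARGET_WORKFLOW = {
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"claude-review": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
    ]}},
}

if __name__ == "__main__":
    cases = [("owner, same repo", SAME_REPO_OWNER_PR), ("fork", FORK_PR),
             ("untrusted, same repo", SAME_REPO_UNTRUSTED_PR), ("deleted fork", DELETED_FORK_PR)]
    for label, ev in cases:
        print(f"{label:22} run={should_run_review(ev, REPO)} "
              f"run(trusted only)={should_run_review(ev, REPO, True)}")
    print("unsafe checkout steps:", uses_head_checkout_under_target(UNSAFE_TARGET_WORKFLOW))
```

The lint only catches the specific combination the answer names (pull_request_target plus a checkout of the PR head); it is a quick check for this caveat, not a general workflow audit.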

@ziembor ziembor marked this pull request as ready for review May 1, 2026 22:38
@ziembor ziembor merged commit 9e51fc4 into main May 1, 2026
6 of 7 checks passed
@ziembor ziembor deleted the copilot/fix-github-actions-failure branch May 1, 2026 22:38
Copilot stopped work on behalf of ziembor due to an error May 1, 2026 22:39
Copilot AI requested a review from ziembor May 1, 2026 22:39