Run Claude review for external PRs safely (#123)

akseljoonas · web-flow · commit 4501d6981d41 · 2026-04-25T23:23:31.000+03:00
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
@@ -1,8 +1,8 @@
 name: Claude PR Review
 
 on:
-  pull_request:
-    types: [opened, synchronize, ready_for_review]
+  pull_request_target:
+    types: [opened, synchronize, ready_for_review, reopened]
 
 permissions:
   contents: read
@@ -22,6 +22,10 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          # On pull_request_target, keep checkout on the trusted base-repo ref.
+          # The Claude action can review the PR via GitHub context/API without
+          # executing untrusted fork code with repository secrets.
+          persist-credentials: false
 
       - name: Compose review prompt
         id: compose
