21 changes: 16 additions & 5 deletions .github/workflows/claude-review.yml
@@ -1,7 +1,12 @@
name: Claude PR Review

# Using pull_request_target (not pull_request) so fork PRs can access secrets
# and id-token. GitHub withholds both on the plain pull_request event for
# security. pull_request_target runs in the base repo context, so we must
# explicitly check out the PR's head SHA and read review rules from the base
# branch — never trust anything the PR controls.
on:
pull_request:
pull_request_target:
types: [opened, synchronize, ready_for_review]

permissions:
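Review bot: the head-SHA checkout under `pull_request_target` is exactly the "anything the PR controls" the new comment warns about, so the invariant the comment block should state is that no later step executes anything from the checked-out tree (no dependency install, no build or test scripts, no git hooks, no tool or agent config read from the workspace) while the job holds secrets and id-token. Also, `types: [opened, synchronize, ready_for_review]` fires on every push to a fork PR with no approval gate; consider gating fork-origin PRs (for example on a maintainer-applied label) before a job with these permissions runs.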
Expand All @@ -21,25 +26,31 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0

- name: Fetch REVIEW.md from base branch
run: |
git fetch origin "${{ github.event.pull_request.base.ref }}" --depth=1
git show "origin/${{ github.event.pull_request.base.ref }}:REVIEW.md" > .review-from-base.md 2>/dev/null || true

- name: Compose review prompt
id: compose
run: |
{
printf 'prompt<<PROMPT_EOF\n'
if [ -f REVIEW.md ]; then
echo '# Highest-priority review instructions (from REVIEW.md at the repo root)'
if [ -s .review-from-base.md ]; then
echo '# Highest-priority review instructions (from REVIEW.md on base branch)'
echo 'Follow these rules as the authoritative guide for this review. If anything'
echo 'below contradicts a more generic review habit, follow these.'
echo
cat REVIEW.md
cat .review-from-base.md
echo
echo '---'
echo
fi
cat <<'BASE'
Review this pull request against the main branch.
Review this pull request against the base branch.

Tag every finding with a priority label: P0 (blocks merge), P1 (worth
fixing, not blocking), or P2 (informational / pre-existing). Open the
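Review bot: `.review-from-base.md` is written inside the PR's checked-out tree; the redirect truncates any file of that name before `git show` runs, so PR-supplied content cannot be picked up, but a symlink of that name would be followed, so prefer a path under `$RUNNER_TEMP` and `cat` it from there in the compose step. `${{ github.event.pull_request.base.ref }}` is also interpolated straight into the `run:` script twice; the value is constrained to an existing branch name in the base repo, but the usual form is an `env:` entry (`BASE_REF: ${{ github.event.pull_request.base.ref }}`) referenced as `"origin/$BASE_REF:REVIEW.md"` so no expression lands in shell. Moving the rules to the base branch protects only the rule source: the PR's diff, title and body still reach the model, so the "authoritative guide" instruction is only as strong as the limits on what the action can do with its output.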