Skip to content

Add comprehensive fork PR support documentation and examples#614

Open
keithah wants to merge 1 commit intoanthropics:mainfrom
keithah:fork-pr-support
Open

Add comprehensive fork PR support documentation and examples#614
keithah wants to merge 1 commit intoanthropics:mainfrom
keithah:fork-pr-support

Conversation

@keithah
Copy link

@keithah keithah commented Oct 10, 2025
edited
Loading

This PR addresses multiple open issues related to fork PR support:

Summary

Fork PRs have been a persistent pain point for users. This PR provides comprehensive documentation and updated examples to make fork PR support work seamlessly for both @claude mentions and automated reviews.

Changes

📚 Documentation

New: docs/fork-pr-support.md

Comprehensive guide covering:

  • Two scenarios: @claude mentions vs automated reviews
  • Step-by-step solutions with clear explanations of why each fix works
  • Security considerations for pull_request_target
  • Complete working examples
  • Troubleshooting guide for common errors
  • Migration instructions for existing workflows
  • Comparison table: pull_request vs pull_request_target

Updated: docs/faq.md

  • Added "Fork Pull Requests" section
  • Common fork PR errors and solutions
  • Links to detailed fork PR support guide
  • Updated best practices

🔧 Example Workflows

All PR review examples updated to support fork PRs:

examples/claude.yml (@claude mentions)

  • Added fork detection step using GitHub API
  • Dynamically checkouts fork repository when needed
  • Works seamlessly for both fork and non-fork PRs

examples/pr-review-*.yml (Automated reviews)

Updated all three PR review examples:

  • Changed to pull_request_target trigger
  • Checkout fork repository correctly
  • Added github_token to bypass OIDC issues
  • Added allowed_non_write_users: '*' to allow fork contributors
  • Added security notes referencing fork PR documentation

Key Technical Fixes

Fix 1: @claude Mentions on Fork PRs

Problem: Fork branches don't exist in base repository

Solution: Detect fork PRs and checkout fork repository directly

- name: Get PR info for fork support
  run: |
    PR_DATA=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }})
    # Extract fork info...

- uses: actions/checkout@v4
  with:
    repository: ${{ steps.pr-info.outputs.is_fork == 'true' && format('{0}/{1}', ...) || github.repository }}

Fix 2: Automated Reviews on Fork PRs

Problems:

  1. Branch not found (same as above)
  2. OIDC authentication fails with pull_request_target
  3. Fork contributors lack write permissions

Solution: Apply three fixes

on:
  pull_request_target:  # Required for fork write access

steps:
  - uses: actions/checkout@v4
    with:
      repository: ${{ github.event.pull_request.head.repo.full_name }}  # Fix 1
      ref: ${{ github.event.pull_request.head.ref }}

  - uses: anthropics/claude-code-action@v1
    with:
      github_token: ${{ secrets.GITHUB_TOKEN }}      # Fix 2: Bypass OIDC
      allowed_non_write_users: '*'                    # Fix 3: Allow fork contributors

Security Analysis

Using allowed_non_write_users: '*' is safe for review workflows because:

  • ✅ Reviews only read code and post comments (no code execution)
  • ✅ Uses pull_request_target (runs in base repo context, not fork)
  • ✅ No deployment or build steps with untrusted code
  • ✅ Standard pattern for PR review automation

The documentation clearly explains when this is safe vs unsafe.

Testing

Successfully tested on xbmc/xbmc repository:

  • @claude mentions working on fork PRs (PR #27089)
  • ✅ Automated reviews working on fork PRs from users without write access (PR #27339)
  • ✅ All three fixes verified working in production

Credits

Special thanks to @CryptoGnome whose aster_lick_hunter_node repository provided valuable insights for the fork repository checkout solution.

Migration Path

Users with existing workflows can follow the migration guide in docs/fork-pr-support.md to add fork support. The changes are backward compatible - non-fork PRs continue to work as before.

This should significantly improve the fork PR experience and close several long-standing issues! 🎉

Add comprehensive fork PR support documentation and examples
687452c 
This PR addresses multiple open issues related to fork PR support:
- anthropics#339 - Claude review fails on PRs from forks
- anthropics#542 - OIDC token errors on fork PRs
- anthropics#223 - "couldn't find remote ref" errors for fork PRs
- anthropics#46 - Wrong branch checkout for forked PRs

## Changes

### Documentation
- **New**: `docs/fork-pr-support.md` - Comprehensive guide covering:
  - Both @claude mention and automated review scenarios
  - Step-by-step solutions with explanations
  - Security considerations for pull_request_target
  - Complete working examples
  - Troubleshooting guide
  - Migration instructions

- **Updated**: `docs/faq.md` - Added fork PR section with:
  - Common fork PR errors and solutions
  - Links to detailed fork PR support guide

### Example Workflows
All PR review examples updated to support fork PRs:

- **`examples/claude.yml`** - Added fork detection for @claude mentions:
  - Dynamically detects fork PRs via GitHub API
  - Checks out fork repository when needed
  - Works for both fork and non-fork PRs

- **`examples/pr-review-comprehensive.yml`** - Updated for automated reviews:
  - Changed to `pull_request_target` trigger
  - Checkouts fork repository correctly
  - Added `github_token` to bypass OIDC issues
  - Added `allowed_non_write_users: '*'` for fork contributors

- **`examples/pr-review-filtered-authors.yml`** - Same fork PR fixes
- **`examples/pr-review-filtered-paths.yml`** - Same fork PR fixes

## Key Fixes

### Fix 1: @claude Mentions on Fork PRs
Fork branches don't exist in base repo, so we detect forks and checkout fork repository directly using `actions/checkout` with dynamic repository parameter.

### Fix 2: Automated Reviews on Fork PRs
Requires three changes:
1. Checkout fork repository: `repository: ${{ github.event.pull_request.head.repo.full_name }}`
2. Bypass OIDC: `github_token: ${{ secrets.GITHUB_TOKEN }}`
3. Allow fork contributors: `allowed_non_write_users: '*'`

## Credits

Special thanks to @CryptoGnome whose aster_lick_hunter_node repository provided valuable insights for the fork repository checkout solution.

## Testing

Successfully tested on xbmc/xbmc repository:
- @claude mentions working on fork PRs
- Automated reviews working on fork PRs from users without write access
- Example: xbmc/xbmc#27339 (comment)
@jrgilman
Copy link

jrgilman commented Oct 20, 2025

Any news on this?

yangm2 added a commit to yangm2/tenantfirstaid that referenced this pull request Nov 11, 2025
@yangm2
try fix from anthropics/claude-code-action#614
0058662
yangm2 added a commit to yangm2/tenantfirstaid that referenced this pull request Nov 12, 2025
@yangm2
try fix from anthropics/claude-code-action#614
da0f17c
yangm2 added a commit to codeforpdx/tenantfirstaid that referenced this pull request Nov 18, 2025
@yangm2
switch to Claude agent v1 with more project configuration (#210)
4d08c0d 
* switch to Claude agent v1 with more project configuration

* add an Infrastructure category

* try fix from anthropics/claude-code-action#614

* um not sure if this will help

* broken due to some comment permission issue ... defer

* fix typo

* stay on Python 3.13 for now; don't build dependencies

* allow dependency builds

* try applying fork support fixes again
@Tennyx Tennyx mentioned this pull request Nov 24, 2025
Merged
dirvine added a commit to saorsa-labs/saorsa-node that referenced this pull request Jan 28, 2026
@dirvine @claude
fix: use fork with PR #614 fix for fork PR support
a761be3 
The official claude-code-action@v1 has a bug (#223) where it fails to
checkout PRs from forks. PR #614 fixes this but isn't merged yet.

Using keithah/claude-code-action@fork-pr-support as a temporary workaround
until the fix is merged into the main action.

Refs:
- anthropics/claude-code-action#223
- anthropics/claude-code-action#614

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
DouweM added a commit to pydantic/pydantic-ai that referenced this pull request Feb 5, 2026
@DouweM @claude
Support fork PRs in CI workflows and restrict @claude to maintainers
23c82d6 
- review.yml: Switch to pull_request_target trigger, checkout fork repo
  explicitly, use github_token to bypass OIDC, allow non-write users,
  remove make install (don't run untrusted code), block make/uv tools
- at-claude.yml: Add maintainer-only gate via author_association, add
  fork PR detection and checkout, upgrade actions/checkout to v6

Based on approach from anthropics/claude-code-action#614.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@teeohhem teeohhem mentioned this pull request Feb 19, 2026
Merged
kodiakhq bot pushed a commit to hyperdxio/hyperdx that referenced this pull request Feb 19, 2026
@teeohhem
fix: allow claude PR review for all contributors (#1762)
90a733a 
Known limitation from the official workflow. See anthropics/claude-code-action#614 for inspiration for this change.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

2 participants

@keithah @jrgilman