Add Claude Code GitHub Workflow

[sbryngelson]

User description

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

• Bug fixes and improvements
• Documentation updates
• Implementing new features
• Code reviews and suggestions
• Writing tests
• And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

• This workflow won't take effect until this PR is merged
• @claude mentions won't work until after the merge is complete
• The workflow runs automatically whenever Claude is mentioned in PR or issue comments
• Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

• Our Anthropic API key is securely stored as a GitHub Actions secret
• Only users with write access to the repository can trigger the workflow
• All Claude runs are stored in the GitHub Actions run history
• Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
• We can add more allowed tools by adding them to the workflow file like:

allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

---

CodeAnt-AI Description

Add GitHub workflows to run Claude Code for PRs, comments, and issues

What Changed

• New workflow runs an automated Claude Code review when pull requests are opened, updated, reopened, or marked ready for review
• New workflow triggers Claude when someone mentions @claude in issue comments, PR review comments, PR review bodies, or issue titles/bodies
• Claude can read CI results (when allowed) and posts actions based on repository context; the workflows use a repository secret for the Claude OAuth token

Impact

✅ Automated PR reviews run on open/update events
✅ AI responses available via @claude mentions in issues and comments
✅ AI reviews can include CI context when permission is granted

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

Summary by CodeRabbit

• New Features

  • Introduced automated code review workflow that analyzes pull requests with Claude AI, providing intelligent feedback on each submission.
  • Introduced interactive workflow enabling Claude-powered development assistance when mentioned in pull request reviews, comments, and issue discussions.

• Chores

  • Configured GitHub Actions workflows for enhanced code quality and developer productivity.

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[coderabbitai]

Warning

Rate limit exceeded

@sbryngelson has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 5 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Two new GitHub Actions workflows are introduced to integrate Claude AI code review capabilities. The first workflow (claude-code-review.yml) automatically triggers Claude code reviews on pull request lifecycle events, while the second (claude.yml) enables Claude assistance when explicitly invoked with @claude mentions in comments and reviews.

Changes

Cohort / File(s)

Summary

GitHub Actions Workflows .github/workflows/claude-code-review.yml, .github/workflows/claude.yml

Introduces two new AI-powered workflow integrations. First workflow automatically runs Claude code reviews on PR events (opened, synchronize, ready_for_review, reopened) with read permissions for contents, pull-requests, and issues. Second workflow enables Claude assistance triggered by @claude mentions in comments or reviews. Both workflows use anthropics/claude-code-action@v1 action with CLAUDE_CODE_OAUTH_TOKEN secret, plugin marketplace configuration, and appropriate permission scopes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

size:S

Poem

🐰 A bunny hops with glee,
Claude now reviews with AI spree,
Pull requests flow, feedback grows,
With @claude's help, the code just glows,
Automation hops to victory! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description deviates from the template structure with extensive custom content instead of following required sections like Type of change, Testing, and Checklist.	Reformat the description to follow the template structure: add a Type of change section, Testing section, and Checklist with appropriate items marked.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: adding Claude Code GitHub workflows to the repository.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch add-claude-github-actions-1771783749004

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[Copilot]

Pull request overview

This PR adds GitHub Actions workflows to enable Claude Code AI agent integration in the MFC repository. Claude Code can be invoked by mentioning @claude in PR/issue comments and will perform automated tasks like bug fixes, reviews, documentation updates, and feature implementation.

Changes:

• Adds interactive Claude Code workflow triggered by @claude mentions in comments and reviews
• Adds automatic Claude Code Review workflow that runs on all new/updated pull requests

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/claude.yml	Interactive Claude Code workflow triggered by @claude mentions in PR/issue comments and reviews
.github/workflows/claude-code-review.yml	Automatic Claude Code Review workflow for all PRs

Comments suppressed due to low confidence (5)

.github/workflows/claude.yml:12

• The workflow is missing a concurrency group configuration. All other similar workflows in this repository (test.yml, bench.yml, cleanliness.yml, etc.) define concurrency groups to prevent multiple simultaneous runs from the same ref, which avoids wasted resources and conflicting executions. Consider adding a concurrency section to prevent multiple Claude instances from running simultaneously on the same PR or issue.

name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
  pull_request_review:
    types: [submitted]

.github/workflows/claude-code-review.yml:11

• The commented example paths reference TypeScript and JavaScript files (src//*.ts, src//.tsx, src/**/.js, src//*.jsx), which are not relevant to MFC's Fortran codebase. If path filtering is needed for this project, the paths should reference MFC's actual source structure such as src//.fpp, src/**/.f90, toolchain//*.py, examples//.py, or docs/**/.md to match the project's actual file types.

    # Optional: Only run on specific file changes
    # paths:
    #   - "src/**/*.ts"
    #   - "src/**/*.tsx"
    #   - "src/**/*.js"
    #   - "src/**/*.jsx"

.github/workflows/claude-code-review.yml:12

• The workflow is missing a concurrency group configuration. All other similar workflows in this repository (test.yml, bench.yml, cleanliness.yml, etc.) define concurrency groups to prevent multiple simultaneous runs and manage resource usage efficiently. Consider adding a concurrency section to prevent multiple Claude review instances from running simultaneously on the same PR.

name: Claude Code Review

on:
  pull_request:
    types: [opened, synchronize, ready_for_review, reopened]
    # Optional: Only run on specific file changes
    # paths:
    #   - "src/**/*.ts"
    #   - "src/**/*.tsx"
    #   - "src/**/*.js"
    #   - "src/**/*.jsx"

.github/workflows/claude.yml:32

• MFC's toolchain requires Python 3.10+ and the workflows should run './mfc.sh init' before attempting any operations, as seen in other workflows (formatting.yml, lint-toolchain.yml, test.yml). However, this workflow checks out with fetch-depth: 1 and doesn't initialize the MFC toolchain. If Claude Code needs to interact with MFC-specific commands (like './mfc.sh format', './mfc.sh lint', or './mfc.sh test'), the workflow should include a step to set up Python and run './mfc.sh init' after checkout.

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

.github/workflows/claude-code-review.yml:32

• Similar to the main claude.yml workflow, if Claude Code Review needs to interact with MFC-specific commands (like './mfc.sh format', './mfc.sh lint', or './mfc.sh validate'), the workflow should include a step to set up Python and run './mfc.sh init' after checkout. All other MFC workflows initialize the toolchain before performing operations.

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/claude-code-review.yml (1)

36-37: Same mutable @v1 tag concern as in claude.yml — pin to a commit SHA.

🔒 Proposed fix

-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@<full-commit-sha>  # v1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml around lines 36 - 37, The workflow
currently pins the action with a mutable tag "uses:
anthropics/claude-code-action@v1"; replace this with an immutable commit SHA for
the action (e.g., "uses: anthropics/claude-code-action@<commit-sha>") so the run
is reproducible and secure, updating the same pattern wherever
"anthropics/claude-code-action@v1" appears (including other workflow files like
claude.yml) and verify the chosen commit SHA corresponds to the desired action
release before committing.

.github/workflows/claude.yml (1)

35-37: Pin the action to a specific commit SHA to avoid supply-chain risk.

anthropics/claude-code-action@v1 is a mutable floating tag. A compromised or inadvertent push to that tag would execute untrusted code in this workflow with id-token: write and contents: read access.

🔒 Proposed fix: pin to a commit SHA

-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@<full-commit-sha>  # v1

Run gh release view v1 --repo anthropics/claude-code-action --json targetCommitish to get the exact SHA.

Additionally, confirm that the Claude GitHub App is installed on this repo (https://github.com/apps/claude) and that the CLAUDE_CODE_OAUTH_TOKEN Actions secret is populated — the Claude GitHub App must be installed and authentication credentials added to your repository secrets before the workflow can function.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 35 - 37, Replace the floating tag
"anthropics/claude-code-action@v1" with the specific commit SHA for that release
(e.g., "anthropics/claude-code-action@<commit-sha>") to pin the action; obtain
the SHA via the repository release metadata (e.g., using "gh release view v1
--repo anthropics/claude-code-action --json targetCommitish") and update the
workflow entry that references claude_code_oauth_token/CLAUDE_CODE_OAUTH_TOKEN
accordingly, and then verify the Claude GitHub App is installed on the repo and
that the CLAUDE_CODE_OAUTH_TOKEN Actions secret is present and correct.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude-code-review.yml:
- Around line 4-5: The pull_request workflow currently triggers on the
synchronize event which causes a Claude review on every commit; update the
pull_request trigger (the pull_request key and its types array) to remove
"synchronize" or replace it with a more selective setup: either limit to only
["opened","ready_for_review","reopened"] or add a paths: filter (or enable the
commented author filter) so only meaningful PRs or specific files/authors invoke
the workflow; modify the types array and/or add a paths or author filter
accordingly to reduce redundant runs.
- Around line 13-19: The workflow job claude-review runs on pull_request and
expects the secret CLAUDE_CODE_OAUTH_TOKEN, but secrets are not available for
forked PRs causing auth failures; add a fork-guard conditional to the job (e.g.,
on the claude-review job add an if: that checks the PR head repo equals the base
repo such as comparing github.event.pull_request.head.repo.full_name to
github.repository or similar) so the job is skipped for forked PRs and won’t
attempt to use CLAUDE_CODE_OAUTH_TOKEN for external contributions.

---

Nitpick comments:
In @.github/workflows/claude-code-review.yml:
- Around line 36-37: The workflow currently pins the action with a mutable tag
"uses: anthropics/claude-code-action@v1"; replace this with an immutable commit
SHA for the action (e.g., "uses: anthropics/claude-code-action@<commit-sha>") so
the run is reproducible and secure, updating the same pattern wherever
"anthropics/claude-code-action@v1" appears (including other workflow files like
claude.yml) and verify the chosen commit SHA corresponds to the desired action
release before committing.

In @.github/workflows/claude.yml:
- Around line 35-37: Replace the floating tag "anthropics/claude-code-action@v1"
with the specific commit SHA for that release (e.g.,
"anthropics/claude-code-action@<commit-sha>") to pin the action; obtain the SHA
via the repository release metadata (e.g., using "gh release view v1 --repo
anthropics/claude-code-action --json targetCommitish") and update the workflow
entry that references claude_code_oauth_token/CLAUDE_CODE_OAUTH_TOKEN
accordingly, and then verify the Claude GitHub App is installed on the repo and
that the CLAUDE_CODE_OAUTH_TOKEN Actions secret is present and correct.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

synchronize trigger fires Claude review on every commit push to any open PR.

Without a path or author filter, each new commit pushed to a PR (including fixup commits) triggers a full Claude review run. For an active repo this can generate significant API costs and redundant review noise. Consider scoping with the paths: filter or limiting to meaningful events like opened and ready_for_review only, or use the commented-out author filter to restrict to specific contributors.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml around lines 4 - 5, The
pull_request workflow currently triggers on the synchronize event which causes a
Claude review on every commit; update the pull_request trigger (the pull_request
key and its types array) to remove "synchronize" or replace it with a more
selective setup: either limit to only ["opened","ready_for_review","reopened"]
or add a paths: filter (or enable the commented author filter) so only
meaningful PRs or specific files/authors invoke the workflow; modify the types
array and/or add a paths or author filter accordingly to reduce redundant runs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Missing fork PR guard will cause authentication failures for every external contributor.

The pull_request event does not pass repository secrets to fork-sourced PRs. CLAUDE_CODE_OAUTH_TOKEN will be an empty string for any PR opened from a fork, causing the workflow to fail with an auth error on every external contribution. MFC is an open-source project, so this will be the common case.

🐛 Proposed fix: add a fork guard to the job

 jobs:
   claude-review:
+    if: github.event.pull_request.head.repo.full_name == github.repository
     # Optional: Filter by PR author

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml around lines 13 - 19, The workflow
job claude-review runs on pull_request and expects the secret
CLAUDE_CODE_OAUTH_TOKEN, but secrets are not available for forked PRs causing
auth failures; add a fork-guard conditional to the job (e.g., on the
claude-review job add an if: that checks the PR head repo equals the base repo
such as comparing github.event.pull_request.head.repo.full_name to
github.repository or similar) so the job is skipped for forked PRs and won’t
attempt to use CLAUDE_CODE_OAUTH_TOKEN for external contributions.

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/claude-code-review.yml">

<violation number="1" location=".github/workflows/claude-code-review.yml:24">
P1: Elevating `pull-requests` to `write` without a fork PR guard will cause authentication failures for every external contributor. The `pull_request` event does not pass repository secrets to fork-sourced PRs, so `CLAUDE_CODE_OAUTH_TOKEN` will be empty for any PR opened from a fork — the common case for an open-source project like MFC. Add an `if` condition on the job to skip fork PRs:

```yaml
jobs:
  claude-review:
    if: github.event.pull_request.head.repo.full_name == github.repository
```</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: Elevating pull-requests to write without a fork PR guard will cause authentication failures for every external contributor. The pull_request event does not pass repository secrets to fork-sourced PRs, so CLAUDE_CODE_OAUTH_TOKEN will be empty for any PR opened from a fork — the common case for an open-source project like MFC. Add an if condition on the job to skip fork PRs:

jobs:
  claude-review:
    if: github.event.pull_request.head.repo.full_name == github.repository

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 24:

<comment>Elevating `pull-requests` to `write` without a fork PR guard will cause authentication failures for every external contributor. The `pull_request` event does not pass repository secrets to fork-sourced PRs, so `CLAUDE_CODE_OAUTH_TOKEN` will be empty for any PR opened from a fork — the common case for an open-source project like MFC. Add an `if` condition on the job to skip fork PRs:

```yaml
jobs:
  claude-review:
    if: github.event.pull_request.head.repo.full_name == github.repository
```</comment>

<file context>
@@ -21,7 +21,7 @@ jobs:
     permissions:
       contents: read
-      pull-requests: read
+      pull-requests: write
       issues: read
       id-token: write
</file context>

[cubic-dev-ai]

5 issues found across 2 files

Confidence score: 2/5

• High-severity workflow misconfigurations in .github/workflows/claude-code-review.yml (missing/incorrect triggers, prompt handling) will prevent Claude from responding to comment-based requests as intended.
• Insufficient permissions in .github/workflows/claude.yml and .github/workflows/claude-code-review.yml block comment/branch/commit creation, making the automation fail for its core use cases.
• Forked PRs will consistently fail due to secrets not being available on pull_request, which is a concrete, user-facing failure for open-source contributors.
• Pay close attention to .github/workflows/claude-code-review.yml and .github/workflows/claude.yml - workflow triggers/permissions and fork-secret access need adjustment.

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/claude-code-review.yml">

<violation number="1" location=".github/workflows/claude-code-review.yml:5">
P1: Add `issue_comment` and `pull_request_review_comment` triggers to allow the workflow to run on comments as described in the PR.</violation>

<violation number="2" location=".github/workflows/claude-code-review.yml:14">
P1: This workflow will fail with an authentication error on every PR opened from a fork, because the `pull_request` event does not expose repository secrets to fork-sourced workflows. Since this is an open-source project, fork PRs are the common case. Add a fork guard condition to skip the job for external contributions.</violation>

<violation number="3" location=".github/workflows/claude-code-review.yml:23">
P1: Change permissions to `write` so Claude can create comments, commits, and branches as intended.</violation>

<violation number="4" location=".github/workflows/claude-code-review.yml:41">
P0: Remove or conditionally apply the `prompt` input so Claude can respond to `@claude` mentions as intended in the PR.</violation>
</file>

<file name=".github/workflows/claude.yml">

<violation number="1" location=".github/workflows/claude.yml:22">
P0: The workflow requires write permissions to create comments, branches, and commits.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P0: Remove or conditionally apply the prompt input so Claude can respond to @claude mentions as intended in the PR.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 41:

<comment>Remove or conditionally apply the `prompt` input so Claude can respond to `@claude` mentions as intended in the PR.</comment>

<file context>
@@ -0,0 +1,44 @@
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
+          plugins: 'code-review@claude-code-plugins'
+          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://code.claude.com/docs/en/cli-reference for available options
</file context>

[cubic-dev-ai]

P0: The workflow requires write permissions to create comments, branches, and commits.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude.yml, line 22:

<comment>The workflow requires write permissions to create comments, branches, and commits.</comment>

<file context>
@@ -0,0 +1,50 @@
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
</file context>

[cubic-dev-ai]

P1: Change permissions to write so Claude can create comments, commits, and branches as intended.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 23:

<comment>Change permissions to `write` so Claude can create comments, commits, and branches as intended.</comment>

<file context>
@@ -0,0 +1,44 @@
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
</file context>

[cubic-dev-ai]

P1: Add issue_comment and pull_request_review_comment triggers to allow the workflow to run on comments as described in the PR.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 5:

<comment>Add `issue_comment` and `pull_request_review_comment` triggers to allow the workflow to run on comments as described in the PR.</comment>

<file context>
@@ -0,0 +1,44 @@
+
+on:
+  pull_request:
+    types: [opened, synchronize, ready_for_review, reopened]
+    # Optional: Only run on specific file changes
+    # paths:
</file context>

[cubic-dev-ai]

P1: This workflow will fail with an authentication error on every PR opened from a fork, because the pull_request event does not expose repository secrets to fork-sourced workflows. Since this is an open-source project, fork PRs are the common case. Add a fork guard condition to skip the job for external contributions.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude-code-review.yml, line 14:

<comment>This workflow will fail with an authentication error on every PR opened from a fork, because the `pull_request` event does not expose repository secrets to fork-sourced workflows. Since this is an open-source project, fork PRs are the common case. Add a fork guard condition to skip the job for external contributions.</comment>

<file context>
@@ -0,0 +1,44 @@
+    #   - "src/**/*.jsx"
+
+jobs:
+  claude-review:
+    # Optional: Filter by PR author
+    # if: |
</file context>