
ci: allow auto review for external PRs#338

Merged
fslongjin merged 1 commit into master from ci/allow-external-pr-auto-review on May 22, 2026

Conversation

@fslongjin
Member

Summary

  • Allow the Claude auto-review workflow to run for fork PR authors by setting allowed_non_write_users: "*".
  • Keep the existing GitHub App token, pull_request_target trigger, minimal workflow permissions, and tool allowlist unchanged.

Test plan

  • Checked the workflow file diagnostics in Cursor; no linter errors were reported.
  • Verified the PR diff only contains the intended workflow input addition.

Assisted-by: Cursor:GPT-5.5

Made with Cursor

@cubesandboxbot

cubesandboxbot Bot commented May 22, 2026

Claude finished @fslongjin's task in 32s


Code Review: PR #338 - ci: allow auto review for external PRs

Overview

This PR adds allowed_non_write_users: "*" to the Claude Code Action configuration to allow external/fork PR authors to trigger the auto-review workflow.

Review

Change is correct and well-scoped. The single-line addition is the right way to configure the anthropics/claude-code-action to accept triggers from non-collaborator users.

Security posture remains solid. The pre-existing security guards are all preserved:

  • pull_request_target trigger with no PR code execution steps
  • persist-credentials: false on checkout
  • Scoped GitHub App token (not GITHUB_TOKEN)
  • Minimal workflow permissions (contents: read, pull-requests: write)
  • Restricted allowedTools (comment, diff, view only)

The allowed_non_write_users: "*" parameter is a first-class security feature of the action — it gates who can start a review, but the review itself still runs under the action's own restricted tool allowlist. External users will only be able to trigger the review, not influence what the action does.

Nit (non-blocking): The PR description mentions allowed_non_write_users in the summary but the diff shows allowed_non_write_users as well, so they're consistent. The feature name is a bit misleading (double negative), but that's the upstream action's naming, not something to fix here.

No issues found. This is a clean, focused change that accomplishes its stated goal without side effects.
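
The guards the review lists (pull_request_target with no PR code execution, persist-credentials: false on checkout, least-privilege permissions, a gated trigger) are exactly the invariants a fork author can abuse if any one of them slips in a later edit. As an added example, not code from this project or from either reviewer, the Ruby script below audits a workflow file for those guards; Ruby is used because its standard library parses YAML. The two workflows it inspects are constructed samples modelled on the review's bullet list, not the repository's actual .github/workflows/code-review.yml, and the action input names github_token and allowed_non_write_users are assumed from the discussion above.

```ruby
require 'yaml'

# Constructed sample shaped like the guards the review describes (not the
# project's real workflow; github_token / allowed_non_write_users are assumed
# input names).
SAFE_WORKFLOW = <<~YAML
  name: code-review
  on:
    pull_request_target:
      types: [opened, synchronize]
  permissions:
    contents: read
    pull-requests: write
  jobs:
    review:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            persist-credentials: false
        - uses: anthropics/claude-code-action@v1
          with:
            github_token: ${{ steps.app-token.outputs.token }}
            allowed_non_write_users: "*"
YAML

# Same job with the classic pull_request_target mistakes (constructed): blanket
# permissions, PR head checked out with credentials kept, PR code executed, and
# an attacker-controlled PR field interpolated into a shell step.
UNSAFE_WORKFLOW = <<~YAML
  name: code-review
  on: [pull_request_target]
  permissions: write-all
  jobs:
    review:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            ref: ${{ github.event.pull_request.head.sha }}
        - run: npm ci && npm test
        - run: echo "${{ github.event.pull_request.title }}"
YAML

# A checkout `ref` under github.event.pull_request.head.* puts fork-controlled
# code into a checkout that runs with the base repository's secrets.
PR_HEAD_REF = /github\.event\.pull_request\.head\./
# Fork-controlled strings that must never reach a `run:` step unescaped.
INJECTABLE = /\$\{\{\s*github\.event\.(pull_request\.(title|body|head\.(ref|label))|issue\.(title|body))\s*\}\}/

# Returns { findings: [...], notes: [...] }; findings are violations of the
# guards, notes are informational (e.g. the trigger is open to fork authors).
def audit_workflow(yaml_text)
  doc = YAML.safe_load(yaml_text)
  result = { findings: [], notes: [] }

  # YAML 1.1 resolves a bare `on` key to boolean true, so look under both.
  triggers = doc['on'] || doc[true] || {}
  trigger_names = triggers.is_a?(Hash) ? triggers.keys : Array(triggers)

  perms = doc['permissions']
  if perms.nil?
    result[:findings] << 'permissions: not declared; add an explicit least-privilege block'
  elsif perms.is_a?(String)
    result[:findings] << "permissions: #{perms} is not least privilege"
  elsif perms['contents'] == 'write'
    result[:findings] << 'permissions: contents: write is broader than a review job needs'
  end

  return result unless trigger_names.include?('pull_request_target')

  (doc['jobs'] || {}).each do |job_name, job|
    pr_code_checked_out = false
    Array(job['steps']).each_with_index do |step, i|
      loc = "#{job_name}/step #{i + 1}"
      with = step['with'] || {}

      if step['uses'].to_s.start_with?('actions/checkout')
        if with['ref'].to_s =~ PR_HEAD_REF
          pr_code_checked_out = true
          result[:findings] << "#{loc}: checks out the PR head under pull_request_target"
        end
        unless with['persist-credentials'] == false
          result[:findings] << "#{loc}: checkout keeps the token in .git/config (set persist-credentials: false)"
        end
      end

      if step.key?('run')
        result[:findings] << "#{loc}: run step executes after PR code was checked out" if pr_code_checked_out
        result[:findings] << "#{loc}: untrusted PR field interpolated into a shell step" if step['run'].to_s =~ INJECTABLE
      end

      if with['allowed_non_write_users'] == '*'
        result[:notes] << "#{loc}: any fork author can trigger this action; its tool allowlist is the only remaining guard"
      end
    end
  end
  result
end

if $PROGRAM_NAME == __FILE__
  { safe: SAFE_WORKFLOW, unsafe: UNSAFE_WORKFLOW }.each do |label, wf|
    r = audit_workflow(wf)
    puts "#{label}: #{r[:findings].size} finding(s), #{r[:notes].size} note(s)"
    (r[:findings] + r[:notes]).each { |line| puts "  - #{line}" }
  end
end
```

The safe sample yields no findings and one note (the allowed_non_write_users: "*" gate), which is the state the review signs off on; the unsafe sample yields six findings. The note is deliberate: opening the trigger to fork authors is fine only while the checkout stays credential-free and the action's tool allowlist stays read-only, so the auditor keeps reporting it rather than treating "*" as a finding by itself.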


Allow the Claude review workflow to run for fork PR authors while retaining the existing restricted token and tool permissions.

Signed-off-by: jinlong <[email protected]>
@fslongjin fslongjin force-pushed the ci/allow-external-pr-auto-review branch from 04adf3f to 64c6a7f on May 22, 2026 07:31
@fslongjin fslongjin merged commit ffe8349 into master May 22, 2026
2 checks passed
@fslongjin fslongjin deleted the ci/allow-external-pr-auto-review branch May 22, 2026 07:31
@cubesandboxbot

cubesandboxbot Bot commented May 22, 2026

Claude finished @fslongjin's task in 27s


Code Review: PR #338 - ci: allow auto review for external PRs

Change Summary

Added allowed_non_write_users: "*" to the Claude Code Action configuration (.github/workflows/code-review.yml:48) to allow external/fork PR authors to trigger the auto-review workflow.

Review

Change is correct and well-scoped. The single-line addition is the appropriate configuration for the anthropics/claude-code-action to accept triggers from non-collaborator users.

Security posture remains solid. The pre-existing security guards are preserved:

  • pull_request_target trigger with no PR code execution steps
  • persist-credentials: false on checkout
  • Scoped GitHub App token (not GITHUB_TOKEN)
  • Minimal workflow permissions (contents: read, pull-requests: write)
  • Restricted allowedTools (comment, diff, view only)

The allowed_non_write_users: "*" parameter is a first-class security feature of the action — it gates who can start a review, but the review itself still runs under the action's own restricted tool allowlist. External users will only be able to trigger the review, not influence what the action does.

No issues found. This is a clean, focused change that accomplishes its stated goal without side effects.


  • Branch: ci/allow-external-pr-auto-review
  • File changed: .github/workflows/code-review.yml (+1/-0)
  • Commit: 5db3401
