From d98324d82f222254990d8aa058b79d8c96e26ea8 Mon Sep 17 00:00:00 2001
From: diego <diego@sigmaprime.io>
Date: Wed, 11 Feb 2026 16:51:05 -0300
Subject: [PATCH] fix(ci): fix claude-pr-review failing on fork PRs

claude-code-action@v1 recently changed (PR #851) to fetch PR branches
via `git fetch origin pull/N/head:...` before calling configureGitAuth().
This requires origin to point to the base repo with a token that can
access fork PR refs.

Fix by:
- Removing fork-specific repository/ref overrides from checkout
- Generating the app token before checkout and passing it via token:

Cherry-pick of #827 and #828 from unstable.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/claude-pr-review.yml | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml
index 7eaa658a1..8d3e9da70 100644
--- a/.github/workflows/claude-pr-review.yml
+++ b/.github/workflows/claude-pr-review.yml
@@ -60,14 +60,12 @@ jobs:
                     exit 0
                   fi
 
-            - name: Checkout repository
-              if: steps.check.outputs.is_member == 'true'
-              uses: actions/checkout@v4
-              with:
-                  repository: ${{ github.event.pull_request.head.repo.full_name }}
-                  ref: ${{ github.event.pull_request.head.ref }}
-                  fetch-depth: 0
-
+            # Generate the app token before checkout so it can be used for
+            # git operations. claude-code-action calls setupBranch() (which
+            # fetches PR refs via `git fetch origin pull/N/head:...`) before
+            # configureGitAuth(), so the token embedded in origin by
+            # actions/checkout must already have permission to fetch fork
+            # PR refs.
             - name: Generate GitHub App token
               if: steps.check.outputs.is_member == 'true'
               id: app-token
@@ -76,6 +74,12 @@ jobs:
                   app-id: ${{ vars.APP_ID }}
                   private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
+            - name: Checkout repository
+              if: steps.check.outputs.is_member == 'true'
+              uses: actions/checkout@v4
+              with:
+                  token: ${{ steps.app-token.outputs.token }}
+
             - name: Configure AWS Credentials (OIDC)
               if: steps.check.outputs.is_member == 'true'
               uses: aws-actions/configure-aws-credentials@v4