Merge pull request #10531 from Roasbeef/claude-fix

workflows: fix Claude workflows for fork PRs and external contributors

Author: Roasbeef

.github/workflows/claude.yml

@@ -30,6 +30,18 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Checkout PR branch (handles fork PRs)
+        if: github.event.issue.pull_request || github.event_name == 'pull_request_review_comment' || github.event_name == 'pull_request_review'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if [ "${{ github.event_name }}" = "issue_comment" ]; then
+            PR_NUMBER=${{ github.event.issue.number }}
+          else
+            PR_NUMBER=${{ github.event.pull_request.number }}
+          fi
+          gh pr checkout "$PR_NUMBER"
+
       - name: Run Claude Code
         id: claude
         uses: anthropics/claude-code-action@v1

.github/workflows/pr-severity.yml

@@ -37,6 +37,11 @@ jobs:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           github_token: ${{ secrets.PR_SEVERITY_BOT_TOKEN }}
 
+          # Allow any user since this workflow only reads PR metadata via API
+          # and doesn't execute any code from the PR. Tool permissions are
+          # restricted to gh pr commands only.
+          allowed_non_write_users: "*"
+
           # Allow Claude to manage labels and post comments.
           # Keep permissions minimal to limit prompt injection risk.
           claude_args: --allowedTools "Bash(gh pr view:*)" "Bash(gh pr edit:*)" "Bash(gh pr comment:*)"