From ed2419b8e176cda724b2c5e0b8620768638924bb Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 8 Apr 2026 21:56:45 +0000
Subject: [PATCH] fix(ci): handle fork PRs in GitHub Actions workflows

Fork-based PRs (like PR #498) caused all CI checks to fail due to:
- ci-quality-gate: checkout failed because fork branch names don't exist in the base repo. Now uses commit SHA for PR events.
- skill-security-audit: comment posting failed with read-only GITHUB_TOKEN. Now continues on error and writes results to job summary as fallback.
- claude-code-review: fallback comment step failed silently. Now continues on error and writes status to job summary.

https://claude.ai/code/session_01X1RKFAkEwxgg6gQvJG1KCa
---
 .github/workflows/ci-quality-gate.yml | 3 +++
 .github/workflows/claude-code-review.yml | 11 +++++++++++
 .github/workflows/skill-security-audit.yml | 9 +++++++++
 3 files changed, 23 insertions(+)

diff --git a/.github/workflows/ci-quality-gate.yml b/.github/workflows/ci-quality-gate.yml
index b1ac77b..e2c140b 100644
--- a/.github/workflows/ci-quality-gate.yml
+++ b/.github/workflows/ci-quality-gate.yml
@@ -31,6 +31,9 @@ jobs:
 echo "target_ref=${{ github.event.inputs.ref }}" >> "$GITHUB_OUTPUT"
 elif [[ "${{ github.event_name }}" == "repository_dispatch" && -n "${{ github.event.client_payload.ref }}" ]]; then
 echo "target_ref=${{ github.event.client_payload.ref }}" >> "$GITHUB_OUTPUT"
+ elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
+ # Use commit SHA for PRs — branch names from forks don't exist in the base repo
+ echo "target_ref=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT"
 else
 echo "target_ref=${{ github.head_ref || github.ref_name }}" >> "$GITHUB_OUTPUT"
 fi
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 85862ea..6e7b96d 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
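Review bot: The new `elif` keys only on `pull_request`, so if this workflow also fires on `pull_request_target` (its `on:` block is outside the hunk) that event still falls through to the `github.head_ref` branch and hits the same missing-branch checkout failure for fork PRs. That narrowness is the right default here, because under `pull_request_target` checking out a fork's `head.sha` would execute the fork's code with a write-capable token, so the added comment should state the boundary rather than only the branch-name problem, e.g. `# Use commit SHA for PRs — fork branch names don't exist in the base repo. Keep this to pull_request (read-only token); do not extend to pull_request_target.` `head.sha` is a hex string, so interpolating it into the script is harmless, unlike the sibling `inputs.ref`, `client_payload.ref` and `head_ref` lines, which keep the usual expression-in-`run:` injection shape and would be safer routed through `env:`. The `run:` script holding this if-chain starts and ends outside the hunk.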
@@ -114,6 +114,7 @@ jobs:
 
 - name: Post fallback review note (quota/timeout)
 if: steps.claude-review.outcome != 'success'
+ continue-on-error: true # Fork PRs have read-only GITHUB_TOKEN
 uses: actions/github-script@v7
 with:
 script: |
@@ -129,3 +130,13 @@ jobs:
 - Proceed with manual review to unblock
 `
 })
+
+ - name: Write review status to job summary
+ if: steps.claude-review.outcome != 'success'
+ run: |
+ echo "## ⚠️ Automated Review Skipped" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo "The Claude review could not complete." >> "$GITHUB_STEP_SUMMARY"
+ echo "For fork PRs this is expected — OIDC tokens are unavailable." >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo "- Retry from the Actions tab, or proceed with manual review." >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/skill-security-audit.yml b/.github/workflows/skill-security-audit.yml
index 1f7cf7a..e4af352 100644
--- a/.github/workflows/skill-security-audit.yml
+++ b/.github/workflows/skill-security-audit.yml
@@ -191,8 +191,17 @@ jobs:
 echo "report_file=$REPORT_FILE" >> "$GITHUB_OUTPUT"
 echo "exit_code=$OVERALL_EXIT" >> "$GITHUB_OUTPUT"
 
+ - name: Post audit results to job summary
+ if: always()
+ run: |
+ REPORT_FILE="${{ steps.audit.outputs.report_file }}"
+ if [ -f "$REPORT_FILE" ]; then
+ cat "$REPORT_FILE" >> "$GITHUB_STEP_SUMMARY"
+ fi
+
 - name: Post audit results as PR comment
 if: always()
+ continue-on-error: true # Fork PRs have read-only GITHUB_TOKEN
 uses: actions/github-script@v7
 with:
 script: |
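Review bot: `continue-on-error: true` on the fallback-comment step hides every failure of that step, not just the 403 a read-only fork token produces; a script bug or an API outage is swallowed too, and only the job summary remains as evidence. If the intent is specifically fork PRs, gate on the source instead and keep failures visible for same-repo PRs, e.g. `if: steps.claude-review.outcome != 'success' && github.event.pull_request.head.repo.fork == false` (assuming this job only runs on pull-request events, which the hunk does not show). The same observation applies to the `continue-on-error` added to the "Post audit results as PR comment" step in skill-security-audit.yml further down. The step's `script:` body continues past the end of the hunk.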
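Review bot: The summary written by the new "Write review status to job summary" step does not record why the review did not complete, so a fork PR and a quota/timeout failure on a same-repo PR produce identical output, and the "Retry from the Actions tab" advice is wrong for the former. Record the outcome and the PR source, both fixed-vocabulary values that are safe to interpolate, e.g. `echo "Review step outcome: ${{ steps.claude-review.outcome }}" >> "$GITHUB_STEP_SUMMARY"` and `echo "From fork: ${{ github.event.pull_request.head.repo.fork }}" >> "$GITHUB_STEP_SUMMARY"` (the latter is empty on non-PR events, if this workflow has any). The step is complete within the hunk.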
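Review bot: The new "Post audit results to job summary" step interpolates `${{ steps.audit.outputs.report_file }}` directly into the `run:` script; expression expansion happens before the shell sees the text, so the surrounding quotes give no protection should that output ever carry a PR-controlled path component. Pass it through the environment instead: add `env:` with `REPORT_FILE: ${{ steps.audit.outputs.report_file }}` to the step and drop the assignment line, leaving `if [ -f "$REPORT_FILE" ]` as is. Two smaller points: an empty or missing `report_file` silently skips the summary, so an `else` branch that appends a one-line "no audit report produced" marker would make that state visible, and the Actions docs cap a step summary at about 1 MiB, so a large report should be truncated with `head -c` before appending. The `audit` step that produces `report_file` starts outside the hunk.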