From e469e73aa88b13f28d89cef2a933ef0b12d96b5b Mon Sep 17 00:00:00 2001
From: Chris Hambridge
Date: Wed, 14 Jan 2026 19:13:20 -0500
Subject: [PATCH 1/2] ci(pr-review): add checkout step for skill definitions access

Add actions/checkout@v4 before claude-code-action to enable access to .claude/commands/ skill definitions. Uses base.sha (not head.sha) for security - this ensures skill definitions come from the trusted main branch, not from potentially malicious fork PRs. Fixes the "Unknown skill: review-agentready" error seen in Claude Code Review workflow runs.

Co-Authored-By: Claude
Signed-off-by: Chris Hambridge
---
 .github/workflows/pr-review-auto-fix.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/pr-review-auto-fix.yml b/.github/workflows/pr-review-auto-fix.yml
index a675c553..70c752b3 100644
--- a/.github/workflows/pr-review-auto-fix.yml
+++ b/.github/workflows/pr-review-auto-fix.yml
@@ -36,6 +36,12 @@ jobs:
 }
 }
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ # Use base branch for security - don't execute fork's .claude/commands/
+ ref: ${{ github.event.pull_request.base.sha }}
+
 - name: Run AgentReady Code Review
 uses: anthropics/claude-code-action@v1
 with:
From 34fbc4848841e09133b1d55466ab2586655c12c6 Mon Sep 17 00:00:00 2001
From: Chris Hambridge
Date: Wed, 14 Jan 2026 19:31:06 -0500
Subject: [PATCH 2/2] ci(pr-review): add inline settings for gh and git command permissions

Add settings block to claude-code-action configuration to allow gh pr, gh issue, gh search, and git commands during code review. This enables the review skill to interact with GitHub APIs.

Co-Authored-By: Claude Opus 4.5
Signed-off-by: Chris Hambridge
---
 .github/workflows/pr-review-auto-fix.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/pr-review-auto-fix.yml b/.github/workflows/pr-review-auto-fix.yml
index 70c752b3..2cf949c7 100644
--- a/.github/workflows/pr-review-auto-fix.yml
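Review bot: The new checkout step leaves `persist-credentials` at its default, so actions/checkout@v4 keeps the job token in the workspace's git configuration, where the agent step that follows can reach it; in a review job that reads fork PR content, add `persist-credentials: false` under `with:` unless the review step is confirmed to need it. Checking out `base.sha` keeps fork-supplied `.claude/commands/` out of the workspace, which matches the comment; the action reference itself is still a movable tag, so consider pinning it to a full commit SHA, `uses: actions/checkout@<full-commit-sha> # v4`. The workflow trigger and the job's `permissions:` block are outside this hunk, so whether the token is already read-only cannot be confirmed from here.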
+++ b/.github/workflows/pr-review-auto-fix.yml
@@ -49,6 +49,17 @@ jobs:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 allowed_non_write_users: '*' # Enable reviews on fork PRs
+ settings: |
+ {
+ "permissions": {
+ "allow": [
+ "Bash(gh pr:*)",
+ "Bash(gh issue:*)",
+ "Bash(gh search:*)",
+ "Bash(git:*)"
+ ]
+ }
+ }
 prompt: |
 Run the /review-agentready command on this pull request.
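Review bot: The allow list added under `settings` is broader than a review needs: `Bash(gh pr:*)` and `Bash(gh issue:*)` cover state-changing subcommands (merge, close, edit) as well as read-only ones, and `Bash(git:*)` permits every git subcommand, including push and configuration changes. Because `allowed_non_write_users: '*'` lets this job run on fork PRs, the PR title, body and diff are untrusted input to the agent, so an injected instruction would be bounded only by this list and by the GITHUB_TOKEN scopes, which are not visible in this hunk. Narrow each entry to the subcommands /review-agentready actually uses, as sketched below (the exact set is an assumption to confirm against the skill definition), and keep the job's `permissions:` to the minimum the review needs.

```yaml
          # … unchanged: settings: | and the enclosing "permissions" object …
                "allow": [
                  "Bash(gh pr view:*)",
                  "Bash(gh pr diff:*)",
                  "Bash(gh pr comment:*)",
                  "Bash(gh issue view:*)",
                  "Bash(gh search:*)",
                  "Bash(git diff:*)",
                  "Bash(git log:*)"
                ]
```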