💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e938652cc5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| # Optional: Filter by PR author | ||
| # if: | | ||
| # github.event.pull_request.user.login == 'external-contributor' || | ||
| # github.event.pull_request.user.login == 'new-developer' || | ||
| # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' |
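Review bot: with the whole if: block commented out, claude-review has no job-level condition at all, and the filter the comments sketch (author login, FIRST_TIME_CONTRIBUTOR) is an author filter rather than a fork check, so uncommenting it would not remove the failure: a pull_request event from a fork runs without repository secrets whoever opened it. Gate on the head repository, e.g. if: github.event.pull_request.head.repo.full_name == github.repository, and layer the author condition on top of that only if it is actually wanted.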
Skip Claude review job for forked pull requests
Removing the job-level trust gate means claude-review now runs for every pull_request event, including PRs from forks. For forked PRs, GitHub does not expose repository secrets to this workflow, so the claude_code_oauth_token input is empty and this job will fail instead of reviewing, leaving external contributions with a persistent failing check unless you add a same-repo/trusted-author condition.
Useful? React with 👍 / 👎.
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | ||
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || | ||
| (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) |
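Review bot: all four branches match on the text alone and none checks who wrote it, so any account that can write in a public repo, bots included, starts a runner. Add an author gate to each branch, e.g. contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) for the two comment events (github.event.review.author_association and github.event.issue.author_association for the review and issues branches), and put github.event.sender.type != 'Bot' in front of the whole expression so that bot-authored comments cannot trigger the job.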
Restrict @claude triggers to trusted human users
This condition now matches any issue/comment/review body containing @claude without checking user type or repository role, so public repo outsiders (and bots) can repeatedly trigger the workflow. Even if the action later refuses to act, each trigger still spins up a runner and consumes CI budget; the removed sender.type and association checks previously blocked this at the workflow gate.
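The two gates the Codex comments above ask for, written out as one complete workflow. This is an added example, not the repository's workflow and not Anthropic's own template: the event types, the claude-review job name, the claude_code_oauth_token input and the CLAUDE_CODE_OAUTH_TOKEN secret are the ones named in the thread; the action reference and version, the claude-mention job name, the permissions block and the trusted-role list are assumptions.

```yaml
# Added example, not the repository's workflow. Event types, the claude-review
# job, the claude_code_oauth_token input and the CLAUDE_CODE_OAUTH_TOKEN
# secret come from the review thread; the action reference/version, the
# claude-mention job name, the permissions and the trusted-role list are
# assumptions made for this example.
name: claude

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_review:
    types: [submitted]
  issues:
    types: [opened]

permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  # Automatic review. Run only when the PR's head branch lives in this
  # repository: a pull_request event from a fork receives no repository
  # secrets, so the token input would be empty and the job would fail
  # instead of reviewing. head.repo is null when the fork was deleted; the
  # comparison is then false, which is the safe outcome.
  claude-review:
    if: >-
      github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1   # assumed action and version
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

  # Mention-triggered job. Matching "@claude" on the body alone lets any
  # account that can write in a public repo (bots included) start a runner.
  # Requiring a trusted author_association on the object that carried the
  # text, plus a non-bot sender, rejects the event at the workflow gate
  # before a runner is allocated. Each branch reads author_association from
  # the same object it reads the body from.
  claude-mention:
    if: >-
      github.event.sender.type != 'Bot' &&
      (
      (github.event_name == 'issue_comment' &&
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review_comment' &&
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review' &&
      contains(github.event.review.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
      (github.event_name == 'issues' &&
      (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
      )
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1   # assumed action and version
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
```

Two caveats worth knowing when adopting this. Pull requests opened by Dependabot pass the same-repo check but still run with Dependabot's own secret store rather than the repository's, so add github.actor != 'dependabot[bot]' to the claude-review gate if Dependabot is enabled. And switching the trigger to pull_request_target would hand fork PRs the secrets, but it would also run the review with a write-capable token against code the contributor controls; the same-repo gate with a plain pull_request trigger is the safer of the two.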
Closing — the /install-github-app command already set the CLAUDE_CODE_OAUTH_TOKEN secret, which is what the existing workflows reference. No workflow changes needed.
No description provided.