From: Daan De Meyer Date: Wed, 18 Mar 2026 07:59:48 +0000 (+0100) Subject: ci: Enable users without write action to the repo to access claude review X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2967e89597d51db77f4b73be338bc273b65be28b;p=thirdparty%2Fsystemd.git ci: Enable users without write action to the repo to access claude review The labelling approach introduced in 6089075265765b43e6666e4d5978292a32501496 means contributors can now trigger the workflow on their own when the label is added by a maintainer and they update the PR. Hence we need to allow all users to access the claude code action. This is safe because we already gate the workflow ourselves to only the contributors that we want to allow. Additionally, the claude code job has no permissions anymore except read access to the repository and can execute very limited tools, so this should be safe. --- diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml index cf55bf612a4..6368140ea00 100644 --- a/.github/workflows/claude-review.yml +++ b/.github/workflows/claude-review.yml @@ -224,6 +224,11 @@ jobs: # Required by claude-code-action even though Claude itself doesn't # call the GitHub API — the action uses it for permission checks. github_token: ${{ secrets.GITHUB_TOKEN }} + # Safe because the workflow's `if` condition already restricts + # execution to trusted actors (MEMBER/OWNER/COLLABORATOR) or PRs + # that a trusted actor explicitly labeled, and this job only has + # read-only permissions. + allowed_non_write_users: "*" track_progress: false show_full_output: "true" claude_args: |
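Review bot: setting `allowed_non_write_users: "*"` removes the action's own permission check as a second gate, so the workflow-level `if` condition that the new comment refers to becomes the single control over who can reach the claude code action, and that condition is not part of this hunk. Since the commit message says a labeled PR re-runs the workflow whenever the contributor updates it, the label is effectively a standing grant for all later pushes to that PR, so the comment should point at where the `if` condition and the job's read-only `permissions:` block live in this file, so that a later edit to either cannot silently widen the set of actors who can trigger the action without also revisiting this line. Before merging, confirm in the same file that the job declares read-only permissions explicitly rather than inheriting the workflow default.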