From 411b5242047e988e39be92e7e1a61ea54a12821c Mon Sep 17 00:00:00 2001
From: Lucca Bertoncini <luccabazzo@gmail.com>
Date: Wed, 11 Mar 2026 12:31:46 -0700
Subject: [PATCH 1/3] add claude review bot

---
 .github/workflows/claude.yml | 56 ++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 .github/workflows/claude.yml

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
new file mode 100644
index 0000000..e09b5f3
--- /dev/null
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,56 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude'))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          model: "claude-sonnet-4-6"
+
+          # Optional: Customize the trigger phrase (default: @claude)
+          # trigger_phrase: "/claude"
+
+          # Optional: Trigger when specific user is assigned to an issue
+          # assignee_trigger: "claude-bot"
+
+          # Optional: Configure Claude's behavior with CLI arguments
+          # claude_args: |
+          #   --model claude-opus-4-1-20250805
+          #   --max-turns 10
+          #   --allowedTools "Bash(npm install),Bash(npm run build),Bash(npm run test:*),Bash(npm run lint:*)"
+          #   --system-prompt "Follow our coding standards. Ensure all new code has tests. Use TypeScript for new files."
+
+          # Optional: Advanced settings configuration
+          # settings: |
+          #   {
+          #     "env": {
+          #       "NODE_ENV": "test"
+          #     }
+          #   }
\ No newline at end of file

From ed3f5cb6dce5549637864def6f947ec7a8d36a4d Mon Sep 17 00:00:00 2001
From: Lucca Bertoncini <luccabazzo@gmail.com>
Date: Wed, 11 Mar 2026 12:32:24 -0700
Subject: [PATCH 2/3] new line

---
 .github/workflows/claude.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index e09b5f3..80df020 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -53,4 +53,4 @@ jobs:
           #     "env": {
           #       "NODE_ENV": "test"
           #     }
-          #   }
\ No newline at end of file
+          #   }

From f71b10f817a927f271f0fa8401c54d390687863d Mon Sep 17 00:00:00 2001
From: Lucca Bertoncini <luccabazzo@gmail.com>
Date: Wed, 11 Mar 2026 14:41:49 -0700
Subject: [PATCH 3/3] enable claude on fork PRs

---
 .github/workflows/claude.yml | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 80df020..0495a11 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -27,9 +27,37 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Check if user is authorized
+        id: check_auth
+        run: |
+          COMMENTER="${{ github.event.comment.user.login }}"
+          ASSOCIATION="${{ github.event.comment.author_association }}"
+          AUTHORIZED=false
+
+          # Org owners and members
+          if [ "$ASSOCIATION" = "OWNER" ] || [ "$ASSOCIATION" = "MEMBER" ]; then
+            AUTHORIZED=true
+          fi
+
+          # CODEOWNERS
+          if [ "$AUTHORIZED" = "false" ] && [ -f .github/CODEOWNERS ]; then
+            OWNERS=$(grep -oP '(?<=@)\S+' .github/CODEOWNERS | sort -u)
+            if echo "$OWNERS" | grep -qxi "$COMMENTER"; then
+              AUTHORIZED=true
+            fi
+          fi
+
+          echo "authorized=$AUTHORIZED" >> "$GITHUB_OUTPUT"
+          if [ "$AUTHORIZED" = "false" ]; then
+            echo "::notice::User $COMMENTER is not authorized to trigger Claude."
+          fi
+
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@v1
+        if: steps.check_auth.outputs.authorized == 'true'
+        # Forked from anthropics/claude-code-action@v1 to add support for
+        # fork PRs (upstream bug: https://github.com/anthropics/claude-code-action/issues/223)
+        uses: luccabb/claude-code-action@7f39722b8a782471258f32e1d5a9a531b2b68056
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           model: "claude-sonnet-4-6"