From 29b14dac592b48b91ef587f96ce57d582b8a7977 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Sat, 20 Jun 2026 23:41:45 +0200
Subject: [PATCH] feat(ci): let mention bot push commits to fork PR branches

claude-code-action checks out the PR head branch and pushes Claude's
commits with `git push origin ...`. For PRs opened from a fork the head
branch lives on the contributor's repo, and the workflow GITHUB_TOKEN
cannot push there, so commits ended up as a stray branch on this repo
and never landed on the PR.

Redirect origin's push URL to the PR head repository (the fork for fork
PRs, this repo otherwise) using a PAT secret (CLAUDE_BOT_PAT) that has
push access; fetches still come from origin. persist-credentials is
disabled so the PAT in the push URL is used instead of the GITHUB_TOKEN
auth header. Requires the fork PR to have "Allow edits by maintainers"
enabled.
---
 .github/workflows/claude-bot.yml | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/claude-bot.yml b/.github/workflows/claude-bot.yml
index a544ab828..8d0539121 100644
--- a/.github/workflows/claude-bot.yml
+++ b/.github/workflows/claude-bot.yml
@@ -419,11 +419,29 @@ jobs:
       - uses: actions/checkout@v7
         with:
           fetch-depth: 0
-      - name: Check out the PR branch when the comment is on a pull request
-        if: github.event.issue.pull_request
+          # Don't persist the GITHUB_TOKEN auth header; pushes are authenticated
+          # below with a PAT so they can reach a contributor's fork branch.
+          persist-credentials: false
+      # claude-code-action checks out the PR head branch and lets Claude push
+      # with `git push origin ...`. For fork PRs the head branch lives on the
+      # contributor's repo, not origin, and GITHUB_TOKEN cannot push there.
+      # Point origin's PUSH url at the PR head repository (the fork for fork
+      # PRs, this repo otherwise) using a PAT that has push access; fetches
+      # still come from origin (this repo).
+      - name: Route commit pushes to the PR head repository
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: gh pr checkout ${{ github.event.issue.number }}
+          BOT_PAT: ${{ secrets.CLAUDE_BOT_PAT }}
+        run: |
+          set -euo pipefail
+          if [ -n "${{ github.event.issue.pull_request.url }}" ]; then
+            head_repo=$(gh pr view "${{ github.event.issue.number }}" \
+              --json headRepositoryOwner,headRepository \
+              --jq '"\(.headRepositoryOwner.login)/\(.headRepository.name)"')
+          else
+            head_repo="${{ github.repository }}"
+          fi
+          git remote set-url --push origin "https://x-access-token:${BOT_PAT}@github.com/${head_repo}.git"
       - uses: anthropics/claude-code-action@v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}