Description
Describe the bug
Our Claude workflows support both pull_request and pull_request_target to provide GitHub tokens with write permissions to Dependabot PRs (by default, they are considered forks and get read-only permissions; see https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).
The action fails for runs triggered by pull_request_target:
```
Run bun run ${GITHUB_ACTION_PATH}/src/entrypoints/prepare.ts
Using provided GITHUB_TOKEN for authentication
Error: Prepare step failed with error: Unsupported event type: pull_request_target
Error: Process completed with exit code 1.
```
To Reproduce
```yaml
name: Claude Code / self-check
on:
  pull_request_target:
    types:
      - opened
      - labeled
      - synchronize
    paths:
      - '.github/workflows/claude-code-*.yml'
permissions:
  # Required for OIDC authentication to AWS
  id-token: write
  contents: write
  pull-requests: write
  issues: write
  # Required for Claude Code to read CI job status
  actions: read
jobs:
  self-check:
    runs-on: small
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Assume bedrock-runtime role
        ...
      - name: Generate GitHub App token
        ...
      - uses: anthropics/claude-code-action@v0.0.44
        ...
```
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
If applicable, add screenshots to help explain your problem.
Workflow yml file
If it's not sensitive, consider including a paste of your full Claude workflow.yml file.
API Provider
[ ] Anthropic First-Party API (default)
[x] AWS Bedrock
[ ] GCP Vertex
Additional context
Add any other context about the problem here.
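
The workflow in this issue combines a `pull_request_target` trigger, write-scoped token permissions and a checkout of the PR head commit, which is the combination the linked Security Lab article asks maintainers to review. As an added example (not part of the original issue and not code from claude-code-action), this Python check flags that combination in a workflow file; `audit_workflow`, its result keys and the embedded sample (a trimmed, constructed copy of the workflow above) are assumptions made here, and the check is a text heuristic rather than a YAML parse.

```python
import re

# Constructed sample: a trimmed copy of the workflow quoted in the issue.
SAMPLE = """\
on:
  pull_request_target:
permissions:
  id-token: write
  contents: write
  pull-requests: write
  issues: write
  actions: read
jobs:
  self-check:
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")
WRITE_PERM = re.compile(r"^[ \t]*([\w-]+):[ \t]*write[ \t]*$", re.M)
ACTOR_GATE = re.compile(r"^[ \t]*if:.*github\.actor\s*[=!]=", re.M)

def checks_out_pr_head(lines):
    """True if an actions/checkout step sets `ref:` to the PR head commit or branch."""
    for i, line in enumerate(lines):
        if "actions/checkout" in line:
            for follow in lines[i + 1:]:
                s = follow.lstrip()
                if s.startswith("- "):          # next step begins
                    break
                if s.startswith("ref:") and HEAD_REF.search(s):
                    return True
    return False

def audit_workflow(text):
    """Text heuristic (assumption: no YAML parser) over one workflow file."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    body = "\n".join(lines)
    r = {
        "privileged_trigger": bool(re.search(r"\bpull_request_target\b", body)),
        "pr_head_checkout": checks_out_pr_head(lines),
        "write_scopes": sorted(set(WRITE_PERM.findall(body))),
        "actor_gate": bool(ACTOR_GATE.search(body)),
    }
    # All three together: PR-controlled files sit next to a write-scoped token.
    r["needs_review"] = bool(r["privileged_trigger"] and r["pr_head_checkout"] and r["write_scopes"])
    return r
```

`actor_gate` only records that a `github.actor` condition is present; it does not lower `needs_review`, so a flagged workflow still gets a human look at what runs after the checkout.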