
ci: enable Claude review workflow for fork PRs#53

Merged
RichardAtCT merged 1 commit into RichardAtCT:main from alexx-ftw:fix/claude-review-oidc-permissions
Feb 19, 2026

Conversation

@alexx-ftw
Contributor

Summary

Fixes failing Claude Code Review workflow runs on fork-based pull requests by switching the trigger context to pull_request_target and checking out the PR merge ref explicitly.

Root cause

Recent failed runs (for example run 22157347067 on PR #40 and run 22167207692 on PR #41) showed:

  • Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
  • Could not fetch an OIDC token. Did you remember to add id-token: write...

Even though id-token: write was already present, those runs were triggered from fork PRs under pull_request event context, where OIDC env vars were not injected in practice for this workflow.

Changes

  • .github/workflows/claude-code-review.yml
    • on.pull_request -> on.pull_request_target
    • actions/checkout now uses:
      • ref: refs/pull/${{ github.event.pull_request.number }}/merge

This keeps the workflow in base-repo context (enabling OIDC) while still reviewing the PR changes.

Security notes

  • Permissions remain least-privilege and unchanged except for existing id-token: write.
  • Checkout is pinned to the GitHub-generated PR merge ref, not arbitrary user-provided refs.

Validation

  • Workflow YAML parsed successfully after changes.
  • Diff is minimal and isolated to one workflow file.

@alexx-ftw alexx-ftw force-pushed the fix/claude-review-oidc-permissions branch from 8ca992a to f49fcc8 on February 19, 2026 12:48
@RichardAtCT RichardAtCT merged commit 309bc0a into RichardAtCT:main Feb 19, 2026
@alexx-ftw alexx-ftw deleted the fix/claude-review-oidc-permissions branch February 19, 2026 15:38
@RichardAtCT
Owner

@alexx-ftw This still isn't working. Strange.

@alexx-ftw
Contributor Author

alexx-ftw commented Feb 19, 2026

I investigated this and confirmed the failures are not from the checkout ref change in PR #53.

Current failures happen in the Claude action during app token exchange:
App token exchange failed: 401 Unauthorized - Invalid OIDC token

Examples:

This matches upstream issue anthropics/claude-code-action#713 (OIDC token exchange rejects pull_request_target):
anthropics/claude-code-action#713

So PR #53 is correct in intent (fork-safe trigger model) but not sufficient alone right now because OIDC exchange is failing on pull_request_target.

Clean long-term fix:

  • Keep pull_request_target
  • Provide github_token from a repo/org-managed GitHub App (instead of relying on OIDC exchange)
  • Keep least-privilege app permissions (contents read, pull-requests/issues write only if needed, actions read only if needed)

Why this is clean:

  • Preserves fork-safe workflow behavior
  • Avoids the current upstream OIDC path failure
  • Uses short-lived, auditable credentials with scoped permissions

Short-term fallback remains: switch back to pull_request until upstream fixes #713.
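As an added example (not the repository's workflow file, and not code from either participant), the following workflow puts the two proposals of this thread together: the pull_request_target trigger with an explicit checkout of the PR merge ref from the PR description, and the GitHub App installation token from the comment above in place of the OIDC exchange. The action version tags, the anthropic_api_key input name and the secret names APP_ID / APP_PRIVATE_KEY are assumptions.

```yaml
# Added example, not the repository's own workflow. Placeholder names:
# secrets.APP_ID / secrets.APP_PRIVATE_KEY; action version tags are assumed.
name: Claude Code Review

on:
  # Base-repo context: OIDC env vars and secrets are available for fork PRs.
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write
  issues: write
  id-token: write   # kept so the action's OIDC path still works once upstream fixes it

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # GitHub-generated merge ref for this PR, never a user-supplied ref or SHA.
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          fetch-depth: 1

      # Caveat: this job holds base-repo credentials while the checked-out tree
      # comes from a fork. Treat the tree as untrusted input for the reviewer only;
      # add no install, build or script steps that execute code from it.

      # Long-term fix proposed in the thread: a short-lived installation token
      # from a repo/org-managed GitHub App instead of the failing OIDC exchange.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - uses: anthropics/claude-code-action@v1
        with:
          github_token: ${{ steps.app-token.outputs.token }}
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}   # input name assumed
```

The App's installation permissions should mirror the workflow's permissions block (contents read, pull-requests and issues write) so the minted token stays least-privilege.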
