ci(review): Claude review workflow fails on fork PRs with no auth secret #825

@thepastaclaw

Summary

The Claude review (label: claudius-review) workflow is failing on fork-based PRs before repository checkout because no Claude auth secret is available in the pull_request context.

Evidence

Both failures show the same pattern:

  • Secret source: None
  • the job exits before checkout/review with:
    • Either 'anthropic_api_key' or 'claude_code_oauth_token' must be provided.

Diagnosis

This is not caused by the application code in those PRs. The failure happens before the repo is even checked out, so the relevant issue is workflow design / secrets availability for fork PRs.

Likely root cause:

  • the review workflow runs on pull_request
  • the PRs come from a fork (thepastaclaw/dash-evo-tool -> dashpay/dash-evo-tool)
  • GitHub does not expose repository secrets in that context, so the Claude review action cannot authenticate

Suggested fixes

Any of these would resolve the false-red required check pattern:

  1. Skip the review job when the needed secret/token is unavailable
  2. Avoid making this workflow a required status for fork PRs
  3. Rework the workflow to a safe pull_request_target-based design if maintainers actually want secret-backed review on forks

Right now the result is a repo-level CI false negative on otherwise-passing PRs.
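
One way to implement suggested fix 1, added here as an example; it is not from the issue author or the repository's actual workflow. The secret names, trigger types, job names and the final placeholder step are assumptions; only the claudius-review label comes from the issue.

```yaml
# Added example: hypothetical guarded workflow, not the repository's file.
name: Claude review (guarded)

on:
  pull_request:
    types: [labeled, synchronize]   # assumed trigger types

permissions:
  contents: read

jobs:
  auth-check:
    runs-on: ubuntu-latest
    outputs:
      available: ${{ steps.probe.outputs.available }}
    steps:
      - id: probe
        env:
          # Both expand to empty strings on fork PRs, because GitHub
          # withholds repository secrets in that pull_request context.
          API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}            # assumed secret name
          OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}  # assumed secret name
        run: |
          if [ -n "$API_KEY" ] || [ -n "$OAUTH_TOKEN" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
            echo "::notice::No Claude auth secret in this context; review skipped."
          fi

  review:
    needs: auth-check
    # The secrets context cannot be read in a job-level `if`, so the
    # decision is passed in as an output of the probe job above.
    if: >-
      contains(github.event.pull_request.labels.*.name, 'claudius-review') &&
      needs.auth-check.outputs.available == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Placeholder: the real review step, with its auth input, goes here.
      - run: echo "run the review action here"
```

A job skipped by its `if` condition reports as successful to branch protection, so a required check on `review` no longer turns red on fork PRs; the notice in `auth-check` records why no review ran.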
