Setup claude to only manually trigger

[scottf]

No description provided.

[github-actions]

Claude finished @scottf's task in 40s —— View job

---

PR Review

• Gather context
• Review changes

Summary

This PR removes the pull_request_target: types: [opened] trigger from the Claude workflow, so Claude no longer runs automatically when a PR is opened. After this change, Claude only triggers on explicit user comments (issue_comment and pull_request_review_comment).

Change:

# Removed:
  pull_request_target:
    types: [opened]

Assessment

Correctness ✅ — The change does exactly what the title says: Claude now requires manual invocation via comments rather than auto-running on every new PR.

Security ✅ — This is actually a minor security improvement. pull_request_target runs with write permissions in the base repo context, even for fork PRs. Removing automatic triggering on PR open reduces the attack surface (e.g., a malicious PR open event can no longer automatically invoke Claude with write access).

No issues found. The change is minimal, correct, and straightforward.

[scottf]

sorry @claude, this does not work. You ran without me asking

[github-actions]

Claude finished @scottf's task in 32s —— View job

---

Response

Hi @scottf — you're right, and I understand the frustration. Here's why it happened:

The pull_request_target behavior

With pull_request_target, GitHub always runs the workflow from the base branch (main), not from the PR branch. So when you opened this PR, GitHub fetched the claude.yml from main (which still had the pull_request_target: types: [opened] trigger) and ran it — even though this very PR was removing that trigger.

In short: the fix is correct, but it can't apply to itself.

Once this PR is merged, the trigger will be removed from main, and future PRs will no longer auto-invoke Claude on open. This PR is its own last victim of the behavior it's fixing.

Current invocation (now): This run was triggered by your manual @claude comment — not automatically.

---