diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index d300267f18..d211eb03d3 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -30,6 +30,18 @@ jobs:
 with:
 fetch-depth: 1
+ - name: Checkout PR branch (handles fork PRs)
+ if: github.event.issue.pull_request || github.event_name == 'pull_request_review_comment' || github.event_name == 'pull_request_review'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ if [ "${{ github.event_name }}" = "issue_comment" ]; then
+ PR_NUMBER=${{ github.event.issue.number }}
+ else
+ PR_NUMBER=${{ github.event.pull_request.number }}
+ fi
+ gh pr checkout "$PR_NUMBER"
+ - name: Run Claude Code
+ id: claude
+ uses: anthropics/claude-code-action@v1
diff --git a/.github/workflows/pr-severity.yml b/.github/workflows/pr-severity.yml
index cfce023de9..dcf6677dd1 100644
--- a/.github/workflows/pr-severity.yml
+++ b/.github/workflows/pr-severity.yml
@@ -37,6 +37,11 @@ jobs:
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 github_token: ${{ secrets.PR_SEVERITY_BOT_TOKEN }}
+ # Allow any user since this workflow only reads PR metadata via API
+ # and doesn't execute any code from the PR. Tool permissions are
+ # restricted to gh pr commands only.
+ allowed_non_write_users: "*"
+ # Allow Claude to manage labels and post comments.
 # Keep permissions minimal to limit prompt injection risk.
 claude_args: --allowedTools "Bash(gh pr view:*)" "Bash(gh pr edit:*)" "Bash(gh pr comment:*)"
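Review bot: The new "Checkout PR branch" step pulls a fork's PR head into a runner that then runs claude-code-action with this repository's secrets, and nothing in the hunk restricts who can trigger it — the `if:` only tests the event type, not `github.event.comment.author_association` or the PR author's write access; if that gate lives at job level outside the hunk, a one-line comment saying so (`# job-level if: restricts this to OWNER/MEMBER/COLLABORATOR commenters`) would keep the next reader from assuming the step is open. `gh pr checkout "$PR_NUMBER"` also fetches whatever the PR head is at run time rather than the commit a maintainer actually looked at, so an author can push after an approving comment and before the job starts; for `pull_request_review` and `pull_request_review_comment` events `github.event.pull_request.head.sha` is available, and the step could `git fetch origin "pull/$PR_NUMBER/head" && git checkout "${{ github.event.pull_request.head.sha }}"` on those paths instead (the `issue_comment` path carries no SHA and stays racy). Separately, `gh pr checkout` on a fork PR adds the fork as a remote on top of the preceding actions/checkout step, which presumably still has its default `persist-credentials: true` (the `uses:` line is outside the hunk), so the `github.token` credential remains in `.git/config` for anything later executed from the untrusted tree — worth either `persist-credentials: false` on that step or a comment explaining why the credential is needed.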
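Review bot: `allowed_non_write_users: "*"` opens the job to any GitHub account, and the added justification is too strong: the PR title and body that `gh pr view` returns are attacker-controlled text fed straight into the model, so "doesn't execute any code from the PR" does not mean the prompt-injection surface is closed — it is now reachable by anyone who can open a PR rather than only by collaborators. The `--allowedTools` list on the context line below does not bound the blast radius either: `Bash(gh pr edit:*)` matches `gh pr edit <any number> --base ... --title ... --body ... --add-reviewer ...` running under `PR_SEVERITY_BOT_TOKEN`, so an injected instruction can retarget or rewrite an unrelated PR, and the wildcard also lets any account burn Claude quota by opening throwaway PRs. Scope the tool to labels on the triggering PR, e.g. `"Bash(gh pr edit ${{ github.event.pull_request.number }} --add-label:*)"` plus the matching `--remove-label` form (assuming the workflow runs on `pull_request` so that expression resolves, and that Claude Code's prefix-match permission syntax accepts the expanded number — verify both), and reword the comment to `# Any user may trigger this job; the PR title/body are untrusted model input, so tools are scoped to labels/comments on this PR only.`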