
update workflow

ding113 1 bulan lalu
induk
melakukan
20c95bbe91

+ 19 - 0
.github/workflows/claude-issue-auto-response.yml

@@ -10,7 +10,21 @@ jobs:
     outputs:
       should_run: ${{ steps.check.outputs.should_run }}
     steps:
+      - name: Check user permissions
+        id: perm_check
+        run: |
+          # 外部用户直接跳过 Codex 检查
+          if [[ "${{ github.event.issue.author_association }}" == "NONE" ]]; then
+            echo "External user detected, skipping Codex check"
+            echo "should_run=true" >> $GITHUB_OUTPUT
+            echo "EXTERNAL_USER=true" >> $GITHUB_OUTPUT
+          else
+            echo "Internal user, will check Codex status"
+            echo "EXTERNAL_USER=false" >> $GITHUB_OUTPUT
+          fi
+
       - name: Check if Codex workflow succeeded for this issue
+        if: steps.perm_check.outputs.EXTERNAL_USER == 'false'
         id: check
         uses: actions/github-script@v7
         with:
@@ -61,6 +75,11 @@ jobs:
             console.log('Timeout waiting for Codex, running Claude');
             core.setOutput('should_run', 'true');
 
+      - name: Set output for external users
+        if: steps.perm_check.outputs.EXTERNAL_USER == 'true'
+        run: |
+          echo "should_run=true" >> $GITHUB_OUTPUT
+
   auto-response:
     needs: check-codex-status
     if: needs.check-codex-status.outputs.should_run == 'true'
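Review bot: The unchanged job output `should_run: ${{ steps.check.outputs.should_run }}` reads only from step `check`, which the new `if: steps.perm_check.outputs.EXTERNAL_USER == 'false'` skips for external authors, so for them the output is empty and `auto-response` never passes its `if`. The `should_run=true` lines written by `perm_check` and by the `Set output for external users` step are not picked up by that mapping, and the latter step has no `id`, so its output cannot be referenced at all. Map the output to both steps, for example `should_run: ${{ steps.perm_check.outputs.should_run || steps.check.outputs.should_run }}`, and drop the extra step. The `check-codex-status` job in `.github/workflows/claude-pr-review.yml` has the same problem. The job header sits outside the hunk, so confirm there is no other output mapping before changing it.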

+ 19 - 0
.github/workflows/claude-pr-review.yml

@@ -14,7 +14,21 @@ jobs:
     outputs:
       should_run: ${{ steps.check.outputs.should_run }}
     steps:
+      - name: Check user permissions
+        id: perm_check
+        run: |
+          # 外部用户直接跳过 Codex 检查
+          if [[ "${{ github.event.pull_request.author_association }}" == "NONE" ]]; then
+            echo "External user detected, skipping Codex check"
+            echo "should_run=true" >> $GITHUB_OUTPUT
+            echo "EXTERNAL_USER=true" >> $GITHUB_OUTPUT
+          else
+            echo "Internal user, will check Codex status"
+            echo "EXTERNAL_USER=false" >> $GITHUB_OUTPUT
+          fi
+
       - name: Check if Codex workflow succeeded for this PR
+        if: steps.perm_check.outputs.EXTERNAL_USER == 'false'
         id: check
         uses: actions/github-script@v7
         with:
@@ -66,6 +80,11 @@ jobs:
             console.log('Timeout waiting for Codex, running Claude');
             core.setOutput('should_run', 'true');
 
+      - name: Set output for external users
+        if: steps.perm_check.outputs.EXTERNAL_USER == 'true'
+        run: |
+          echo "should_run=true" >> $GITHUB_OUTPUT
+
   pr-review:
     needs: check-codex-status
     if: needs.check-codex-status.outputs.should_run == 'true'
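Review bot: The `== "NONE"` test in `Check user permissions` does not match the allow-list this commit adds to the Codex workflows. Authors with associations such as `FIRST_TIMER` or `FIRST_TIME_CONTRIBUTOR` are logged as "Internal user" here but are excluded by the Codex job's `if`, so the polling step presumably waits for a run that never starts until it reaches the timeout branch. Deriving `EXTERNAL_USER` from the same association list the Codex workflow uses would keep the two gates in step. Passing the value through `env:` (`ASSOCIATION: ${{ github.event.pull_request.author_association }}`, then testing `"$ASSOCIATION"`) would also keep expression expansion out of the script body, which is the usual hardening pattern even though this field is a fixed enum. `.github/workflows/claude-issue-auto-response.yml` contains the same check.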

+ 5 - 0
.github/workflows/codex-issue-auto-response.yml

@@ -6,6 +6,11 @@ on:
 
 jobs:
   auto-response:
+    # 仅对有写入权限的用户运行
+    if: |
+      github.event.issue.author_association == 'OWNER' ||
+      github.event.issue.author_association == 'MEMBER' ||
+      github.event.issue.author_association == 'CONTRIBUTOR'
     runs-on: ubuntu-latest
     permissions:
       contents: read
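Review bot: `COLLABORATOR` is missing from this `if`, although the equivalent condition added to `.github/workflows/codex-pr-review.yml` in the same commit includes it. Issues opened by an outside collaborator are therefore skipped by Codex here. The Claude workflow treats the same author as internal and waits for a Codex run. Add `github.event.issue.author_association == 'COLLABORATOR'` to the list so both Codex workflows gate on the same set.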

+ 5 - 1
.github/workflows/codex-pr-review.yml

@@ -6,8 +6,12 @@ on:
 
 jobs:
   pr-review:
-    # Skip draft PRs and bot actors
+    # 仅对有写入权限的用户运行,且跳过 draft PR 和 bot
     if: |
+      (github.event.pull_request.author_association == 'OWNER' ||
+       github.event.pull_request.author_association == 'MEMBER' ||
+       github.event.pull_request.author_association == 'CONTRIBUTOR' ||
+       github.event.pull_request.author_association == 'COLLABORATOR') &&
       github.event.pull_request.draft == false &&
       !endsWith(github.actor, '[bot]')
     runs-on: ubuntu-latest
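Review bot: The new comment says the job runs only for users with write permission, but `CONTRIBUTOR` in the condition carries no repository permission; it only means the author has had a commit merged before. If this job can reach secrets or a write-scoped token (the trigger and the steps are outside the hunk), a past contributor's fork PR would pass this gate. Either drop the `github.event.pull_request.author_association == 'CONTRIBUTOR' ||` line, or reword the comment to say what the gate actually admits, e.g. `# Run only for owners, members, collaborators and previous contributors; skip draft PRs and bots`. The same comment and `CONTRIBUTOR` entry appear in `.github/workflows/codex-issue-auto-response.yml`.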