Fix Auto Review skipped on maintainer PRs

[scottf]

Problem

Automatic PR review (claude / Automatic) stopped running on maintainer PRs in nats-io/nats.java. The job didn't error — it was skipped, because its if: condition evaluated false.

The cause: commit #11 (5b7104f, what v2/v2.3.0 point to) added an author allow-list to the gate:

if: >
  github.event_name == 'pull_request_target' &&
  contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association)

The PR author (scottf) is a nats-io member, but his membership is private. In a pull_request_target event, the webhook payload reports author_association as a downgraded value (CONTRIBUTOR/NONE) for private members — never MEMBER. So the allow-list never matched, and the job skipped on every maintainer PR.

(The REST API returns MEMBER for the same PR, which is why it looked like the allow-list should have matched. The webhook payload and the REST API disagree.)

Fix

Changed the gate to check whether the PR comes from a fork instead of checking the author's association:

if: >
  github.event_name == 'pull_request_target' &&
  github.event.pull_request.head.repo.fork == false

This keeps the original security intent (don't run the secret-bearing review job for untrusted fork PRs) but no longer depends on org-membership visibility. Maintainers push branches to the repo itself (fork == false), so their PRs now run. Fork PRs are still gated out.

What changed

• .github/workflows/claude.yml — claude-auto-review job if: condition (and its explanatory comment) updated as above. No other job was touched; the interactive @claude job never used author_association and is unaffected.

Still to do (publish)

The fix has to reach consumers through the moving v2 tag:

1. Commit the change.
2. Move v2 to the fix commit; cut a new immutable tag (e.g. v2.3.1).
3. Open a maintainer PR in nats-io/nats.java and confirm claude / Automatic
   runs instead of skipping.