fix(ci): address review comments — tighten auth guards, fix review event handling, align adb docs

- Tighten author_association to OWNER/MEMBER/COLLABORATOR (was != NONE)
- Handle pull_request_review events correctly (use review.author_association)
- Align adb exceptions between agent-device and fix-github-issue skills
- claude-code-action@beta not pinned (moving tag, need latest beta features)

Author: naqvitalha

.claude/skills/agent-device/SKILL.md

@@ -9,7 +9,7 @@ description: Interact with iOS simulator or Android emulator/device using snapsh
 
 **Banned tools/commands** (never use these for device interaction, even if they seem easier):
 
-- `adb` / `adb shell` — no `input tap`, `input swipe`, `input text`, `screencap`, `am start`, etc. (exception: `adb shell screenrecord` + `adb pull` for Android recording — see "Android Recording Workaround")
+- `adb` for UI interaction — no `input tap`, `input swipe`, `input text`, `screencap`, etc. Allowed exceptions: `adb devices`, `adb wait-for-device`, `adb install`, `adb reverse`, `adb shell getprop`, `adb shell am`, `adb shell pm`, `adb shell screenrecord` + `adb pull` (see "Android Recording Workaround"), `adb shell kill`/`adb shell pidof` (for stopping screenrecord)
 - Mobile MCP tools — no `mobile_click_on_screen_at_coordinates`, `mobile_take_screenshot`, `mobile_list_elements_on_screen`, `mobile_swipe_on_screen`, `mobile_type_keys`, `mobile_press_button`, `mobile_long_press_on_screen_at_coordinates`, or any other `mobile_*` tool
 - `xcrun simctl` — no `simctl io screenshot`, `simctl launch`, `simctl openurl`, etc. (exception: `simctl list devices` to check boot state is OK)
 - `osascript` / AppleScript for simulator control

.github/workflows/agent-android-bot.yml

@@ -46,7 +46,11 @@ jobs:
       (
         contains(github.event.comment.body || github.event.review.body, '@android-agent') &&
         !contains(github.event.comment.body || github.event.review.body, '/fix') &&
-        github.event.comment.author_association != 'NONE'
+        (
+          (github.event.comment.author_association || github.event.review.author_association) == 'OWNER' ||
+          (github.event.comment.author_association || github.event.review.author_association) == 'MEMBER' ||
+          (github.event.comment.author_association || github.event.review.author_association) == 'COLLABORATOR'
+        )
       )
     steps:
       - name: Checkout

.github/workflows/agent-bot.yml

@@ -43,7 +43,11 @@ jobs:
       (
         contains(github.event.comment.body || github.event.review.body, '@agent') &&
         !contains(github.event.comment.body || github.event.review.body, '/fix') &&
-        github.event.comment.author_association != 'NONE'
+        (
+          (github.event.comment.author_association || github.event.review.author_association) == 'OWNER' ||
+          (github.event.comment.author_association || github.event.review.author_association) == 'MEMBER' ||
+          (github.event.comment.author_association || github.event.review.author_association) == 'COLLABORATOR'
+        )
       )
     steps:
       - name: Checkout

.github/workflows/agent-fix.yml

@@ -37,7 +37,11 @@ jobs:
         github.event.action == 'created' &&
         contains(github.event.comment.body, '/fix') &&
         !github.event.issue.pull_request &&
-        github.event.comment.author_association != 'NONE'
+        (
+          github.event.comment.author_association == 'OWNER' ||
+          github.event.comment.author_association == 'MEMBER' ||
+          github.event.comment.author_association == 'COLLABORATOR'
+        )
       )
     timeout-minutes: 60
     steps: