Add Claude Code GitHub Workflow (#700)

## 🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code
integration in our repository.

### What is Claude Code?

[Claude Code](https://claude.com/claude-code) is an AI coding agent that
can help with:
- Bug fixes and improvements  
- Documentation updates
- Implementing new features
- Code reviews and suggestions
- Writing tests
- And more!

### How it works

Once this PR is merged, we'll be able to interact with Claude by
mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and
surrounding context, and execute on the request in a GitHub action.

### Important Notes

- **This workflow won't take effect until this PR is merged**
- **@claude mentions won't work until after the merge is complete**
- The workflow runs automatically whenever Claude is mentioned in PR or
issue comments
- Claude gets access to the entire PR or issue context including files,
diffs, and previous comments

### Security

- Our Anthropic API key is securely stored as a GitHub Actions secret
- Only users with write access to the repository can trigger the
workflow
- All Claude runs are stored in the GitHub Actions run history
- Claude's default tools are limited to reading/writing files and
interacting with our repo by creating comments, branches, and commits.
- We can add more allowed tools by adding them to the workflow file
like:

```
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)
```

There's more information in the [Claude Code action
repo](https://github.com/anthropics/claude-code-action).

After merging this PR, let's try mentioning @claude in a comment on any
PR to get started!

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Added automated code review workflow to the CI/CD pipeline for pull
request validation.
* Streamlined existing workflow configurations with updated dependency
management and improved action setup.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: bootjp

.github/workflows/claude.yml

@@ -26,67 +26,13 @@ jobs:
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      # TEMPORARY diagnostic. Verifies whether the OAuth token works against
-      # `claude --print` directly on the runner (i.e., bypassing the action /
-      # agent SDK entirely), so we can localize the failure to either:
-      #   - SDK auth-forwarding (diag passes, main fails), or
-      #   - runner ↔ Anthropic OAuth backend (diag fails, main fails).
-      #
-      # Split into two steps so the OAuth token is never present in the env
-      # of `curl | bash` or its subprocesses (Codex P2): the installer runs
-      # without the secret; only the verify step has it, and only for the
-      # single claude invocation. Both diagnostic steps are
-      # `continue-on-error: true` so neither a transient install failure nor
-      # a runner-side OAuth failure can short-circuit `Run Claude Code` —
-      # both step results need to be observed for the isolation logic to
-      # work, and temporary diagnostic infrastructure must not block normal
-      # `@claude` handling (Codex P1, both rounds).
-      #
-      # Token-leak hardening:
-      #   - secret is scoped to the verify step only
-      #   - never enables `set -x`; explicit `set +x` defends against
-      #     ACTIONS_STEP_DEBUG also enabling xtrace
-      #   - token reaches `claude` only via env, never as a command-line arg
-      #   - no --debug / --verbose on `claude`
-      #   - HOME is an ephemeral tmp dir; runner is destroyed after the job
-      #   - GitHub Actions secret-masking covers any literal occurrence anyway
-      #
-      # Remove these two steps (and rotate CLAUDE_CODE_OAUTH_TOKEN) once the
-      # diagnostic question is answered.
-      - name: Install Claude CLI for diag (no secrets in env)
-        continue-on-error: true
-        run: |
-          set -euo pipefail
-          set +x
-          curl -fsSL https://claude.ai/install.sh | bash -s -- 2.1.119 >/dev/null 2>&1
-
-      - name: Verify OAuth on the runner (diag only)
-        continue-on-error: true
-        env:
-          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-        run: |
-          set -euo pipefail
-          set +x
-          export PATH="$HOME/.local/bin:$PATH"
-          TMPHOME="$(mktemp -d)"
-          HOME="$TMPHOME" ANTHROPIC_API_KEY="" claude --print "ok"
-
       - name: Run Claude Code
         id: claude
-        # Pinned to v1.0.107 + explicit env. As of 2026-04-28, the OAuth token
-        # passed only via the `with:` input is not reaching the Claude Code
-        # child process spawned by the agent SDK's query() — the SDK throws
-        # `Could not resolve [authentication]` even though the same token
-        # works locally with `claude --print`. Setting CLAUDE_CODE_OAUTH_TOKEN
-        # in the step's env: forces it onto process.env so parse-sdk-options
-        # forwards it to the child. Revisit once upstream ships a fix.
-        uses: anthropics/claude-code-action@7eab1296cc65117d50ac2a2fa5f00a30ec84d3d5 # v1.0.107
-        env:
-          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+        uses: anthropics/claude-code-action@v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
@@ -100,5 +46,5 @@ jobs:
           # Optional: Add claude_args to customize behavior and configuration
           # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
           # or https://code.claude.com/docs/en/cli-reference for available options
-          # claude_args: '--allowed-tools Bash(gh pr:*)'
+          # claude_args: '--allowed-tools Bash(gh pr *)'