Pass --allowed-tools to security-audit's Claude invocation

The default tool allowlist in claude-code-action excludes Bash and
Write, so the auditing prompt's attempts to run `gh api` and produce
the report files were denied 38 times in run 26306994059. Claude
exited with a "success" subtype despite the denials, so the workflow
proceeded without audit-status.txt and the issue-reporting step
treated it as a failure.

Pass --allowed-tools "Read,Write,Edit,Bash,Grep,Glob" via the action's
claude_args input so the audit can actually exercise the tools the
prompt asks for.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: nedtwigg

.github/workflows/security-audit.yaml

@@ -15,6 +15,7 @@ permissions:
   actions: read
   issues: write
   id-token: write
+  administration: read
 
 jobs:
   audit:
@@ -42,6 +43,12 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          # Without an explicit allowlist the action defaults to a
+          # restrictive set that excludes Bash and Write, so an
+          # auditing prompt that wants to run `gh api` and produce a
+          # report file racks up permission denials and exits without
+          # writing audit-status.txt.
+          claude_args: '--allowed-tools "Read,Write,Edit,Bash,Grep,Glob"'
           prompt: |
             You are auditing this repository against SECURITY.md. The
             specifications are concrete `FAIL IF` lines plus the