Fix PR Review Assistant not being able to push the review comment

[rafaellehmkuhl]

As can be seen on #2603, the PR Review Assistant action is running correctly, but is failing to push the comment to Github. This PR fixes that.

The system prompt instructs the model to write the review to review.md before posting it via gh pr comment --body-file, but Write was not in allowed_tools, so every file-creation attempt was denied. Sonnet 4 coincidentally pivoted to an inline --body fallback; Opus 4.6 kept retrying file-write variants and exhausted max_turns before falling back, so no review was posted.

This is safe: the job runs on the trusted base ref (never the PR head), permissions: contents: read prevents any repo/push writes, and the runner filesystem is ephemeral — Write only lets the model create scratch files like review.md inside the throwaway runner.

[github-actions]

Automated PR Review (Claude)

0. Summary

Verdict: READY TO MERGE

This PR adds Write to the allowed_tools list for the Claude Code base action in the PR review workflow (.github/workflows/claude-pr-review.yml). The system prompt instructs the review agent to write its review to review.md before posting via gh pr comment --body-file, but the Write tool was missing from the allow-list, causing the agent to fail to post comments (as observed in #2603). The change is minimal (1 addition, 1 deletion), correctly scoped, and the existing security controls (pull_request_target checking out only the base ref, permissions: contents: read) remain intact.

1. Correctness & Implementation Bugs

No findings.

2. AGENTS.md Adherence

No findings. This is a CI-only change with no TypeScript/Vue code, no new dependencies, and no changes to package.json.

3. Security

3.1 Obfuscated or intentionally unreadable code. — No findings.

3.2 Suspicious base64/hex/long-encoded blobs. — No findings.

3.3 Hidden Unicode, zero-width characters, homoglyph attacks. — No findings.

3.4 Unexpected network calls or exfiltration patterns. — No findings.

3.5 Changes to CI workflows that could execute arbitrary code or weaken sandboxing. (minor)
The Write tool is being added to the Claude Code actions allow-list. This grants the agent the ability to create/overwrite files on the runner filesystem. Key mitigations already in place:

• The workflow uses pull_request_target and checks out only the base ref (line 24 comment explicitly documents this). The PR head code is never checked out or executed.
• permissions: contents: read prevents any git push or repo-write operations via GITHUB_TOKEN.
• The runner is ephemeral (destroyed after the job completes).
• The agent only uses Write to create a scratch file (review.md) before posting it as a comment.

Given these mitigations, the risk is negligible. The Write tool cannot be used to modify the checked-out repo in a way that persists or to exfiltrate secrets beyond what Bash(gh:*) already permits. This is acceptable.

3.6 Secret handling. — No new secrets, tokens, or credentials introduced. No weakened CORS/CSP. No eval or equivalent.

3.7 New dependencies. — No new dependencies added.

3.8 Other suspicious patterns. — No findings.

4. Performance

No findings.

5. UI / UX

No findings. This is a CI-only change with no user-facing impact.

6. Code Quality & Style

No findings. The single-line addition follows the existing comma-separated format of the allowed_tools string.

7. Tests

No findings. CI workflow configuration changes are not typically unit-tested; the workflow itself serves as its own integration test.

8. Documentation

No findings. The PR body adequately explains the rationale and security considerations.

9. Nitpicks / Optional

No findings.

Generated by Claude. This is advisory; a human reviewer must still approve.