Fix Claude review steps in ClauDependabot workflow

[danielorbach]

The ClauDependabot workflow's Claude review steps were silently failing: Claude ran 13 turns with 11 permission denials and never posted its review comment (run #23004309970).

Two issues, both caused by differences between this workflow and the working one in go-digitaltwin/go-digitaltwin:

Missing file-reading tools. This workflow added actions/checkout so Claude could read local files, but in agent mode claude-code-action does not inject default tools (unlike tag mode which includes Read, Glob, Grep, etc.). The allowedTools whitelist only had Bash(gh ...) patterns, so every attempt to read the checkout was denied.

No workflow summary report. claude-code-action v1.0.65 changed display_report default to false, and v1.0.66 stripped detailed permission_denials from sanitized output (both in PR #992 and PR #993). These changes protect against prompt injection from untrusted input rendered in the Step Summary. Since this workflow only triggers on Dependabot PRs (trusted actor, controlled input), the threat model does not apply; display_report is re-enabled explicitly.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0a19a694-ed68-4622-a4fd-9806d55cd6ad

📥 Commits

Reviewing files that changed from the base of the PR and between 7001f34 and cd5a35e.

📒 Files selected for processing (1)

• .github/workflows/claudependabot.yml

---

📝 Walkthrough

Walkthrough

This PR updates .github/workflows/claudependabot.yml: enables display_report: true for Claude review steps, expands Claude CLI --allowedTools to include Read,Glob,Grep for both minor and major reviews, and adds “Before reviewing” pre-review guidance with skip/compare instructions for minor and major review flows.

Changes

Cohort / File(s)	Summary
GitHub Actions workflow .github/workflows/claudependabot.yml	Enabled display_report: true for minor and major Claude review tasks; added --allowedTools "Read,Glob,Grep" to both minor and major claude_args; inserted new “Before reviewing” blocks—minor includes a simple skip condition, major includes a compare-then-skip condition and guidance to only post new reviews when analysis changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Review Dependabot minor and major updates with Claude Code #19 — Edits the same .github/workflows/claudependabot.yml, adjusting Claude CLI allowed tools and review prompt/skip logic.

Poem

🐰 I peeked at workflows late at night,

Read, Glob, Grep now sharpen my sight,
Reports unfurled in tidy array,
I skip what’s same and help convey,
A tiny hop for clearer review delight.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly summarizes the main change: fixing Claude review steps in the ClauDependabot workflow, which matches the core purpose of the PR.
Description check	✅ Passed	The description is directly related to the changeset, providing detailed context about the two issues being fixed and explaining the root causes and solutions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-claudependabot-tools

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can validate your CodeRabbit configuration file in your editor.

If your editor has YAML language server, you can enable auto-completion and validation by adding # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json at the top of your CodeRabbit configuration file.

[galactic-king]