chore(deps): update anthropics/claude-code-action action to v1.0.94

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
anthropics/claude-code-action	action	patch	v1.0.93 → v1.0.94	v1.0.101 (+6)

---

Release Notes

anthropics/claude-code-action (anthropics/claude-code-action)

v1.0.94

Compare Source

What's Changed

• Prepend system bin dirs to PATH when allowed_non_write_users is set by @​OctavianGuzu in #​1208

Full Changelog: anthropics/claude-code-action@v1...v1.0.94

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

• Single Change: Prepends system binary directories (/usr/bin and /bin) to PATH when allowed_non_write_users is set
• Purpose: Ensures standard POSIX tools (git, tar, zstd) resolve from trusted system locations, preventing PATH hijacking by earlier setup actions
• Security Enhancement: Post-step cleanup also clears dangerous environment variables (BASH_ENV, LD_PRELOAD, etc.)
• No Breaking Changes: This is a patch release with backward-compatible changes only
• Implementation: Adds pre/post steps to action.yml that are gated on allowed_non_write_users != '' condition
• Error Handling: Uses continue-on-error: true for safe degradation

🎯 Impact Scope Investigation

• Usage Locations Identified:
  • .github/workflows/ci.yml (2 occurrences): content-review and code-review jobs
  • .github/workflows/claude.yml (1 occurrence): interactive Claude execution
• Configuration Analysis:
  • Our workflows use allowed_bots: 'lacolaco-actions-worker[bot]' parameter
  • We do NOT use allowed_non_write_users parameter
  • Critical Finding: The PATH prepending logic in v1.0.94 is gated on allowed_non_write_users != '', which means it will NOT activate in our workflows
• Workflow Context:
  • CI jobs only use actions/checkout before claude-code-action (no pnpm/node setup in these specific jobs)
  • Other jobs in ci.yml use pnpm/action-setup and actions/setup-node, but these are in separate jobs
  • No PATH contamination risk in current workflow structure
• Dependency Impact: None - this is a GitHub Action version update with no cascading package dependencies

💡 Recommended Actions

1. Immediate Action: Merge this PR safely - no code changes or configuration updates required
2. No Migration Needed: The new PATH prepending feature is opt-in (requires allowed_non_write_users parameter) and does not affect our current workflows
3. Verification: The version bump only updates the commit SHA in workflow files, maintaining identical functionality
4. Future Consideration: If we ever need to use allowed_non_write_users for security hardening, this update provides the necessary PATH protection automatically

🔗 Reference Links

• Release Notes v1.0.94
• PR #1208: Prepend system bin dirs to PATH
• Full Changelog

Generated by koki-develop/claude-renovate-review