chore(deps): update github actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
anthropics/claude-code-action	action	patch	v1.0.89 → v1.0.101	v1.0.107 (+5)
koki-develop/claude-renovate-review	action	minor	v1.2.0 → v1.3.0

---

Release Notes

anthropics/claude-code-action (anthropics/claude-code-action)

v1.0.101

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.101

v1.0.100

Compare Source

What's Changed

• Upgrade Claude model from opus-4-6 to opus-4-7 by @​ashwin-ant in #​1227
• fix: pass install.sh binary path to Agent SDK after 0.2.113 bump by @​ashwin-ant in #​1235

Full Changelog: anthropics/claude-code-action@v1...v1.0.100

v1.0.99

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.99

v1.0.98

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.98

v1.0.97

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.97

v1.0.96

Compare Source

What's Changed

• fix: handle fork PRs by fetching via refs/pull/N/head by @​stakeswky in #​963

New Contributors

• @​stakeswky made their first contribution in #​963

Full Changelog: anthropics/claude-code-action@v1...v1.0.96

v1.0.95

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.95

v1.0.94

Compare Source

What's Changed

• Prepend system bin dirs to PATH when allowed_non_write_users is set by @​OctavianGuzu in #​1208

Full Changelog: anthropics/claude-code-action@v1...v1.0.94

v1.0.93

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.93

v1.0.92

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.92

v1.0.91

Compare Source

What's Changed

• Use pinned bun binary for post-steps when allowed_non_write_users is set by @​OctavianGuzu in #​1190

Full Changelog: anthropics/claude-code-action@v1...v1.0.91

v1.0.90

Compare Source

What's Changed

• fix: forward MCP_TIMEOUT, MCP_TOOL_TIMEOUT, MAX_MCP_OUTPUT_TOKENS to action step by @​qozle in #​1162
• security: reject PATH_TO_CLAUDE_CODE_EXECUTABLE with control characters by @​qozle in #​1185

Full Changelog: anthropics/claude-code-action@v1...v1.0.90

koki-develop/claude-renovate-review (koki-develop/claude-renovate-review)

v1.3.0

Compare Source

Features

• broaden release content investigation to reference all available resources (17186bb)

Bug Fixes

• deps: update anthropics/claude-code-action action to v1.0.33 (#​35) (1e2dcba)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

anthropics/claude-code-action (v1.0.89 → v1.0.101)

Key Improvements:

• Model Upgrade: Claude model upgraded from opus-4-6 to opus-4-7 (v1.0.100)
• Fork PR Support: Fixed handling of fork PRs by fetching via refs/pull/N/head (v1.0.96)
• MCP Configuration: Fixed MCP_TIMEOUT, MCP_TOOL_TIMEOUT, MAX_MCP_OUTPUT_TOKENS environment variable forwarding (v1.0.90)

Security Fixes:

• PATH Injection Prevention: Rejects PATH_TO_CLAUDE_CODE_EXECUTABLE with control characters to prevent PATH injection attacks (v1.0.90)
• System Binary Resolution: Prepends system bin directories to PATH when allowed_non_write_users is set (v1.0.94)

Internal Improvements:

• Agent SDK bumped from 0.2.94 to 0.2.114
• Claude Code bumped from 2.1.94 to 2.1.114
• Fixed binary path resolution for Agent SDK 0.2.113+ which dropped vendor/ripgrep
• Bun binary pinning for post-steps when allowed_non_write_users is set

Backward Compatibility:

• All inputs and outputs remain unchanged
• No breaking API changes
• All existing workflow configurations remain valid

koki-develop/claude-renovate-review (v1.2.0 → v1.3.0)

Key Improvements:

• Enhanced Investigation: Broadened release content investigation to reference all available resources (changelog, migration guides, documentation, issues, discussions, PRs, source code diffs)

Internal Updates:

• Updated anthropics/claude-code-action dependency to v1.0.33
• Updated actions/checkout to v6.0.2

Backward Compatibility:

• All inputs and outputs remain unchanged
• No breaking API changes

🎯 Impact Scope Investigation

Usage Analysis:

• Both actions are used exclusively in .github/workflows/ci.yml
• No configuration files or environment dependencies beyond secrets
• Current workflow uses standard inputs that are fully compatible with new versions

Workflow Configuration:

1. renovate-review job (line 95):

   • Uses: koki-develop/claude-renovate-review@v1.3.0
   • Inputs: claude-code-oauth-token, allowed-tools
   • Outputs: safety-assessment (consumed by gate step)
   • Status: ✅ All inputs/outputs compatible

2. code-review job (line 134):

   • Uses: anthropics/claude-code-action@v1.0.101
   • Inputs: claude_code_oauth_token, allowed_bots, use_sticky_comment, prompt, claude_args
   • Status: ✅ All inputs compatible

Dependencies:

• No changes to required secrets (CLAUDE_CODE_OAUTH_TOKEN remains the only required secret)
• No changes to repository permissions or GitHub token requirements
• No changes to Node.js, pnpm, or other runtime dependencies

💡 Recommended Actions

1. Immediate Merge: This PR is safe to merge without any code changes
2. Benefits:
   • Improved AI model (opus-4-7) for better code review quality
   • Enhanced security against PATH injection attacks
   • Better fork PR handling for external contributors
   • More comprehensive Renovate review investigations
3. Testing: The changes are internal to the actions and will be validated automatically by the CI workflow itself when this PR runs

🔗 Reference Links

• claude-code-action v1.0.100 Release - Model upgrade to opus-4-7
• claude-code-action v1.0.96 Release - Fork PR support
• claude-code-action v1.0.90 Release - Security and MCP fixes
• claude-renovate-review v1.3.0 Release - Enhanced investigation
• Security Fix PR #1185 - PATH injection prevention
• MCP Environment Fix PR #1162 - MCP timeout configuration
• Fork PR Fix PR #963 - Cross-repository PR handling

Generated by koki-develop/claude-renovate-review