The labelling approach introduced in
6089075265765b43e6666e4d5978292a32501496
means contributors can now trigger the workflow on their own when the label
is added by a maintainer and they update the PR. Hence we need to allow all
users to access the claude code action. This is safe because we already gate
the workflow ourselves to only the contributors that we want to allow.
Additionally, the claude code job has no permissions anymore except read access
to the repository and can execute very limited tools, so this should be safe.
# Required by claude-code-action even though Claude itself doesn't
# call the GitHub API — the action uses it for permission checks.
github_token: ${{ secrets.GITHUB_TOKEN }}
+ # Safe because the workflow's `if` condition already restricts
+ # execution to trusted actors (MEMBER/OWNER/COLLABORATOR) or PRs
+ # that a trusted actor explicitly labeled, and this job only has
+ # read-only permissions.
+ allowed_non_write_users: "*"
track_progress: false
show_full_output: "true"
claude_args: |
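Review bot: the safety of `allowed_non_write_users: "*"` rests entirely on a condition that lives outside this hunk (the workflow-level `if` the comment refers to), so the comment should quote or point at that exact expression and the job's `permissions:` block, otherwise a later edit to the `if` (for example adding another trigger or relaxing the author-association list) silently widens who can run the action with no diff in this file to flag it. The comment also understates what the label grants: per the commit message, once a trusted actor labels a PR the contributor can re-trigger the job on every subsequent push, so "PRs that a trusted actor explicitly labeled" really means "any later revision of a PR that was labeled once"; spelling that out here, and confirming the label is meant to persist across `synchronize` events, makes the trust boundary explicit for whoever reviews this next. Minor style point: `track_progress: false` is a bare boolean while `show_full_output: "true"` is a quoted string; pick one form for both.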