
refactor(ci): migrate security fix agent to claude-code-action #2085

Merged
peppescg merged 2 commits into main from refactor/security-agent-claude-code-action
Apr 23, 2026

@peppescg
Collaborator

Summary

  • Replace direct claude CLI invocation (npm install -g @anthropic-ai/claude-code + claude -p) with anthropics/claude-code-action GitHub Action in the security fix agent workflow
  • Matches the pattern already used by the bug fix agent workflow
  • Add proper job-level permissions and timeout-minutes
  • Add continue-on-error and conditional gating between phases

Changes

  • Removed: Install Claude Code step (no more global npm install)
  • Converted: Phase 1 (Opus) and Phase 2 (Sonnet) to use anthropics/claude-code-action@v1
  • Added: permissions block (contents: write, pull-requests: write, issues: write, id-token: write)
  • Added: timeout-minutes: 45
  • Added: continue-on-error: true on both phases with conditional gating (Phase 2 only runs if Phase 1 succeeds)
  • Added: Bash(pnpm run test:nonInteractive *), Bash(pnpm run lint), Bash(pnpm run type-check) to Phase 2 allowed tools

Test plan

  • Verify workflow YAML is valid (no syntax errors)
  • Trigger a manual workflow_dispatch of the security fix cron to confirm the agent runs correctly
  • Confirm the action picks up ANTHROPIC_API_KEY and runs both phases

🤖 Generated with Claude Code

Replace direct claude CLI invocation with anthropics/claude-code-action
GitHub Action, matching the pattern used by the bug fix agent workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 23, 2026 11:02
Contributor

Copilot AI left a comment

Pull request overview

Migrates the “security fix agent” workflow from a direct claude CLI invocation to the pinned anthropics/claude-code-action@v1 pattern already used elsewhere in CI, and adds job safeguards/controls for reliability and permissions.

Changes:

  • Replaces global npm install -g @anthropic-ai/claude-code + claude -p execution with anthropics/claude-code-action@v1 for Phase 1 (Opus) and Phase 2 (Sonnet).
  • Adds job-level timeout-minutes and explicit permissions for repo/PR/issue operations.
  • Adds continue-on-error and gates Phase 2 (and downstream “Check for changes”) on Phase 1/2 success.

Comment thread .github/workflows/_security-fix-agent.yml Outdated
@peppescg peppescg self-assigned this Apr 23, 2026
Phase 1 needs Write (not Edit) to create remediation-plan.md.
Phase 2 needs Write to create pr-body.md and remediation-title.txt.
Without --dangerously-skip-permissions, claude-code-action enforces
tool permissions — missing Write would block file creation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
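
A sketch of the job shape this pull request describes, added here as an illustration and not taken from the repository's `_security-fix-agent.yml`. The trigger, step ids, prompts, the `opus`/`sonnet` model aliases and the read-only tool names are assumptions; the permissions, timeout, file names and `Bash(...)` entries are the ones listed in the conversation above.

```yaml
# Added sketch, not the project's workflow. Prompts, step ids, trigger and
# the Read/Glob/Grep entries are assumptions made for illustration.
name: security-fix-agent (sketch)
on:
  workflow_dispatch:

jobs:
  security-fix:
    runs-on: ubuntu-latest
    timeout-minutes: 45            # bounds a stuck agent run
    permissions:                   # job-level; scopes not listed get no access
      contents: write
      pull-requests: write
      issues: write
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - name: Phase 1 - plan (Opus)
        id: phase1
        continue-on-error: true
        uses: anthropics/claude-code-action@v1   # a full commit SHA pins more tightly than a tag
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: "Write a remediation plan to remediation-plan.md"   # placeholder prompt
          # Write (not Edit) is what allows creating a new file; no Bash in the planning phase.
          claude_args: |
            --model opus
            --allowedTools "Read,Glob,Grep,Write"

      - name: Phase 2 - apply (Sonnet)
        id: phase2
        # With continue-on-error, `conclusion` reports success even when the
        # step failed; `outcome` keeps the real result, so the gate uses it.
        if: steps.phase1.outcome == 'success'
        continue-on-error: true
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: "Apply remediation-plan.md; write pr-body.md and remediation-title.txt"   # placeholder prompt
          claude_args: |
            --model sonnet
            --allowedTools "Read,Edit,Write,Bash(pnpm run test:nonInteractive *),Bash(pnpm run lint),Bash(pnpm run type-check)"

      - name: Check for changes
        if: steps.phase2.outcome == 'success'
        run: git status --porcelain
```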
Collaborator

@samuv samuv left a comment

🚀

@peppescg peppescg merged commit 7faad2c into main Apr 23, 2026
17 checks passed
@peppescg peppescg deleted the refactor/security-agent-claude-code-action branch April 23, 2026 11:48
3 participants