fix(claude-review): skip claude-code-action for dependabot/renovate PRs #16

Merged: topcoder1 merged 1 commit into main from chore/skip-claude-review-on-dependabot on May 1, 2026

@topcoder1
Owner

Problem

claude-code-action@v1 crashes when invoked on a dependabot PR with:

```
Internal error: directory mismatch for directory
"/home/runner/work/_actions/anthropics/claude-code-action/v1/tsconfig.json", fd 4
```

Verified across #7, #8, #9: 3/3 consecutive dependabot PRs, all FAILURE on `review / Claude Review`. Same action + same `@v1` succeeds on human-authored PRs (e.g. #11, #13, #15). The bug is specific to dependabot's restricted GITHUB_TOKEN scope, not the diff content.

Why "skip" not "fix"

Even when the action runs successfully on dep bumps, the value is low. Dependabot diffs are upstream version metadata, not project logic. Claude has no signal to add. The risk classifier still labels them (`risk:standard` / `risk:safe_deps`), and humans still see the diff at merge time. Skipping Claude review on bot-authored PRs is signal, not loss.

What this PR does

Adds a pre-check step that runs before `anthropics/claude-code-action@v1`:

```yaml
- name: Skip review for bot-authored PRs (dependabot/renovate)
  id: bot_check
  if: github.event.pull_request.user.login == 'dependabot[bot]' || ...renovate[bot]
  run: |
    gh pr comment "$PR" --body "Skipped: bot-authored PR ..."
    echo "skipped=true" >> "$GITHUB_OUTPUT"

- name: Claude Code Review
  if: ${{ steps.bot_check.outputs.skipped != 'true' }} # NEW
  uses: anthropics/claude-code-action@v1
```

The job stays green either way, so branch rulesets that require `review / Claude Review` are satisfied. Bot PRs get a one-line "Skipped" comment so reviewers know it ran.

After this lands

PRs #7, #8, #9 (the 3 stuck dependabot PRs in this repo) will turn green on next CI run and become eligible for the standard merge gate.

🤖 Generated with Claude Code

claude-code-action@v1 currently crashes when invoked on a dependabot
PR with the error:

  Internal error: directory mismatch for directory
  "/home/runner/work/_actions/anthropics/claude-code-action/v1/tsconfig.json", fd 4

Verified across #7, #8, #9 — three consecutive
dependabot PRs, all FAILURE on `review / Claude Review`. The same
action+version succeeds on human-authored PRs in the same repo, so
the bug is specific to dependabot's restricted GITHUB_TOKEN scope.

Even when the action does run on dep bumps, the value is low —
diffs are upstream version metadata, not project logic. The risk
classifier still labels them; humans still see the diff at merge
time. Skipping Claude review here is signal, not loss.

Implementation: a pre-check step posts a one-line "Skipped" PR
comment when the PR author is dependabot[bot] or renovate[bot],
sets a step output, and the claude-code-action step is gated on
that output. The job remains green so branch rulesets that require
`review / Claude Review` are satisfied.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
github-actions bot added the risk:blocked (Risk class: blocked) label May 1, 2026
Comment on lines +57 to +59
set -euo pipefail
gh pr comment "$PR" --body "Skipped: bot-authored PR (\`$ACTOR\`). Dependency bumps are reviewed by the risk classifier and human merge gate."
echo "skipped=true" >> "$GITHUB_OUTPUT"

Bug: skipped output never set if gh pr comment fails

With `set -euo pipefail`, if `gh pr comment` exits non-zero (transient error, rate-limit, or insufficient token permissions on a bot PR), the `echo "skipped=true"` line is never reached. Because Claude Code Review carries an explicit `if:` condition, GitHub Actions overrides the default `success()` guard and evaluates it anyway — `'' != 'true'` → `true` — so it runs on the bot PR and reproduces the original crash.

Fix: write the output before the comment, so the guard is set even when commenting fails.

Suggested change
set -euo pipefail
gh pr comment "$PR" --body "Skipped: bot-authored PR (\`$ACTOR\`). Dependency bumps are reviewed by the risk classifier and human merge gate."
echo "skipped=true" >> "$GITHUB_OUTPUT"
set -euo pipefail
echo "skipped=true" >> "$GITHUB_OUTPUT"
gh pr comment "$PR" --body "Skipped: bot-authored PR (\`$ACTOR\`). Dependency bumps are reviewed by the risk classifier and human merge gate."
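Review bot: in the reordered lines, `gh pr comment` is still the last command under `set -euo pipefail`, so a failed comment still fails the step and with it the job, which conflicts with the description's statement that the job stays green for rulesets requiring `review / Claude Review`. If the comment is informational only, make it non-fatal, for example `gh pr comment "$PR" --body "..." || echo "::warning::skip comment not posted"`, and keep the `echo "skipped=true"` line first.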

@claude

claude Bot commented May 1, 2026

Flagged 1 issue inline — echo "skipped=true" must come before gh pr comment so the guard is set even when commenting fails; as written, a transient comment failure causes Claude Review to run on the bot PR and reproduce the original crash.

@topcoder1 topcoder1 merged commit bd507f6 into main May 1, 2026
4 of 5 checks passed
@topcoder1 topcoder1 deleted the chore/skip-claude-review-on-dependabot branch May 1, 2026 22:28
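
The ordering problem discussed in the review, reproduced offline as an added example (not code from this PR): it reports the step's exit status and whether `skipped=true` reached `$GITHUB_OUTPUT` when the comment call fails. The stubbed `gh`, `run_step`, `GH_FAIL`, the `best_effort` variant and the sample values for `PR` and `ACTOR` are assumptions made for the illustration.

```shell
# Added illustration, not code from the PR. A stubbed gh() replaces the GitHub
# CLI so nothing touches the network; GH_FAIL=1 is a constructed failure.
PRELUDE='set -euo pipefail
gh() { [ "${GH_FAIL:-0}" != 1 ]; }'

# The two commands from the reviewed step body (comment text shortened).
COMMENT='gh pr comment "$PR" --body "Skipped: bot-authored PR ($ACTOR)"'
SET_OUTPUT='echo "skipped=true" >> "$GITHUB_OUTPUT"'

# run_step VARIANT GH_FAIL
# Runs one ordering in a fresh bash process, the way a `run:` block gets its own
# shell, then prints the exit status and the value written for `skipped`.
run_step() {
  case $1 in
    comment_first) body="$COMMENT
$SET_OUTPUT" ;;                         # order in the reviewed lines +57 to +59
    output_first)  body="$SET_OUTPUT
$COMMENT" ;;                            # order in the suggested change
    best_effort)   body="$SET_OUTPUT
$COMMENT || echo '::warning::skip comment not posted' >&2" ;;  # hypothetical variant
    *) return 2 ;;
  esac
  out=$(mktemp)                         # stands in for the runner's output file
  rc=0
  GITHUB_OUTPUT=$out PR=16 ACTOR='dependabot[bot]' GH_FAIL=$2 \
    bash -c "$PRELUDE
$body" || rc=$?
  skipped=$(sed -n 's/^skipped=//p' "$out")
  rm -f "$out"
  echo "exit=$rc skipped=${skipped:-unset}"
}

# Demo: every variant with the comment call failing.
for v in comment_first output_first best_effort; do
  printf '%-14s %s\n' "$v" "$(run_step "$v" 1)"
done
```

Only the `best_effort` ordering both records the output and leaves the step with exit status 0 when the comment cannot be posted.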