claude-code-review: allow the github-actions bot to dispatch reviews

[d-morrison]

Why

On #34, the latest push got no review. Root cause, traced through the run logs:

1. The push (an @claude "Address PR Add reusable PR-preview/publish workflow family #34 review" commit) triggered two reviews in the same concurrency group claude-review-34:
   • the automatic pull_request / synchronize review (run #84), and
   • claude.yml's explicit workflow_dispatch re-dispatch (run #85), kicked off by gh workflow run as github-actions[bot].
2. The review workflow's concurrency is keyed only on PR number with cancel-in-progress: true, so run #85 entering the group cancelled the in-progress run #84 (which had been doing the actual review).
3. Run #85 — the survivor that should have posted the review — then failed in ~6s at the action's actor gate:

   Workflow initiated by non-human actor: github-actions (type: Bot). Add bot to allowed_bots list or use '*' to allow all bots.

claude-code-action's agent mode (which workflow_dispatch uses, since track_progress is false for dispatched runs) blocks bot actors by default, and claude-code-review.yml never set allowed_bots. So every bot-dispatched review failed this gate — and on the way out, cancelled the parallel auto-review. Net: no review on the push.

What

• Fix: set allowed_bots: 'github-actions[bot]' on the Run Claude Code Review step. This is the input the error message points at; the matcher lowercases and strips [bot] from both sides, so this value matches the github-actions[bot] dispatcher. Scoped to the one bot that legitimately dispatches us — the job if: already filters bot actors out of the automatic pull_request path, and the dispatch path is only reachable via claude.yml's trusted-author gate (or a manual dispatch needing write access).
• Accuracy: corrected the "Review canceled" note and the concurrency/cancel comments, which blamed cancellations solely on "a newer commit" — a re-dispatched review of the same PR supersedes a running one too.
• CHANGELOG: recorded under Unreleased → Fixed.

With allowed_bots in place, a push that fires both triggers resolves cleanly: the later run posts the current review and the collapse/cancel steps fold the other as OUTDATED — one visible review per push.

Scope note

I deliberately did not try to suppress the double-trigger itself. The unconditional re-dispatch in claude.yml is intentional belt-and-suspenders: a GITHUB_TOKEN push (or a GitHub-App-token push) fires no usable synchronize, so the dispatch is the only review path in those cases. claude.yml can't reliably tell which token/sender produced the push, so suppressing the dispatch would risk dropping reviews entirely. Once the dispatched run can run (this PR), the existing per-PR concurrency dedupe does the right thing.

Testing

claude-code-review.yml isn't in _selftest.yml (it needs a live PR + the OAuth token) and this repo dogfoods it via @v1, so the change takes effect for this repo only once v1 is moved. YAML validated locally; edits are limited to one new input, comments, a message string, and the CHANGELOG.

🤖 Generated with Claude Code

---

Generated by Claude Code

[claude]

Claude finished @d-morrison's task in 3m 8s —— View job

---

Code Review — PR #36

• Read changed files
• Analyze changes
• Post findings

---

Verdict: LGTM. Both changes are correctly targeted, minimal in scope, and well-documented.

allowed_bots: 'github-actions[bot]' — .github/workflows/claude-code-review.yml:214

Fix is exactly right. The if: gate already prevents bot actors from entering via the pull_request path (github.event.sender.type != 'Bot' and !endsWith(github.actor, '[bot]')), so this input only widens the workflow_dispatch path — which is itself only reachable via claude.yml's trusted-author gate or a manual dispatch requiring write access. Scope is as tight as it can be.

The 13-line inline comment explaining the rationale is warranted here; the failure mode (dispatched run cancels the auto-review and then silently dies) is non-obvious and worth documenting at the call site.

Collapse step ungating — .github/workflows/claude-code-review.yml:232

Removing && github.event_name == 'pull_request' from the collapse condition is the correct follow-on: before this PR, dispatched runs always failed at the bot gate so the gap was moot; after this PR, a dispatched run that wins the concurrency race would leave earlier reviews un-folded without this change. The run_id → path matching in the shell loop is identical on dispatched runs — github.workflow_ref in a reusable-workflow context refers to the calling workflow, which is the same path gh api …/actions/runs/$RUN_ID --jq '.path' returns for prior runs of the same caller. No correctness issues.

The parenthetical at lines 228–230 correctly frames the residual: if agent mode omits the actions/runs/<id> link from the dispatched run's own comment body, that comment isn't matched and won't be folded on the next review. "Smaller residual than folding nothing" is the right trade-off statement.

Cancel-note wording — .github/workflows/claude-code-review.yml:281

Updated wording is more accurate than the old tautology ("superseded it — usually because a newer commit superseded it"). ✓

CHANGELOG — CHANGELOG.md:44–56

Both bullets are accurate and cover the two distinct changes (the allowed_bots fix and the collapse-step ungating). Prose is clear.

---

No blocking issues. The prior review's flagged gap (collapse step being pull_request-only) is addressed here.