
Allow renovate and dependabot for Claude PR reviews#692

Merged
stmh merged 1 commit into main from claude/allow-bots-pr-reviews-oh6tM
Jan 24, 2026

Conversation


@stmh stmh commented Jan 24, 2026

Add allowed_bots configuration to claude-code-review.yml to permit dependency update bots to trigger automated code reviews.

@stmh stmh merged commit 3903f2b into main Jan 24, 2026
24 checks passed

claude bot commented Jan 24, 2026

Code Review

Summary

This PR adds the allowed_bots configuration to the Claude Code Review workflow, enabling automated reviews for pull requests created by Renovate and Dependabot.

✅ Positive Aspects

  1. Strategic Value: Given that Renovate is actively configured in this repository (renovate.json) and has created multiple dependency update PRs (chore(deps): update rust crate sysinfo to 0.38 #691, chore(deps): update rust crate reqwest to 0.13.0 #656, fix(deps): update rust crate oauth2 to v5 #593, chore(deps): update rust crate init-tracing-opentelemetry to 0.34.0 #255), enabling automated reviews for bot PRs is practical and helpful.

  2. Syntax: The configuration syntax is correct ('renovate,dependabot' as a comma-separated string).

  3. Consistency: Aligns with the existing workflow's automation goals by extending review coverage to dependency updates.

  4. Minimal Change: Single-line addition with clear intent - follows the principle of minimal, focused changes.

🤔 Considerations & Suggestions

  1. Documentation: Consider adding a comment explaining why these bots are allowed, for future maintainers:

    # Allow dependency update bots to receive automated code reviews
    allowed_bots: 'renovate,dependabot'
  2. Automerge Interaction: The renovate.json config includes automerge rules for patch updates (lines 111-117). Consider whether Claude reviews should block automerge, or if certain update types should bypass review entirely.

  3. Review Value for Dependencies: Automated code reviews are most valuable for code changes. For dependency updates (especially lockfile-only changes), the review might be less actionable. Consider:

    • Does the review provide value for simple dependency bumps?
    • Should the workflow filter by file paths to exclude lockfile-only changes?
    • Would it be better to only review dependency PRs that include breaking changes?
  4. Bot Naming: Verify the exact bot login names:

    • Renovate appears as app/renovate in your PR list
    • The action might expect just renovate or might need app/renovate
    • Testing with an actual bot PR would confirm the correct format
  5. Rate Limiting: Multiple active Renovate PRs exist. If many are opened/synchronized simultaneously, this could trigger multiple Claude reviews. Ensure this aligns with your Claude Code API usage expectations.

🔒 Security & Best Practices

  • Security: ✅ No security concerns - only extends review functionality
  • Permissions: ✅ No permission changes needed
  • Testing: Consider testing with an actual Renovate PR to verify the bot name matching works as expected

📝 Recommendation

LGTM with suggestions. The change is sound, but I recommend:

  1. Test with an actual bot PR (e.g., chore(deps): update rust crate sysinfo to 0.38 #691) to confirm the bot name matching works
  2. Add a clarifying comment
  3. Consider whether all dependency PRs need automated review, or if you should add path filters

If the goal is to catch breaking changes in dependencies, this is a good addition. If lockfile-only updates are automerged anyway, you might want to refine the trigger conditions.


🤖 Automated review by Claude Code
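As an added illustration, not code from this repository or from claude-code-action, the two open questions in the review above (which spelling of the bot login the allow-list should match, and whether lockfile-only bumps deserve a review at all) are modeled below as a small gating function run over a constructed pull_request event payload. The normalization of `app/renovate` and `renovate[bot]` to a bare slug, the set of lockfile names, and the in-repo check for bot PRs are assumptions of this example, not documented behaviour of the action.

```python
"""Gate an automated PR review on the bot author's login and the changed paths.

Constructed example; it is not the claude-code-action implementation.
"""
import json
from dataclasses import dataclass

# Same value the PR adds to the workflow: a comma-separated allow-list.
ALLOWED_BOTS = "renovate,dependabot"

# Assumed set of files a dependency bump can touch without any source change.
LOCKFILE_NAMES = {"Cargo.lock", "package-lock.json", "yarn.lock", "pnpm-lock.yaml", "poetry.lock"}


def normalize_bot_login(login: str) -> str:
    """Reduce the spellings a GitHub App login appears under to the bare app slug.

    Event payloads carry "renovate[bot]"; the PR list UI shows "app/renovate".
    Both forms are assumed here; the action's own matching rule is not on the page.
    """
    name = login.strip().lower()
    if name.startswith("app/"):
        name = name[len("app/"):]
    if name.endswith("[bot]"):
        name = name[:-len("[bot]")]
    return name


def parse_allowed_bots(setting: str) -> set[str]:
    """Parse the comma-separated allowed_bots string into normalized slugs."""
    return {normalize_bot_login(part) for part in setting.split(",") if part.strip()}


def make_event(login: str, user_type: str = "Bot", number: int = 1, fork: bool = False) -> str:
    """Build a constructed pull_request event payload in the shape GitHub sends."""
    head_repo = "example/repo-fork" if fork else "example/repo"
    return json.dumps({
        "action": "opened",
        "pull_request": {
            "number": number,
            "user": {"login": login, "type": user_type},
            "head": {"repo": {"full_name": head_repo}},
            "base": {"repo": {"full_name": "example/repo"}},
        },
    })


@dataclass
class Decision:
    review: bool
    reason: str


def should_review(event_json: str, changed_files: list[str], allowed_bots: str = ALLOWED_BOTS) -> Decision:
    """Decide whether the review job should run for this event."""
    pr = json.loads(event_json)["pull_request"]
    user = pr["user"]

    # Human-authored PRs are always reviewed; only bots go through the allow-list.
    if user.get("type") == "Bot":
        if normalize_bot_login(user["login"]) not in parse_allowed_bots(allowed_bots):
            return Decision(False, f"bot '{user['login']}' is not in allowed_bots")
        # Extra check, an assumption of this example: Renovate and Dependabot push
        # in-repo branches, so a bot PR arriving from a fork is not one of theirs.
        if pr["head"]["repo"]["full_name"] != pr["base"]["repo"]["full_name"]:
            return Decision(False, "bot PR comes from a fork")

    # Lockfile-only bumps give an LLM reviewer nothing actionable; skip them.
    if changed_files and all(path.rsplit("/", 1)[-1] in LOCKFILE_NAMES for path in changed_files):
        return Decision(False, "lockfile-only change")

    return Decision(True, f"review PR #{pr['number']} from {user['login']}")


if __name__ == "__main__":
    sample = make_event("renovate[bot]", number=691)
    print(should_review(sample, ["Cargo.toml", "Cargo.lock"]))
    print(should_review(sample, ["Cargo.lock"]))
    print(should_review(make_event("some-other[bot]"), ["src/main.rs"]))
```

The same gating can be expressed as a job-level `if:` on `github.event.pull_request.user.login` plus a `paths-ignore` filter in the workflow once the exact login format the action expects has been confirmed with a real bot PR, as the review suggests. One caveat for the Dependabot half of the allow-list: a workflow run triggered by a Dependabot-authored pull_request event receives Dependabot secrets rather than repository secrets and a read-only GITHUB_TOKEN, so the API key the review step needs must also be stored as a Dependabot secret or the review will fail before the allow-list is ever consulted.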
