feat: add allowed tools and permissions for Claude fixer

- Added claude_args to restrict tools to: npm, git, gh pr commands, Read, Edit, Write, Grep, Glob
- Added actions: read permission to allow Claude to check CI results
- Added additional_permissions parameter for Claude Code Action

This ensures Claude has the necessary tools to:
- Run npm install and npm test
- Make git commits with fixes
- Query PR information via gh CLI
- Read/edit/write files for code fixes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Signed-off-by: Lars Trieloff <[email protected]>

Author: claude

.github/workflows/claude-renovate-fixer.yaml

@@ -9,6 +9,7 @@ permissions:
   pull-requests: write
   issues: write
   id-token: write
+  actions: read  # Allow reading CI results
 
 jobs:
   claude-fix:
@@ -23,6 +24,9 @@ jobs:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           github_token: ${{ secrets.ADOBE_BOT_GITHUB_TOKEN }}
           allowed_bots: "renovate"
+          additional_permissions: |
+            actions: read
+          claude_args: '--allowed-tools "Bash(npm:*),Bash(git:*),Bash(gh pr:*),Read,Edit,Write,Grep,Glob"'
           prompt: |
             You are helping to automatically fix issues in Renovate dependency update PRs for the helix-cli project.