Merged
28 changes: 25 additions & 3 deletions .claude/skills/review-dependency-upgrade/SKILL.md
@@ -1,7 +1,7 @@
---
name: review-dependency-upgrade
description: Use this skill when the user asks to review, evaluate, or assess a dependency upgrade — e.g. "review this upgrade", "is bumping X from a.b.c to x.y.z safe?", "what breaks if I upgrade <pkg>?", "check this package bump". Covers pnpm/npm packages and github-actions. Researches breaking changes for every intermediate version and reports which ones actually impact the user's codebase. Also runs unattended on Dependabot PRs via GitHub Actions — no human in the loop.
version: 0.2.0
version: 0.2.1
---

# Review Dependency Upgrade
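Review bot: the bump from 0.2.0 to 0.2.1 presents this as a patch release, but the rest of the diff adds a new mandatory step (`### 6. Completion gate`) and changes what counts as a finished run (a failed `gh` post, which the old text told the agent to log and "exit without failing", now leaves the run incomplete). Anyone calling this skill from another workflow needs to re-read its exit behaviour, which is what a minor bump (0.3.0) would signal.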
@@ -21,7 +21,8 @@ When **not** in unattended mode (e.g. interactive chat), you may ask the user fo
- **Never ask the user for clarification, confirmation, or approval.** Not in chat, not as a PR comment question.
- **Never pause or offer choices** ("which PR?", "focus on one major?", "shall I continue?"). Decide and proceed.
- **Never modify the repo** — review and comment only (see Guidelines).
- **Always post the report** as a PR comment in unattended mode (see step 5).
- **Always post the report** as a PR comment in unattended mode (see step 5) — including when the verdict is `SAFE`, when the breaking-changes table is empty, and when you could not infer the upgrade target.
- **Posting is the final mandatory step.** Do not end the session after writing the report to stdout/logs only. A successful review with no PR comment is a failed run.

## Inputs to resolve

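Review bot: the new bullet requires a PR comment even "when you could not infer the upgrade target", but nothing in the diff says what that report contains. The only template added is the zero-breaking-changes row in step 4, whose verdict is `Safe`, and an agent that cannot determine `to` must not be able to arrive at `SAFE`. Add an explicit verdict and table row for the unresolved-target case (a row stating that the target could not be determined, with a non-SAFE verdict) so the unattended run can never post a green result for an upgrade it did not actually research.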
@@ -122,10 +123,22 @@ Rules for the table:

Keep it tight. The report should answer: _does this upgrade break my code, and if so, where?_ Don't pad with general advice or upgrade-process boilerplate.

**Zero breaking changes:** If research finds no documented breaking changes between `from` and `to`, still post the full report with verdict `SAFE` and exactly one table row:

| — | No documented breaking changes between \<from\> and \<to\> | Safe | — | — |

Do not skip posting because "there is nothing to say".

### 5. Post to GitHub PR

In **unattended mode**, always post the report as a PR comment and echo it in the action output. In interactive mode, post when a PR is associated with the review (see below); otherwise deliver the report in chat only.

**Use only CI-allowed tools for posting:**

- Write the report body with the `Write` tool to `/tmp/dep-review-<pkg>.md` — do not use `Bash` to create the file.
- Resolve PR metadata with `gh pr view` or `Read` on `$GITHUB_EVENT_PATH` — do not `cat` env files via `Bash`.
- Post with `gh pr comment <number> --body-file /tmp/dep-review-<pkg>.md` and confirm exit code 0.

**Resolve the PR** (no user prompts in unattended mode):

1. `gh pr view --json number,url,headRefName,title,state` on the current branch.
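Review bot: the fixed path `/tmp/dep-review-<pkg>.md` in the "CI-allowed tools" list breaks for scoped npm packages, which the description says this skill covers: a name such as `@scope/name` produces `/tmp/dep-review-@scope/name.md`, a nested path whose directory does not exist, so the `Write` fails and `gh pr comment --body-file` has nothing to post. Either tell the agent to normalise `<pkg>` (replace `/` and `@`) or key the file on the PR number instead, e.g. `/tmp/dep-review-<number>.md`, which is already resolved via `gh pr view` in the same step.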
@@ -141,12 +154,21 @@ gh pr comment <number> --body-file <tmpfile>

Write the report body to a temp file first (e.g. via `Write` to `/tmp/dep-review-<pkg>.md`) rather than passing the entire body as a `--body` argument — this avoids shell-escaping issues with the markdown table.

If `gh` is unavailable or unauthenticated, output the report to the action log and exit without failing.
If `gh pr comment` fails (non-zero exit, permission denied, or auth error), retry once with a fresh `/tmp/` file. If it still fails, output the full report to the action log with a prominent `## POST FAILED` header including the `gh` stderr — do not treat the run as complete.

**Skip posting only when:**

- The PR is closed or merged — output the report to the action log and note the PR state in the log.

### 6. Completion gate (unattended mode only)

Before ending, verify one of:

- ✅ `gh pr comment` succeeded (exit code 0), or
- ✅ PR is closed/merged and you logged why posting was skipped.

If neither is true, you are not done — go back to step 5.

## Guidelines

- **Don't run the upgrade.** This skill reviews; it does not modify `package.json`, `pnpm-lock.yaml`, workflow files, or install packages.
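Review bot: the completion gate has no terminal state for a persistent post failure. The rewritten failure paragraph says that after one retry the agent logs `## POST FAILED` and must "not treat the run as complete", while step 6 accepts only a successful `gh pr comment` or a closed/merged PR and otherwise sends the agent "back to step 5", which fails identically when `gh` is unauthenticated (the case the deleted line used to handle). Make "POST FAILED logged after one retry" a third, explicitly failing exit, and note that none of these instructions cause the Actions step itself to fail: the gate is advice to the model, so an abandoned or looping run still leaves the job green unless the workflow checks for the comment afterwards.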
20 changes: 13 additions & 7 deletions .github/workflows/claude_review_dependabot.yml
@@ -32,31 +32,37 @@ jobs:
fetch-depth: 0

# Headless CI cannot answer permission prompts — pre-allow everything the
# review-dependency-upgrade skill needs (web research, /tmp report, gh).
# review-dependency-upgrade skill needs (web research, codebase search, gh).
- name: Run Claude Code Action (review)
uses: anthropics/claude-code-action@64de744025ca9e24df2b88204b4f1e968f39f009 # v1.0.139
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
github_token: ${{ github.token }}
track_progress: ${{ github.event.action == 'opened' }} # track_progress only supports opened/synchronize/ready_for_review/reopened
allowed_bots: dependabot[bot]
prompt: /review-dependency-upgrade
claude_args: |
--model claude-sonnet-4-6
--allowedTools "WebFetch"
--allowedTools "WebSearch"
--allowedTools "Read"
--allowedTools "Glob"
--allowedTools "Grep"
--allowedTools "Write(/tmp/**)"
--allowedTools "Bash(gh pr view:*)"
--allowedTools "Bash(gh pr diff:*)"
--allowedTools "Bash(gh pr comment:*)"
--allowedTools "Bash(gh pr:*)"
--allowedTools "Bash(git diff:*)"
settings: |
{
"permissions": {
"allow": [
"WebFetch",
"WebSearch",
"Read",
"Glob",
"Grep",
"Write(/tmp/**)",
"Bash(gh pr view:*)",
"Bash(gh pr diff:*)",
"Bash(gh pr comment:*)"
"Bash(gh pr:*)",
"Bash(git diff:*)"
]
}
}
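Review bot: replacing `Bash(gh pr view:*)`, `Bash(gh pr diff:*)` and `Bash(gh pr comment:*)` with `Bash(gh pr:*)` (in both `claude_args` and `settings.permissions.allow`) grants every `gh pr` subcommand, including `gh pr merge`, `gh pr close`, `gh pr review --approve`, `gh pr edit` and `gh pr checkout`, the last of which rewrites the working tree the skill promises never to modify. The agent reads third-party changelogs through `WebFetch` and `WebSearch`, so a prompt-injected run would be able to approve or merge the very Dependabot PR it is reviewing with `github.token`, limited only by whatever scopes the job's `permissions:` block (not in this diff) grants that token. The hunk's own comment justifies the change with "web research, codebase search, gh", and the SKILL.md changes in this PR use nothing beyond `gh pr view`, `gh pr diff` and `gh pr comment`, so keep the three explicit entries and add only `Bash(git diff:*)`. Separately, the allow list is now maintained twice, in `claude_args` and in `settings`; keep one copy so they cannot drift.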