fix: specify ref, add timeout and continue-on-error

[zfarrell]

Adds ref: main to cross-repo checkout to skip default branch lookup, 15min timeout, and continue-on-error on the claude step so API failures don't block PRs.

[claude]

With continue-on-error: true, failures in the Claude step are silently swallowed — an expired API key or persistent outage would stop reviews from happening with no signal to the team. Consider adding a follow-up step that posts a PR comment when this step fails:

      - if: failure()
        run: gh pr comment ${{ github.event.pull_request.number }} --body "⚠️ Automated review unavailable (Claude step failed). Please review manually."
        env:
          GH_TOKEN: ${{ github.token }}

Non-blocking suggestion — the resilience intent is sound.

[claude]

The steps.review.outcome == 'cancelled' check is unreachable as written. When a job is cancelled, subsequent steps only run if the if: condition includes always(). Without it, this step is skipped entirely when the workflow is cancelled.

To actually catch the cancellation case:

Suggested change

	if: steps.review.outcome == 'failure' || steps.review.outcome == 'cancelled'
	if: always() && (steps.review.outcome == 'failure' || steps.review.outcome == 'cancelled')

[claude]

Minor: prefer passing the PR number via an env var rather than interpolating it inline into the shell command. pull_request.number is always an integer so there's no real injection risk here, but it's cleaner and consistent with GHA best practices.

Suggested change

	run: gh pr comment ${{ github.event.pull_request.number }} --body "Automated review unavailable (Claude step failed). Please review manually."
	run: gh pr comment "$PR_NUMBER" --body "Automated review unavailable (Claude step failed). Please review manually."

        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}