Fix: claude-code-action tool permissions in agent_fix-obi workflow

[skl]

Problem

The agent_fix-obi workflow (used to auto-fix OBI submodule CI failures) was failing on PR #2548 because all Bash tool calls were being denied. The agent hit the 30-turn limit (error_max_turns) without making any progress.

Root Cause

Tool permissions were configured via --allowedTools in claude_args, but the Claude Code SDK's allowedTools parameter does not support Bash(X) pattern matching (e.g., Bash(gh), Bash(go)). The patterns were parsed into the SDK array but failed at runtime, causing all Bash calls to be rejected.

Solution

Moved tool permissions to the settings input where Claude Code's own permission system properly supports Bash(X) pattern matching. Also added mcp__github_file_ops MCP server permissions required for commit signing.

Testing

This fix enables the workflow to properly grant Bash tool access when triggered on future OBI submodule update PRs.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.68%. Comparing base (5608c61) to head (9dd632b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2549   +/-   ##
=======================================
  Coverage   48.68%   48.68%           
=======================================
  Files          53       53           
  Lines        4028     4028           
=======================================
  Hits         1961     1961           
  Misses       1933     1933           
  Partials      134      134           

Flag	Coverage Δ
unittests	48.68% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.