Address review feedback on auto-fix-ci workflow robustness and security

[Copilot]

Addresses review comments on PR #28 regarding null safety, security, and code quality in the auto-fix-ci workflow.

Changes

Security

• Restrict Bash tool from git:* wildcard to explicit commands: git commit:*, git push:*, git status:*, git diff:*
• Properly quote claude_args parameter to prevent shell escaping issues

Null Safety

• Centralize PR number extraction in pr_check step with validation
• Add JSON.parse() error handling for step outputs
• Check for 'undefined' and 'null' string literals from GitHub Actions expressions

Code Quality

• Document magic numbers: 50000 char limit (Claude context window), 3-commit lookback (loop prevention)
• Replace template literals with array.join() for consistent comment formatting
• Remove unused git identity configuration (handled by Claude Code Action)
• Fix trailing whitespace

Example: Improved null safety

// Before
const prNumber = ${{ github.event.workflow_run.pull_requests[0].number }};

// After - validated once, reused everywhere
const pullRequests = ${{ toJSON(github.event.workflow_run.pull_requests) }};
if (!pullRequests || pullRequests.length === 0) {
  return { isOpen: false, prNumber: null };
}
// ...later steps use fromJSON(steps.pr_check.outputs.result).prNumber

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[github-actions]

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by just posting a Pull Request Comment same as the below format.

---

I have read the CLA Document and I hereby sign the CLA

---

_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.}