Add code-review action and fix security-review comment posting

[taylordowns2000]

• Add issues:write permission to security-review (was preventing Claude
  from posting sticky comments via the issues API)
• Change fallback step to if: always() so a comment is guaranteed on
  every run, not just failures
• Add new code-review.yml workflow that invokes the /review skill via
  claude-code-action on every non-draft PR

https://claude.ai/code/session_018DKHSmTKWSyWR4iP4tPgcP

[github-actions]

Code Review

⚠️ The review completed but no findings comment was posted.

See the workflow run for the raw Claude output.

[github-actions]

Security Review

⚠️ Automated security review did not complete.

Claude hit the max-turns limit or encountered an error before posting findings.
A manual review of S0 (project-scoped data access), S1 (authorization policies),
and S2 (audit trail coverage) is recommended for this PR.

See the workflow run for details.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.62%. Comparing base (f8a1f0b) to head (068367d).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4638      +/-   ##
==========================================
- Coverage   89.63%   89.62%   -0.01%     
==========================================
  Files         444      444              
  Lines       21558    21558              
==========================================
- Hits        19324    19322       -2     
- Misses       2234     2236       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.