Fix GitHub token handling #9

Merged
tarmojussila merged 6 commits into main from bugfix/github-token-handling
Feb 22, 2026

Conversation

@tarmojussila tarmojussila commented Feb 22, 2026

This pull request updates the GitHub Action workflow and documentation to improve clarity and ensure compatibility with the latest versions of the Z.ai code review action. The most important changes include renaming the workflow file, updating action versions, and enhancing documentation for easier setup.

Workflow and Action Version Updates:

  • Renamed the workflow file from .github/workflows/ai-review.yml to .github/workflows/code-review.yml for clearer naming and consistency in documentation.
  • Updated the Z.ai code review action version in the workflow file from main to v0.1.0, ensuring stable and versioned usage.

Documentation Improvements:

  • Revised the README to reference the new workflow file name and improved example configuration, making setup instructions more accurate and user-friendly.

Configuration Enhancement:

  • Added a default value for the GITHUB_TOKEN input in action.yml, simplifying usage and reducing potential configuration errors.

@tarmojussila tarmojussila changed the title Fix GitHub token handling and update version Fix GitHub token handling Feb 22, 2026

github-actions bot commented Feb 22, 2026

Z.ai Code Review

Bugs & Logic Errors

  1. Invalid Default Syntax in action.yml

    • Issue: You cannot use ${{ github.token }} as a default value in action.yml. The default property expects a static string or boolean and does not support runtime context interpolation.
    • Impact: The action will likely receive the literal string "${{ github.token }}" instead of the actual secret, breaking API access.
    • Fix: Remove the default from action.yml. Instead, handle the fallback logic inside your Node.js code (dist/index.js) by checking process.env.GITHUB_TOKEN or github.context.token if the input is empty.
  2. Potential Missing Token in Internal Workflow

    • Issue: In .github/workflows/code-review.yml, you are updating the version to @bugfix/github-token-handling, but you are not explicitly passing GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} in the with: block.
    • Impact: Since the action.yml default is invalid (see point #1), this workflow will likely execute without a token, failing to post comments or read PR data.

Improvements & Best Practices

  1. Pin Action Version in README

    • Issue: The README.md example instructs users to use tarmojussila/zai-code-review@main.
    • Impact: Using the @main branch is dangerous for production environments because future commits to main could break the user's workflow unexpectedly.
    • Fix: Recommend users pin to a specific release tag (e.g., @v1.0.0) or a commit SHA in the documentation.
  2. Workflow Cleanup

    • Ensure that .github/workflows/code-review.yml is updated back to a stable branch reference (e.g., @main or a tag) once the bugfix/github-token-handling branch is merged and verified. Using a feature branch name in a workflow creates dependency debt.
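
The in-code fallback suggested in the review comment above, sketched as an added example (not code from this repository or from the Z.ai action). It assumes the input is named GITHUB_TOKEN, so the runner exposes it as the INPUT_GITHUB_TOKEN environment variable; `resolveToken` is a hypothetical helper name.

```javascript
// Added example, not the action's own code. Assumption: the input is named
// GITHUB_TOKEN, so the runner exposes it as INPUT_GITHUB_TOKEN.

// A workflow expression that reached the process as literal text.
const UNEXPANDED = /\$\{\{.*?\}\}/;

// resolveToken is a hypothetical helper. It returns the first usable token
// and where it came from, and throws if no candidate is usable. The token
// value never appears in the error message or in the skipped list.
function resolveToken(env) {
  const candidates = [
    ['input', env.INPUT_GITHUB_TOKEN],
    ['env', env.GITHUB_TOKEN],
  ];
  const skipped = [];
  for (const [source, raw] of candidates) {
    const value = (raw || '').trim();
    if (value === '') {
      skipped.push(`${source}: empty`);
    } else if (UNEXPANDED.test(value)) {
      skipped.push(`${source}: unexpanded expression`);
    } else {
      return { token: value, source, skipped };
    }
  }
  throw new Error(`No usable GitHub token (${skipped.join('; ')})`);
}

// Constructed sample environments, not real tokens.
const samples = [
  { INPUT_GITHUB_TOKEN: ' constructed-input-token ' },
  { INPUT_GITHUB_TOKEN: '${{ github.token }}', GITHUB_TOKEN: 'constructed-env-token' },
  {},
];
for (const env of samples) {
  try {
    const { source, skipped } = resolveToken(env);
    console.log(`token from ${source}; skipped: [${skipped.join(', ')}]`);
  } catch (err) {
    console.log(err.message);
  }
}
```

Failing closed with a message that names only the source keeps a missing or malformed token from turning into unauthenticated API calls or a leaked value in the job log.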

@tarmojussila tarmojussila merged commit 5a5e3d0 into main Feb 22, 2026
1 check passed
@tarmojussila tarmojussila deleted the bugfix/github-token-handling branch February 22, 2026 20:03