security: add persist-credentials false to checkout step

Prevent GITHUB_TOKEN from being stored in .git/config when
checking out PR code in pull_request_target workflows. This
is a security best practice to prevent untrusted code from
potentially accessing stored credentials.

While the Claude Code action doesn't execute arbitrary PR code,
this follows defense-in-depth security principles to minimize
attack surface when handling untrusted code from forks.
LUIS NOVO 2026-01-13 18:47:36 -03:00
parent faa652dce7
commit 21b6809277
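As an added illustration (not part of this commit or the project), the script below shows what `persist-credentials` actually controls and gives a check a practitioner can run after checkout. actions/checkout with `persist-credentials: true` stores the token in the repository's local git config as an `http.<server>.extraheader` entry of the form `AUTHORIZATION: basic base64("x-access-token:<token>")`; with `persist-credentials: false` that entry is never written. The demo builds a throwaway `.git/config` by hand that mirrors that layout (the token and repository path are constructed placeholders), checks it, strips the header, and checks again.

```shell
#!/usr/bin/env sh
# Added example, not code from the commit above.
# Checks a checkout for a persisted GitHub token and demonstrates the
# difference between persist-credentials: true and false.

# Return 0 if no AUTHORIZATION extraheader is present in $1/.git/config,
# 1 (and print the offending line to stderr) if one is found.
check_no_persisted_credentials() {
    cfg="$1/.git/config"
    [ -f "$cfg" ] || return 0
    # actions/checkout writes the token under an [http "<server>/"] section
    # as: extraheader = AUTHORIZATION: basic <base64>
    found=$(grep -iE '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION' "$cfg" || true)
    if [ -n "$found" ]; then
        echo "persisted credential in $cfg: $found" >&2
        return 1
    fi
    return 0
}

# Build a constructed .git/config in the shape actions/checkout leaves behind
# when persist-credentials is true, then remove the header as a false setting
# would.  Prints "<state before> <state after>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/.git"
    fake_token="ghs_constructed_example_token"           # placeholder, not a real secret
    basic=$(printf 'x-access-token:%s' "$fake_token" | base64 | tr -d '\n')
    cat > "$tmp/.git/config" <<EOF
[core]
	repositoryformatversion = 0
[remote "origin"]
	url = https://github.com/example-org/example-repo
[http "https://github.com/"]
	extraheader = AUTHORIZATION: basic $basic
EOF
    if check_no_persisted_credentials "$tmp" 2>/dev/null; then before=clean; else before=leaked; fi

    # What the config looks like with persist-credentials: false
    # (or after a post-job cleanup that unsets the extraheader).
    grep -v 'extraheader' "$tmp/.git/config" > "$tmp/.git/config.new"
    mv "$tmp/.git/config.new" "$tmp/.git/config"
    if check_no_persisted_credentials "$tmp" 2>/dev/null; then after=clean; else after=leaked; fi

    rm -rf "$tmp"
    echo "$before $after"
}
```

In a real workflow the equivalent one-liner after the checkout step is `git config --local --get-regexp '^http\..*\.extraheader$'`, which should print nothing when `persist-credentials: false` is in effect. Note that this only covers the copy of the token in `.git/config`; any token or secret passed to a later step via `env:` or `with:` is a separate matter.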

@ -33,6 +33,7 @@ jobs:
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 1
persist-credentials: false
- name: Run Claude Code Review
id: claude-review
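Review bot: `persist-credentials: false` on this checkout only keeps the token out of `.git/config`; the hunk shows nothing about the job's `permissions:` or what the `Run Claude Code Review` step receives, and under `pull_request_target` that step still runs with the base repository's token and whatever secrets are passed to it, so the real control is the assumption in the commit message that the action never executes files from the `ref: ${{ github.event.pull_request.head.sha }}` checkout. Suggest recording that assumption in a comment beside the `ref:` line and confirming the job's `permissions:` block is the minimum the review step needs, since a reader of this workflow cannot tell from these lines alone why checking out fork code here is safe.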