Feature request: allow-bots should support specifying individual bot accounts #86

@Hirochon

Feature Request

Problem

The current allow-bots input is a boolean that either allows all bots or blocks all bots. This makes it impossible to permit only specific trusted bots (e.g., dependabot[bot], renovate[bot]) while blocking unknown or untrusted bot accounts.

For comparison, anthropics/claude-code-action provides an allowed_bots parameter that accepts a comma-separated list of bot usernames:

allowed_bots: "dependabot[bot],renovate[bot]"

Current Workaround

The current workaround is to set allow-bots: true and add a job-level if condition to filter specific bots:

jobs:
  codex-review:
    if: |
      (github.event_name == 'pull_request' && (
        github.event.pull_request.user.type != 'Bot' ||
        contains(fromJSON('["dependabot[bot]","renovate[bot]"]'), github.event.pull_request.user.login)
      )) ||
      ...

This works but is verbose and error-prone compared to a built-in parameter.

Proposed Solution

Allow allow-bots to accept either:

  • A boolean (true/false) for backwards compatibility
  • A comma-separated list of bot usernames for granular control

Example:

allow-bots: "dependabot[bot],renovate[bot]"

This would align with the approach already taken by claude-code-action's allowed_bots parameter, providing a consistent pattern across GitHub Actions for AI code review.
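
One way the proposed dual-mode input could be parsed, as an added example that is not part of the original issue or the action's own code. The function names `parseAllowBots` and `passesBotGate`, the fail-closed handling of empty values, and the case-insensitive login comparison are assumptions.

```javascript
// Added example (hypothetical helpers, not the action's real implementation).
// Parses an `allow-bots` input that may be "true", "false", or a
// comma-separated list of bot logins, then gates a pull request author.

function parseAllowBots(raw) {
  const value = String(raw ?? "").trim();
  const lowered = value.toLowerCase();
  // Unset or "false": block every bot (fail closed).
  if (value === "" || lowered === "false") return { mode: "none", logins: new Set() };
  // "true": legacy behaviour, every bot is allowed.
  if (lowered === "true") return { mode: "all", logins: new Set() };
  // Anything else is treated as a list; entries are trimmed and lower-cased
  // (assumption: logins are compared case-insensitively).
  const logins = new Set(
    value.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0)
  );
  // A value made only of separators (",,") yields no names: fail closed.
  return logins.size === 0 ? { mode: "none", logins } : { mode: "list", logins };
}

// `actor` mirrors github.event.pull_request.user: { login, type }.
function passesBotGate(policy, actor) {
  if (!actor || typeof actor.login !== "string") return false;
  // Assumption: this input only governs accounts whose type is "Bot";
  // human authors are subject to the action's other permission checks.
  if (actor.type !== "Bot") return true;
  if (policy.mode === "all") return true;
  if (policy.mode === "none") return false;
  // Exact match on the whole login, never a substring or prefix test,
  // so a look-alike name does not inherit a trusted bot's access.
  return policy.logins.has(actor.login.toLowerCase());
}

// Constructed sample input, for illustration only.
const policy = parseAllowBots("dependabot[bot], renovate[bot]");
const samples = [
  { login: "dependabot[bot]", type: "Bot" },
  { login: "unknown-helper[bot]", type: "Bot" },
  { login: "octocat", type: "User" },
];
for (const actor of samples) {
  console.log(actor.login, passesBotGate(policy, actor) ? "allowed" : "blocked");
}
```
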
