Add Squid proxy network restrictions for claude-code-action (#259)

* feat: add Squid proxy network restrictions to Claude workflow

Implements URL whitelisting for GitHub Actions to prevent unauthorized network access.
Only allows connections to:
- Claude API (anthropic.com)
- GitHub services
- Package registries (npm, bun)
- Azure blob storage for caching

Uses NO_PROXY for package registries to avoid integrity check issues.

* test: add network restrictions verification test

* test: simplify network restrictions test output

* refactor: make network restrictions opt-in and move to examples

- Removed network restrictions from .github/workflows/claude.yml
- Added network restrictions to examples/claude.yml as opt-in feature
- Changed from DISABLE_NETWORK_RESTRICTIONS to ENABLE_NETWORK_RESTRICTIONS
- Added support for CUSTOM_ALLOWED_DOMAINS repository variable
- Organized whitelist by provider (Anthropic, Bedrock, Vertex AI)
- Removed package registries from whitelist (already in NO_PROXY)

Users can now enable network restrictions by setting ENABLE_NETWORK_RESTRICTIONS=true
and configure additional domains via CUSTOM_ALLOWED_DOMAINS.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Minor bun format

* test: simplify network restrictions test

- Reduce to one allowed and one blocked domain
- Remove slow google.com test
- Fix TypeScript errors with AbortController
- Match test formatting conventions

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Move network restrictions to actions.yml + show custom domains in the examples folder

* Simplify network restrictions -- Move it to actions, remove extended examples in claude.yml and move them to readme

* Remove unnecessary network restrictions test and update readme + action.yml with no default domains and respective instructions in the readme

* Update README with common domains

* Give an example of network restriction in claude.yml

* Remove unnecesssary NO_PROXY as packages are installed beforehand

* Remove proxy example -- it's intuitive for users to figure it out

* Update potential EOF not being treated as a string issue

* update claude.yml to test

* Update example allowed_domains with tested domains for network restrictions

* change to experimental allowed domains and add `.blob.core.windows.net` to use cached bun isntall

* Update remaining allowed_domains references to experimental_allowed_domains

* Reset claude.yml to match origin/main

Remove network restrictions test changes from claude.yml

* Format README.md table alignment

Run bun format to fix table column alignment

---------

Co-authored-by: km-anthropic <km-anthropic@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>

examples/claude.yml

@@ -36,3 +36,12 @@ jobs:
           # Or use OAuth token instead:
           # claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           timeout_minutes: "60"
+          # Optional: Restrict network access to specific domains only
+          # experimental_allowed_domains: |
+          #   .anthropic.com
+          #   .github.com
+          #   api.github.com
+          #   .githubusercontent.com
+          #   bun.sh
+          #   registry.npmjs.org
+          #   .blob.core.windows.net