fix: atomic restore write and pid-qualified temp file

.github/workflows/claude-review.yml

@@ -21,20 +21,36 @@ jobs:
       - uses: anthropics/claude-code-action@v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          use_sticky_comment: true
           prompt: |
             REPO: ${{ github.repository }}
             PR NUMBER: ${{ github.event.pull_request.number }}
 
-            Review this pull request as a senior Dart/Flutter engineer. Focus on:
-            - Correctness bugs and edge cases in the changed code
-            - API misuse and error-handling gaps
-            - Security issues (credential handling, injection, unsafe file I/O)
-            - Backwards compatibility for existing users of this package
+            Review this pull request as a senior Dart/Flutter engineer.
 
-            Use `gh pr comment` for overall feedback and
-            `mcp__github_inline_comment__create_inline_comment` (with confirmed: true)
-            for line-specific issues. Only post GitHub comments — do not submit
-            review text as plain messages. Be concise; skip pure style nits.
+            Classify every finding by severity and lead each one with its
+            label:
+            - **Critical** — bugs, broken behavior, data loss, security
+              flaws. Only Critical findings block merging.
+            - **Medium** — real but non-blocking improvements; the team may
+              table these as tracked follow-ups.
+            - **Low** — style, polish, minor hardening.
+
+            Before raising a finding, read the PR's existing comments and
+            review threads (`gh pr view <n> --comments`). Do not re-raise a
+            finding the author has already refuted or explicitly tabled
+            there unless you have new evidence. When claiming a control-flow
+            gap (e.g. a missing try/finally), read the entire enclosing
+            function first and cite the line numbers that demonstrate it.
+
+            Focus on correctness bugs and edge cases, API misuse,
+            error-handling gaps, security issues, and backwards
+            compatibility for existing users. Skip pure style nits.
+
+            Use `gh pr comment` for the summary and
+            `mcp__github_inline_comment__create_inline_comment` (with
+            confirmed: true) for line-specific issues. Only post GitHub
+            comments — do not submit review text as plain messages.
           claude_args: |
             --model claude-sonnet-4-6
             --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"

lib/src/shared/android_baseline_yaml.dart

@@ -39,24 +39,31 @@ String? writeReleaseVersionToAndroidYaml(
   // Write to a temp file and rename over the original: a failed write
   // (disk full, permissions) can then never corrupt the config, and the
   // original error propagates without a doomed in-place rescue attempt.
-  final tempFile = File('$yamlPath.tmp');
+  _atomicWrite(yamlPath, content);
+  return originalContent;
+}
+
+void restoreAndroidYaml(
+  String originalContent, {
+  String yamlPath = kDefaultAndroidCodePushYamlPath,
+}) {
+  _atomicWrite(yamlPath, originalContent);
+}
+
+/// Writes [content] to [path] via a pid-qualified temp file and an atomic
+/// rename, so a failed or concurrent write can never leave the target
+/// truncated.
+void _atomicWrite(String path, String content) {
+  final tempFile = File('$path.$pid.tmp');
   try {
     tempFile.writeAsStringSync(content);
-    tempFile.renameSync(yamlPath);
+    tempFile.renameSync(path);
   } on FileSystemException {
     try {
       tempFile.deleteSync();
     } on FileSystemException {
-      // Best-effort cleanup; the original config is untouched either way.
+      // Best-effort cleanup; the target file is untouched either way.
     }
     rethrow;
   }
-  return originalContent;
-}
-
-void restoreAndroidYaml(
-  String originalContent, {
-  String yamlPath = kDefaultAndroidCodePushYamlPath,
-}) {
-  File(yamlPath).writeAsStringSync(originalContent);
 }