Document include_comments_by_actor and exclude_comments_by_actor in usage.md and security.md #972

@mmiermans

Problem

include_comments_by_actor and exclude_comments_by_actor are defined in action.yml but missing from docs/usage.md, the primary configuration reference.

These parameters control which comment authors are included in Claude's prompt context. They're useful for:

  1. Scoping input on public repos: include_comments_by_actor lets maintainers allowlist which users' comments are passed to Claude.
  2. Reducing noise: exclude_comments_by_actor filters out bot comments (dependabot, renovate, CI) to save tokens and keep Claude focused.

Separately, docs/security.md has a "Prompt Injection Risks" section that covers hidden markdown in untrusted content, but doesn't mention comment filtering as an additional mitigation. Referencing include_comments_by_actor there would help users configuring the action for public repos.

Implemented in #812, tracked in #845, but neither doc was updated.

What's missing

docs/usage.md

  • Both parameters in the Inputs table with descriptions, defaults, and wildcard support
  • The precedence rule (exclusion wins when an actor matches both lists)
  • An example showing the allowlist and/or bot-exclusion use case

docs/security.md

  • Mention comment filtering alongside the existing hidden-markdown guidance
  • Reference include_comments_by_actor as an option for public repos
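
The filtering semantics the issue asks to have documented, as an added illustrative model (not the action's own code and not part of the original issue). It assumes comma-separated actor lists, a `*` wildcard that matches any run of characters, case-insensitive matching, and that an empty include list means no allowlist; the function names and the sample thread are hypothetical.

```javascript
// Illustrative model only, not the action's implementation.
// Assumptions: inputs are comma-separated actor lists, "*" matches any run of
// characters, matching is case-insensitive, and an empty include list means
// "no allowlist" (everyone is included unless excluded).

function parseActorList(input) {
  return (input || "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

function matchesPattern(actor, pattern) {
  // Escape regex metacharacters, then turn the escaped "*" back into ".*".
  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\\\*/g, ".*") + "$");
  return re.test(actor.toLowerCase());
}

function shouldIncludeComment(actor, includeList, excludeList) {
  // Exclusion wins when an actor matches both lists (the rule the issue states).
  if (excludeList.some((p) => matchesPattern(actor, p))) return false;
  if (includeList.length === 0) return true;
  return includeList.some((p) => matchesPattern(actor, p));
}

function filterComments(comments, includeInput, excludeInput) {
  const include = parseActorList(includeInput);
  const exclude = parseActorList(excludeInput);
  return comments.filter((c) => shouldIncludeComment(c.author, include, exclude));
}

// Constructed sample thread on a public repo.
const sampleComments = [
  { author: "maintainer-alice", body: "Please review the retry logic." },
  { author: "dependabot[bot]", body: "Bumps a dependency (constructed)." },
  { author: "drive-by-user", body: "Untrusted comment with hidden markdown (constructed)." },
  { author: "release-helper[bot]", body: "Build passed." },
];

// Allowlist maintainers plus one bot, then exclude all bots: the allowlisted
// bot matches both lists and is dropped, and the unlisted user never reaches
// the prompt context.
const kept = filterComments(sampleComments, "maintainer-*, release-helper[bot]", "*[bot]");
console.log(kept.map((c) => c.author));
```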

Labels: documentation (Improvements or additions to documentation), p3 (Minor bug or general feature request)
