
[STG-1518] Add Github Action that allows claiming external contributor PRs to run CI with secrets #1794

Merged
pirate merged 1 commit into main from external-pr-claiming on Mar 11, 2026

Conversation

@pirate
Member

@pirate pirate commented Mar 9, 2026

why

  • External contributor PRs currently fail CI because they can't run with secrets
  • We don't want to allow them to run with secrets until a team member "claims" them and reviews for any secrets exfiltration / sketchy code
  • Once claimed, we want to run the full CI suite with secrets

what changed

test plan


Summary by cubic

Adds two GitHub Actions that let maintainers claim external contributor PRs by mirroring the approved head SHA to a maintainer-owned branch so full CI can run with secrets. Claims come from an approving review by a team member with write access on the latest commit and are auto-invalidated on new commits (Linear STG-1518).

  • New Features

    • Detects forked PRs and posts claim instructions; manages labels: external-contributor, external-contributor:awaiting-approval, external-contributor:mirrored, external-contributor:stale, external-contributor:completed.
    • On approving review of the latest commit, verifies reviewer permission, mirrors that exact SHA to external-contributor-pr-<PR#>-<12sha>, and creates/reopens a “[Claimed #X]” PR assigned to the approver.
    • Closes and links the original PR with marker comments; keeps labels/status in sync on both PRs.
    • Auto-closes the mirror when new commits land on the external PR and comments with next steps; if the mirror closes without merge, reopens and relabels the original PR; if the external PR is reopened with the same approved SHA while the mirror is open, it is closed again to keep discussion on the mirror.
    • Implemented via external-contributor-pr-approval-handoff.yml (captures approved reviews, uploads artifact) and external-contributor-pr.yml (consumes artifact, performs mirroring); uses actions/github-script@v7, actions/create-github-app-token@v1, actions/checkout@v4, actions/download-artifact@v4, actions/upload-artifact@v4; concurrency scoped per PR/workflow run.
  • Migration

    • Create a GitHub App with contents:write, pull_requests:write, and issues:write; add EXTERNAL_CONTRIBUTOR_PR_APP_ID and EXTERNAL_CONTRIBUTOR_PR_APP_PRIVATE_KEY secrets.
    • To claim: submit an approving review on the latest commit of a forked PR. If new commits are pushed, approve again to re-claim and rerun CI.

Written for commit 4875e99. Summary will update on new commits.
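The claim rule the summary describes (an approving review from a team member with write access, on the exact head SHA of a forked PR, mirrored to external-contributor-pr-<PR#>-<12sha>) as an added JavaScript example of the decision a github-script step would make before mirroring. This is not code from the PR's workflow files; the payload shapes and sample values are assumed and constructed.

```javascript
// Added example, not the repository's own workflow code. Models the claim
// decision described in the PR summary: mirror a forked PR's head SHA to a
// maintainer-owned branch only when a write-capable reviewer approved that
// exact commit. Inputs are plain objects shaped like GitHub REST payloads
// (assumed); fetching them via the API is out of scope here.

// Permission levels that count as "team member with write access".
const WRITE_LEVELS = new Set(['write', 'maintain', 'admin']);

// Mirror branch naming from the summary: external-contributor-pr-<PR#>-<12sha>
function mirrorBranchName(prNumber, headSha) {
  return `external-contributor-pr-${prNumber}-${headSha.slice(0, 12)}`;
}

// Returns { claim: true, branch } when the review is a valid claim,
// otherwise { claim: false, reason } so the workflow can comment and stop.
function evaluateClaim({ pr, review, reviewerPermission }) {
  // Only PRs from forks need claiming; same-repo PRs already run with secrets.
  if (pr.head.repo.full_name === pr.base.repo.full_name) {
    return { claim: false, reason: 'not a fork PR' };
  }
  // Webhook payloads use "approved", the REST API uses "APPROVED"; accept both.
  if (String(review.state).toUpperCase() !== 'APPROVED') {
    return { claim: false, reason: 'review is not an approval' };
  }
  // Reviewer must hold write, maintain or admin on the base repository.
  if (!WRITE_LEVELS.has(reviewerPermission)) {
    return { claim: false, reason: `reviewer permission '${reviewerPermission}' lacks write` };
  }
  // The approval is tied to one commit; a later push invalidates the claim,
  // so never mirror a SHA other than the one that was actually reviewed.
  if (review.commit_id !== pr.head.sha) {
    return { claim: false, reason: 'approval is for an older commit' };
  }
  return { claim: true, branch: mirrorBranchName(pr.number, review.commit_id) };
}

// Constructed sample inputs (placeholder repo names and SHA, not real data).
const samplePr = {
  number: 1794,
  head: { sha: '0123456789abcdef0123456789abcdef01234567',
          repo: { full_name: 'fork-owner/repo' } },
  base: { repo: { full_name: 'org/repo' } },
};
const sampleReview = { state: 'approved', commit_id: samplePr.head.sha };

console.log(evaluateClaim({ pr: samplePr, review: sampleReview, reviewerPermission: 'write' }));
```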

@pirate pirate requested a review from seanmcguire12 March 9, 2026 21:00
@pirate pirate marked this pull request as ready for review March 11, 2026 06:58
@browserbase browserbase deleted a comment from claude Bot Mar 11, 2026
@browserbase browserbase deleted a comment from claude Bot Mar 11, 2026
@pirate pirate force-pushed the external-pr-claiming branch from b1cac47 to 4875e99 Compare March 11, 2026 20:41
@pirate pirate merged commit 4b71374 into main Mar 11, 2026
27 checks passed