Support workflow run to be able to auto-review PRs from forks

[lorenrh]

Related Issues

Summary

The auto-review job previously only triggered for same-repo PRs because fork PRs don't have access to secrets in the pull_request event context. This PR adds a two-stage handoff to enable auto-review for fork contributors who are org members.

How it works:

1. A new PR Review Trigger workflow runs on pull_request in the fork's context (no secrets needed). For fork PRs only, it saves the PR number as an artifact and completes.

2. Self PR Review (and the reusable review-pr.yml) listen for workflow_run completion. They download the artifact to recover the PR number, then run the full org membership check and review with secrets from the base repo
   context.

Changes:

• New pr-review-trigger.yml — lightweight trigger that saves PR metadata for fork PRs
• self-review-pr.yml — adds workflow_run trigger, actions: read permission, and a get-pr step that downloads the artifact; updated auto-review job condition excludes same-repo workflow_run events to avoid spurious runs
• review-pr.yml — adds workflow_run support to the reusable workflow's auto-review job; PR number resolved once in a dedicated get-pr step and threaded through via step outputs; ${{ }} expressions moved to env: in run: steps to prevent script injection

---

Tip

Comment /review to trigger the PR Reviewer agent for automated feedback.
Comment /describe to generate a PR description.

[lorenrh]

/review

[docker-agent]

Assessment: 🟡 NEEDS ATTENTION

Found 3 issues in the workflow_run implementation that should be addressed for robustness and defense-in-depth.

[derekmisler]

This workflow is only for this cagent-action repo, btw.

[lorenrh]

Yeah, but thought it would benefit from reviewing in forks (and make sure it works on it's own repo);