
fix: Inline setup-bot composite action into bot workflows#1189

Merged
rwalworth merged 1 commit into main from
01188-beginner-bot-workflows-fail-on-pull_request_target-due-to-unreachable-local-composite-action
Feb 24, 2026

Conversation

@rwalworth
Contributor

Summary

This PR fixes a chicken-and-egg failure in the three bot workflows (on-pr, on-commit,
on-comment) where the local composite action .github/actions/setup-bot could not be
resolved because pull_request_target does not automatically check out the repository.

Key Changes:

  • Inline the harden-runner and checkout steps directly into each bot workflow
  • Delete the now-unused .github/actions/setup-bot/ composite action

Motivation

The bot workflows use pull_request_target (and issue_comment) triggers with a write
token, and deliberately check out only the default branch to avoid running untrusted PR
code. The checkout was encapsulated in a local composite action at
.github/actions/setup-bot/action.yml.

However, pull_request_target does not automatically check out the repository when a job
starts. GitHub Actions needs the composite action file on disk to even begin executing it,
creating an unresolvable dependency: the action that performs the checkout cannot itself be
loaded without a prior checkout.

This caused every bot workflow run to fail immediately with:

Can't find 'action.yml', 'action.yaml' or 'Dockerfile' under
'.github/actions/setup-bot'. Did you forget to run actions/checkout
before running your local action?

Changes

Workflow Inlining

In each of the three bot workflows, the single Setup Bot Environment step:

- name: Setup Bot Environment
  uses: ./.github/actions/setup-bot

was replaced with the two steps it contained:

- name: Harden Runner
  uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
  with:
    egress-policy: audit

- name: Checkout Repository
  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  with:
    ref: ${{ github.event.repository.default_branch }}

Both action pins (SHA and version comment) are preserved exactly as they were in the
composite action.

Comment Cleanup

The header comment in on-comment.yaml referenced the old composite action and was
updated to reflect the new inline approach.

Composite Action Removal

.github/actions/setup-bot/action.yml was deleted since it is no longer referenced
by any workflow.


Testing

  • Verify zxc-test-bot-scripts.yaml does not reference setup-bot (it already inlines its own steps)
  • Verify no other workflow or action references .github/actions/setup-bot
  • Confirm all three modified workflows use identical action SHAs and versions as the deleted composite action
  • CI checks pass on the PR

Files Changed Summary

| Category | Files | Notes |
|----------|-------|-------|
| Modified | .github/workflows/on-pr.yaml | Inlined harden-runner + checkout |
| Modified | .github/workflows/on-commit.yaml | Inlined harden-runner + checkout |
| Modified | .github/workflows/on-comment.yaml | Inlined harden-runner + checkout, updated header comment |
| Removed | .github/actions/setup-bot/action.yml | No longer needed |

Breaking Changes

None. All workflow triggers, permissions, concurrency groups, and bot script invocations
remain unchanged. The only difference is that the harden-runner and checkout steps are now
defined directly in each workflow instead of being referenced through a composite action.

Signed-off-by: Rob Walworth <robert.walworth@swirldslabs.com>
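An added lint for the failure this PR describes (it is not part of the PR or the repository): it scans a workflow for any job that references a local `./` action before an actions/checkout step, which is exactly the pattern that produced the "Can't find 'action.yml'" error. The two sample workflows are constructed; the action SHA pins are the ones quoted in the PR.

```python
"""Lint for the bug this PR fixes: a job that `uses: ./...` (a local composite
action) before any actions/checkout step cannot be loaded, because nothing has
put the repository on disk yet. Line-based, so it needs no PyYAML."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s]+)")
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # job keys sit at 2-space indent


def unreachable_local_actions(workflow_text):
    """Return (job, uses) pairs for local actions referenced before a checkout."""
    findings, job, checked_out, in_jobs = [], None, False, False
    for line in workflow_text.splitlines():
        if line.startswith("jobs:"):
            in_jobs = True
        elif in_jobs and JOB_RE.match(line):      # new job: empty workspace again
            job, checked_out = JOB_RE.match(line).group(1), False
        elif in_jobs and USES_RE.match(line):
            ref = USES_RE.match(line).group(1)
            if ref.startswith("actions/checkout@"):
                checked_out = True                # repository is now on disk
            elif ref.startswith("./") and not checked_out:
                findings.append((job, ref))       # local action, nothing checked out
    return findings


# Constructed: the pre-fix shape of a bot workflow job (trigger is irrelevant
# to the check; with pull_request_target nothing is checked out automatically).
BROKEN = """\
jobs:
  bot:
    steps:
      - name: Setup Bot Environment
        uses: ./.github/actions/setup-bot
"""
# Constructed: the same job with the PR's inlined, SHA-pinned steps.
FIXED = """\
jobs:
  bot:
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.repository.default_branch }}
"""
```

Running `unreachable_local_actions` over every file in `.github/workflows/` gives a cheap pre-merge check for this class of failure; an empty list means every local action in the repository is referenced only after a checkout.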
@rwalworth rwalworth self-assigned this Feb 20, 2026
@rwalworth rwalworth requested review from a team as code owners February 20, 2026 20:58
@rwalworth rwalworth added the status: needs review The pull request is ready for maintainer review label Feb 20, 2026
@rwalworth rwalworth requested a review from gsstoykov February 20, 2026 20:58
@rwalworth rwalworth merged commit fa3dcfb into main Feb 24, 2026
12 of 13 checks passed
@rwalworth rwalworth deleted the 01188-beginner-bot-workflows-fail-on-pull_request_target-due-to-unreachable-local-composite-action branch February 24, 2026 14:23
@rwalworth rwalworth removed the status: needs review The pull request is ready for maintainer review label Feb 24, 2026


Development

Successfully merging this pull request may close these issues.

[Beginner]: Bot workflows fail on pull_request_target due to unreachable local composite action

4 participants