Avoid PR head checkout and add prompt profiles

[gontzess]

Why

The PR review workflow runs under pull_request_target so it can comment on PRs. Checking out PR head code before the secret-backed review step lets untrusted PR content influence the review environment.

This intentionally keeps pull_request_target. The workflow needs base-repo privileges to use the org review secret and post PR comments/reviews. The safety boundary is that pull_request_target must run only trusted workflow/base-repo code, while PR head code is treated as review data.

This PR removes that trust-boundary issue while keeping the review behavior developers rely on: incremental reviews, deduplication of prior findings, inline comments, and review verdicts. It also brings this workflow to parity with the ductone review flow.

What this changes

Security boundary:

This replaces the inline review steps with a composite review action that fetches trusted PR context through the GitHub API. The workflow checks out only the PR base commit with persisted credentials disabled, then the action computes review mode from bot-authored state and GitHub compare data.

After this change, the secret-backed job no longer checks out or executes PR head files. PR contents enter the job as GitHub API responses for the reviewer to inspect, not as code on disk that can affect the runner environment.

The action now scopes review state and concurrency by github.workflow_ref, ignores human-authored review-state markers, updates only summary comments owned by the same workflow ref, falls back to full review on unsafe compare states, rechecks the PR head before posting, and uploads review context artifacts for debugging.

Prompt/profile changes:

The connector-specific prompt remains the default, which preserves required-workflow/ruleset behavior for connector repos. Repos that need the previous broad security/correctness prompt can opt into general with PR_REVIEW_PROMPT=general or by passing review_prompt: general when calling the reusable workflow.

The connector prompt keeps the existing connector review criteria while using the same trusted state and incremental-review plumbing as the general prompt. The general prompt is structured for SDK and shared-library repos where the change may affect connector-facing contracts without being a connector implementation.

Validation

• YAML parse for workflow and composite action
• Python compile for review scripts
• git diff --check
• Private connector canary: first full review
• Private connector canary: normal incremental commit
• Private connector canary: stacked incremental commits
• Private connector canary: force-push rewrite fell back to full
• Private connector canary: same-SHA rerun fell back to full on identical
• Private connector canary: manual dispatch state stayed separate from PR-triggered state
• Security cross-review found no blockers for the original PR-head checkout threat