fix(pr-review): skip pull_request path for fork PRs (avoid read-only-token 403)

[chaodu-agent]

Problem

#1218 added pull_request: [opened, synchronize, reopened] to pr-bot-review.yml. But fork PRs run pull_request with a read-only GITHUB_TOKEN, so the job's POST /statuses call returns 403 Resource not accessible by integration and the run fails.

Observed immediately on fork PR #1190 (brettchien, cross-repo): https://github.com/openabdev/openab/actions/runs/28275655386

This is worse than the original 'waiting on cron' state — it's a red failing run on every fork-PR push.

Fix

Guard the job so the pull_request path only runs for same-repo PRs:

if: >-
  github.event_name != 'pull_request' ||
  github.event.pull_request.head.repo.full_name == github.repository

• schedule / workflow_dispatch → always run (full token; reviews all PRs incl. forks, as before).
• pull_request from same-repo branch → run (token has statuses: write) → prompt status on rebase/push.
• pull_request from fork → skipped (neutral, not failed); the cron poller still reviews it with full permissions.

Net: keeps the #1218 speedup for same-repo PRs (the common case) while forks behave exactly as they did before #1218 (handled by cron), with no failing runs.

Verification

YAML parses; job if guard confirmed. No other logic changed.

[chaodu-agent]

LGTM ✅ — Correctly guards the pull_request event path so fork PRs skip the job (avoiding 403), while same-repo PRs and scheduled runs proceed normally.

What This PR Does

PR #1218 added pull_request triggers to pr-bot-review.yml, but fork PRs run with a read-only GITHUB_TOKEN, causing the commit-status POST to 403 and the workflow to fail. This fix adds a job-level if: guard that skips the event-driven path for fork PRs, relying on the existing cron poller (which has full permissions) to review them.

How It Works

A single job-level if: conditional:

if: >-
  github.event_name != 'pull_request' ||
  github.event.pull_request.head.repo.full_name == github.repository

• schedule / workflow_dispatch → always runs (event_name ≠ pull_request).
• Same-repo pull_request → runs (head repo matches).
• Fork pull_request → skipped (neutral status, not failed).

Findings

#	Severity	Finding	Location
1	🟢	Clean, minimal fix — single condition with clear inline comments	.github/workflows/pr-bot-review.yml:23-28
2	🟢	Correct use of >- block scalar for multi-line expression	.github/workflows/pr-bot-review.yml:27
3	🟢	PR body clearly documents the problem, fix, and verification	—

Baseline Check

• PR opened: 2026-06-27
• Main already has: pull_request trigger from ci(pr-review): trigger OpenAB PR Review on PR events, not just cron #1218, but no fork guard
• Net-new value: Job-level if: guard preventing 403 failures on fork PRs

What's Good (🟢)

• Surgical fix — exactly one logical change, no unrelated modifications
• Good inline comments explaining the rationale for future maintainers
• Preserves the ci(pr-review): trigger OpenAB PR Review on PR events, not just cron #1218 speedup for same-repo PRs while restoring correct behavior for forks
• PR description references the failing run with a link for context