* Switch dependency resolution workflow to push triggers

The previous fix in #23363 kept the workflow on `pull_request` and
filtered paths, but `pull_request` evaluates paths against the full
PR diff (three-dot). A PR that legitimately bumps a dependency has
`agent_requirements.in` in its diff forever, so every bot auto-commit
to `.deps/resolved/*` still retriggers the workflow — the loop never
breaks.

Switch to `push`, which evaluates paths against the push delta
(two-dot). The bot's publish commit only touches `.deps/resolved/*`,
which is not in the paths filter, so it cannot retrigger.

`branches-ignore` excludes master, 7.x release branches, and
merge-queue refs. The workflow is not a required status check for
the merge queue, so no `merge_group` trigger is needed.

Along the way:
- Concurrency group keyed on `github.ref` (push has no PR number).
- Drop the fork check on the `test` job (push doesn't fire for forks).
- Replace the `git diff` builder-change detection with
  `dorny/paths-filter`, which handles push/PR diff bases natively
  and matches the pattern already used in `pr-quick-check.yml`.
- Publish job checks out `github.ref_name` instead of `github.head_ref`.

* Update dependency resolution

* Gate builder rebuilds on a content hash of their inputs

Codex flagged that the previous builder-change detection — whether the
old `git diff origin/$base_ref...HEAD -- .builders/` or the
`dorny/paths-filter` replacement in this PR — compares against the
repository default branch on push events, which incorrectly handles
7.x backport branches. A backport whose target is 7.x can report
`builder_changed=false` when its `.builders/` differs from master
but matches its actual target.

Replace the git-diff heuristic with a direct content hash: compute a
sha256 of the inputs that determine each builder image from the
working tree, and compare to a value pinned in
.deps/builder_inputs.toml. This answers the semantically correct
question ("does the current tree produce a different image than the
one pinned?") and is immune to base-branch guessing, rebases, and
backport flows.

- .builders/inputs_hash.py: `compute <target>` / `pinned <target>`.
- .deps/builder_inputs.toml: pinned hashes, rewritten by upload.py.
- .builders/upload.py: writes builder_inputs.toml alongside
  image_digests.json; reads per-target `inputs_sha256` files from
  the workflow output directory.
- Workflow: replaces the paths-filter step with the hash comparison
  and stamps `inputs_sha256` next to `image_digest` so upload.py can
  persist it.

* some doxx

* Update dependency resolution

* Make the builder inputs hash OS-agnostic and visible in CI logs

The first CI run on this PR rebuilt only the Windows image even
though .builders/ was unchanged. The Linux runners computed the
same hash as my local macOS backfill, but the Windows runner did
not, so the gate mistakenly declared a change.

Most likely cause: actions/checkout on the Windows runner materializes
text files with CRLF despite `.gitattributes` specifying `eol=lf`.
Normalize by stripping all `\r` bytes before hashing so the hash is
invariant across OSes and checkout configurations. Revert the Windows
pinned value to the normalized one so the next push doesn't force
another rebuild.

Also echo the current and pinned hashes plus the decision, so the
reason a rebuild did or didn't happen is visible in the run log
rather than being hidden behind $GITHUB_OUTPUT.

* Sort hash inputs by POSIX path string, not Path object

Codex correctly identified why the Windows image rebuilt on the first
run: sorting `Path` objects yields host-dependent order. WindowsPath's
comparison is case-insensitive and uses backslashes, so on the Windows
runner `Dockerfile` and `build_script.ps1` sorted in the opposite order
from macOS/Linux. Feeding the same bytes through the hash in a
different order produces a different digest.

Simulated the Windows sort order locally and reproduced the exact
24b218ce… hash CI computed — confirms this, not line endings, is
the cause. Sort by the normalized POSIX path string instead so the
iteration order is invariant across hosts.

* Update dependency resolution

* Harden inputs_hash.py against silent drift and dev/CI divergence

- Warn when a COMMON_INPUTS entry matches zero files (catches typos/renames).
- Ignore dotfiles and __pycache__ in _iter_files so stray local artifacts
  (editor metadata, cached bytecode) don't change the hash off-CI. Keep
  .gitkeep since it's intentional placeholder content.
- Wrap tomllib.load with a RuntimeError that names the file, since
  builder_inputs.toml is explicitly not for hand-edits.
- Warn when the pinned file exists but has no entry for the target, so a
  rebuild in that case has a debuggable breadcrumb instead of silently
  looking like a first-run.
- Add Iterator[Path] return annotation on _iter_files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: dd-agent-integrations-bot[bot] <dd-agent-integrations-bot[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>