ci(security-review): set origin/HEAD so the bundled skill's git diff works (#1327)

The /security-review slash command runs `git diff origin/HEAD...` as its
first action to enumerate the PR's changes. actions/checkout doesn't set
up the remote's symbolic HEAD ref, so that command fails with
"ambiguous argument 'origin/HEAD...': unknown revision". Claude then
loops trying variants until --max-turns 30 trips and the action exits 1.

Set origin/HEAD to the PR's base ref right after checkout so the skill's
git invocations resolve correctly. Run #26186045056 on PR #1321 was the
trigger - 30 turns spent on shell-error recovery, no findings posted.

Author: tejaskash

.github/workflows/pr-security-review.yml

@@ -167,6 +167,19 @@ jobs:
           # the base branch locally too. fetch-depth: 0 grabs the full history.
           fetch-depth: 0
 
+      - name: Set origin/HEAD for /security-review skill
+        env:
+          BASE_REF: ${{ steps.pr.outputs.base_ref }}
+        run: |
+          set -euo pipefail
+          # actions/checkout doesn't set up the remote's symbolic HEAD ref, so
+          # `git diff origin/HEAD...` (the first command the bundled
+          # /security-review skill runs) fails with "ambiguous argument
+          # 'origin/HEAD...': unknown revision". Point origin/HEAD at the PR's
+          # base branch so the skill resolves the diff against the right ref.
+          git remote set-head origin "$BASE_REF"
+          git symbolic-ref refs/remotes/origin/HEAD
+
       - name: Configure AWS credentials (OIDC)
         uses: aws-actions/configure-aws-credentials@v6
         with: