
Commit 4b71374

[STG-1518] Add GitHub Action that allows claiming external contributor PRs to run CI with secrets (browserbase#1794)

# why

- External contributor PRs currently fail CI because they can't run with secrets
- We don't want to allow them to run with secrets until a team member "claims" them and reviews for any secrets exfiltration / sketchy code
- Once claimed, we want to run the full CI suite with secrets

# what changed

# test plan

---

## Summary by cubic

Adds two GitHub Actions that let maintainers claim external contributor PRs by mirroring the approved head SHA to a maintainer-owned branch so full CI can run with secrets. Claims come from an approving review by a team member with write access on the latest commit and are auto-invalidated on new commits (Linear STG-1518).

- **New Features**
  - Detects forked PRs and posts claim instructions; manages labels: `external-contributor`, `external-contributor:awaiting-approval`, `external-contributor:mirrored`, `external-contributor:stale`, `external-contributor:completed`.
  - On approving review of the latest commit, verifies reviewer permission, mirrors that exact SHA to `external-contributor-pr-<PR#>-<12sha>`, and creates/reopens a "[Claimed #X]" PR assigned to the approver.
  - Closes and links the original PR with marker comments; keeps labels/status in sync on both PRs.
  - Auto-closes the mirror when new commits land on the external PR and comments with next steps; if the mirror closes without merge, reopens and relabels the original PR; if the external PR is reopened with the same approved SHA while the mirror is open, it is closed again to keep discussion on the mirror.
  - Implemented via `external-contributor-pr-approval-handoff.yml` (captures approved reviews, uploads artifact) and `external-contributor-pr.yml` (consumes artifact, performs mirroring); uses `actions/github-script@v7`, `actions/create-github-app-token@v1`, `actions/checkout@v4`, `actions/download-artifact@v4`, `actions/upload-artifact@v4`; concurrency scoped per PR/workflow run.
- **Migration**
  - Create a GitHub App with `contents:write`, `pull_requests:write`, and `issues:write`; add `EXTERNAL_CONTRIBUTOR_PR_APP_ID` and `EXTERNAL_CONTRIBUTOR_PR_APP_PRIVATE_KEY` secrets.
  - To claim: submit an approving review on the latest commit of a forked PR. If new commits are pushed, approve again to re-claim and rerun CI.

Written for commit 4875e99. Summary will update on new commits. Review in cubic: https://cubic.dev/pr/browserbase/stagehand/pull/1794
1 parent c85222c commit 4b71374
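The claim rules in the commit message (approving review, from a team member with write access, on the PR's latest commit, for a PR that comes from a fork) are the checks the secret-holding side of this handoff has to make from fresh API data rather than from the artifact it receives. The following is an added example, not code from this commit or from the stagehand repository: a pure decision function that encodes those rules so they can be unit-tested outside Actions. Field names follow GitHub's REST/webhook shapes (`review.state`, `review.commit_id`, `review.user.login`, `pr.number`, `pr.head.sha`, `pr.head.repo.full_name`); the `permission` argument is assumed to be the value returned by the collaborator permission-level endpoint (`GET /repos/{owner}/{repo}/collaborators/{username}/permission`), and the sample PR and review below are constructed, not real repository state.

```javascript
// Added example (not the project's own code): re-derive a claim decision from
// freshly fetched review/PR data instead of trusting an uploaded artifact.

// Permission levels treated as "write access". The permission-level endpoint
// reports 'admin' | 'write' | 'read' | 'none'; 'maintain' is accepted as well
// for role_name-style values (assumption documented in the lead-in).
const WRITE_LEVEL = new Set(['admin', 'maintain', 'write']);

// Mirror branch naming from the commit message: external-contributor-pr-<PR#>-<12sha>
function mirrorBranchName(prNumber, sha) {
  return `external-contributor-pr-${prNumber}-${sha.slice(0, 12)}`;
}

// Returns { claim: true, approvedSha, mirrorBranch } only when every rule holds;
// otherwise { claim: false, reasons } listing each rule that failed, so a
// workflow can post a precise "why this was not claimed" comment.
function evaluateClaim({ review, pr, baseRepoFullName, permission }) {
  const reasons = [];
  if (review.state !== 'approved') {
    reasons.push('review is not an approval');
  }
  if (pr.head.repo.full_name === baseRepoFullName) {
    reasons.push('PR is not from a fork');
  }
  if (!WRITE_LEVEL.has(permission)) {
    reasons.push(`reviewer ${review.user.login} lacks write access`);
  }
  // The claim is bound to the exact reviewed commit: no fallback to the head SHA.
  if (!review.commit_id) {
    reasons.push('review carries no commit_id');
  } else if (review.commit_id !== pr.head.sha) {
    reasons.push('review is not on the latest commit');
  }
  if (reasons.length > 0) {
    return { claim: false, reasons };
  }
  return {
    claim: true,
    approvedSha: review.commit_id,
    mirrorBranch: mirrorBranchName(pr.number, review.commit_id),
  };
}

// Constructed sample data (not real repository state).
const HEAD_SHA = '0123456789abcdef0123456789abcdef01234567';
const BASE_REPO = 'browserbase/stagehand';
const SAMPLE_PR = {
  number: 1794,
  head: { sha: HEAD_SHA, repo: { full_name: 'contributor/stagehand' } },
};
const SAMPLE_REVIEW = {
  id: 42,
  state: 'approved',
  commit_id: HEAD_SHA,
  user: { login: 'maintainer' },
};

// A valid claim, and the same review after a new commit was pushed (now stale).
const valid = evaluateClaim({
  review: SAMPLE_REVIEW, pr: SAMPLE_PR, baseRepoFullName: BASE_REPO, permission: 'write',
});
const stale = evaluateClaim({
  review: SAMPLE_REVIEW,
  pr: { ...SAMPLE_PR, head: { ...SAMPLE_PR.head, sha: 'fedcba9876543210fedcba9876543210fedcba98' } },
  baseRepoFullName: BASE_REPO,
  permission: 'write',
});

console.log(JSON.stringify({ valid, stale }, null, 2));
```

The function deliberately has no network access: in a consuming workflow the caller fetches the review, the PR and the reviewer's permission level with the App token, then passes them in, so the artifact from the producer job contributes nothing more than the PR number used for those lookups.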

2 files changed

Lines changed: 932 additions & 0 deletions


Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
name: External Contributor PR Approval Handoff
2+
3+
on:
4+
pull_request_review:
5+
types:
6+
- submitted
7+
8+
permissions:
9+
contents: read
10+
pull-requests: read
11+
12+
jobs:
13+
capture-approved-review:
14+
runs-on: ubuntu-latest
15+
steps:
16+
- name: Write approval handoff payload
17+
uses: actions/github-script@v7
18+
with:
19+
github-token: ${{ secrets.GITHUB_TOKEN }}
20+
script: |
21+
const fs = require('fs');
22+
const pr = context.payload.pull_request;
23+
const review = context.payload.review;
24+
const shouldClaim =
25+
review.state === 'approved' &&
26+
pr.head.repo.full_name !== context.payload.repository.full_name;
27+
28+
const payload = {
29+
shouldClaim,
30+
prNumber: pr.number,
31+
reviewer: review.user?.login || '',
32+
reviewId: review.id,
33+
approvedSha: review.commit_id || pr.head.sha,
34+
};
35+
36+
fs.writeFileSync('approval-handoff.json', JSON.stringify(payload));
37+
38+
- name: Upload approval handoff artifact
39+
uses: actions/upload-artifact@v4
40+
with:
41+
name: approved-review
42+
path: approval-handoff.json
43+
retention-days: 1
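Review bot: the fields written in `const payload = { shouldClaim, prNumber, reviewer, reviewId, approvedSha }` must be treated as untrusted input by the workflow that downloads the `approved-review` artifact, not as the verified claim. This job is triggered by `pull_request_review` on a PR whose head lives in a fork (that is exactly what `pr.head.repo.full_name !== context.payload.repository.full_name` detects), so the script that produces the artifact runs without secrets and in a context the PR author can influence; anything it writes, including `shouldClaim: true` or a chosen `reviewer`/`approvedSha`, should be assumed forgeable. The consumer holding the GitHub App token should use only `prNumber` (and `reviewId`) as lookup keys, re-fetch the review via the API, and confirm for itself that the state is `approved`, that the reviewer has write access, and that the review's `commit_id` equals the PR's current head SHA before mirroring anything. Related: `approvedSha: review.commit_id || pr.head.sha` silently substitutes the head SHA when the review has no `commit_id`; since a claim is meant to be bound to the exact reviewed commit, record `review.commit_id` only and let the consumer reject a payload where it is absent or differs from the head. The read-only `permissions` block (`contents: read`, `pull-requests: read`) and `retention-days: 1` are appropriate for this producer side.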

0 commit comments
