[RHDHBUGS-2983]: Redesign PR workflow: one build, one comment, correct deployment (#2069)

* [RHDHBUGS-2983]: Separate CQA from PR build workflow to fix content overwrite bug

The PR workflow's `rsync -az trusted-scripts/* pr-content/` was overwriting
PR content with base branch files, causing build-orchestrator to run CQA
against the wrong content. Replace with targeted cp commands and separate
concerns: CQA only in the CQA workflow, build+lychee only in the PR workflow.

Changes:
- build-orchestrator: add --no-cqa flag, exclude CQA from exit code
- pr.yml: targeted script copy, --no-cqa flag, remove CQA from PR comment
- content-quality-assessment.yml: add Podman+lychee for CQA-14 support

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* [RHDHBUGS-2983]: Guard script copies for older branches without CQA/orchestrator

Older branches (1.8, 1.9) may not have build-orchestrator.js,
error-patterns.json, or the cqa/ directory. Check existence before
copying to avoid breaking backport PRs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* [RHDHBUGS-2983]: Source trusted build scripts from main, not base branch

Both workflows should use the same script source for consistency.
The existence guards handle older branches that lack newer scripts.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* [RHDHBUGS-2983]: PR workflow sources build scripts from base branch, drops CQA copy

Build scripts must be compatible with the branch content they build,
so source them from the base branch. CQA scripts are not needed here
since --no-cqa skips CQA entirely. CQA is maintained once on main
and runs only in the CQA workflow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* [RHDHBUGS-2983]: Show base branch name in workflow step label

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* [RHDHBUGS-2983]: Consolidate CQA into PR workflow, address review feedback

- Remove standalone content-quality-assessment.yml (single build, no duplication)
- PR workflow now runs CQA inline: Vale install, trusted CQA script copy, CQA checklist comment
- Use base branch ref for trusted scripts (branch self-containment per review)
- Call node directly instead of shell wrapper (per review)
- CQA failures break builds again (per review)
- Fallback to old build-ccutil.sh on branches without orchestrator (release-1.8/1.9)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: deploy HTML even when CQA/lychee fails

HTML is built before CQA and lychee run. When only those
checks fail, the preview should still be deployed and fresh.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: consolidated PR comment with build results and CQA checklist

Merges the two separate bot comments (preview/build and CQA
checklist) into one single actionable comment. Always shows
preview link; marks stale when title build failed.

* [RHDHBUGS-2983]: Consolidated PR comment with build results and CQA checklist

- Merges two bot comments into one actionable checklist
- Always shows preview link; marks stale on title build failure
- Deploys HTML even when only CQA/lychee fails
- Cleans up old standalone CQA comments on in-flight PRs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* [RHDHBUGS-2983]: Add comment explaining CQA_BASE_REF usage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* [RHDHBUGS-2983]: Add comments explaining build step logic

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* [RHDHBUGS-2983]: Add comments explaining check_html step logic

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* [RHDHBUGS-2983]: Add comments explaining pull and deploy steps

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* [RHDHBUGS-2983]: Add comment explaining consolidated PR comment intent

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* [RHDHBUGS-2983]: Address PR review feedback

Remove unused --no-cqa flag from build-orchestrator.js.
Update CQA call-to-action in PR comment to include --fix flag.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: themr0c

.claude/CLAUDE.md

@@ -32,11 +32,10 @@ When creating PRs, follow `.github/pull_request_template.md`:
 
 | Workflow | Trigger | Purpose |
 |---|---|---|
-| `content-quality-assessment.yml` | PR (`.adoc`, `build/scripts/`) | Runs `node build/scripts/cqa/index.js --all` on entire repo. Posts checklist as PR comment. Scripts sourced from `main` branch (not base) for backport compatibility. |
 | `build-asciidoc.yml` | Push to main/release | Builds AsciiDoc docs and deploys to GitHub Pages. Cleans up merged PR preview branches. |
-| `pr.yml` | PR | Builds HTML preview, deploys to `gh-pages`, posts preview URL as PR comment. |
+| `pr.yml` | PR | Builds HTML preview, runs CQA checks, deploys to `gh-pages`, posts preview URL and CQA checklist as PR comments. Build scripts sourced from base branch. |
 | `style-guide.yml` | PR | Runs Vale linter on `assemblies/` for style guide compliance. |
 | `shellcheck.yml` | PR (`*.sh`) | Runs shellcheck on changed shell scripts via reviewdog. |
 | `generate-supported-plugins-pr.yml` | Manual dispatch | Updates Dynamic Plugins tables and creates a PR. |
 
-**Security:** `content-quality-assessment`, `pr`, and `shellcheck` use `pull_request_target` with an authorization gate — fork PRs from non-team members require manual approval via the `external` environment.
+**Security:** `pr` and `shellcheck` use `pull_request_target` with an authorization gate — fork PRs from non-team members require manual approval via the `external` environment.