* ci(qwen-resolve): support fork PRs and slim /resolve to conflict-only
Closes the fork gap #5779/#5862 left for the maintainer /resolve command, so it
can clear merge conflicts on community (fork) PRs, and narrows the command to
exactly one job: resolve the conflict and push it back.
- Fork PRs: fetch the head via refs/pull/N/head and push the resolved branch
back to the PR's head repository (via Allow edits by maintainers) instead of
bailing as unsupported. Validated end-to-end against a fork PR.
- Conflict-only: drop the build/typecheck/lint/test gate and npm install/refresh;
keep the structural checks (markers, index, merge-tree, default-merge, scope).
Test fallout is left to the PR's own CI and follow-up tasks.
- Push-failure classification: workflow_scope (the merge carries the base's
.github/workflows/** changes, which a token without the workflow scope cannot
push), permission (403 / 404), and moved (stale force-with-lease) each get an
actionable comment; the redacted git stderr is logged for diagnosis.
NOTE: the push bot's PAT (CI_DEV_BOT_PAT) needs the `workflow` scope, since
resolving merges the base in and that update touches workflow files.
Guard tests updated; 12/12 pass.
* ci(qwen-resolve): avoid PR head ref collisions
* ci(qwen-resolve): address review comments
- workflow_scope: anchor classification on GitHub's server phrase
'refusing to allow ... workflow' instead of a loose workflow.*scope, which
the attacker-controlled branch name in git's rejected-ref echo could trip.
- prepare: bail when the head repository was deleted (null headRepository →
malformed push URL).
- moved: include the run-artifact link, consistent with the other cases.
- permission: drop 'could not read' (matched transient network errors).