github-actions: restore patchscan in PR validation

[nirmoy]

Summary:

• Restore patchscan execution, reporting, and failure gating in the PR Validation workflow.
• Keep PR title/body out of shell source by reading metadata through gh api + jq and writing it as data files.
• Remove GitHub expression interpolation from executable run/script blocks; pass step/context values through env and validate repo, PR number, SHA, and base-ref metadata before use.
• Update checkout, setup-python, and github-script to current Node 24 action majors.

Validation:

• Real fork PR: TEST: patchscan workflow smoke nirmoy/NV-Kernels#19
• Real pull_request_target PR Validation run: https://github.com/nirmoy/NV-Kernels/actions/runs/26166594972
• Hardened workflow_dispatch run on this commit: https://github.com/nirmoy/NV-Kernels/actions/runs/26171571346
• Before/after review: before.sh reproduced the direct PR title/body shell interpolation issue; after.sh has no Actions expressions in executable run/script blocks and no direct PR title/body refs.
• Result: Patchscan + PR lint passed, including Patchscan No Missing Fixes and PR Lint All checks passed.

Local checks:

• git diff --check upstream/github-actions..HEAD -- .github/workflows/patchscan.yml
• YAML parse of .github/workflows/patchscan.yml
• bash -n for all extracted run blocks
• node --check for the github-script block
• scanner verified no GitHub Actions expressions inside run or script blocks
• rg found no github.event.pull_request.title/body or pull_request.title/body matches
• actionlint is not installed locally

[nirmoy]

Boro review

Latest watcher review: open review

Head: cd6a2dcec88a

This comment is maintained by nv-pr-bot. It is updated when the GitHub watcher publishes a newer review.