
fix(ci): use ORG_READ_TOKEN for org membership check in vouch gate #445

Merged
johntmyers merged 1 commit into main from fix/vouch-check-org-token
Mar 18, 2026

Conversation

@johntmyers (Collaborator)

Summary

  • The GITHUB_TOKEN fundamentally cannot determine org membership — read:org is not a configurable scope for it. Both author_association (via REST API) and orgs.checkMembershipForUser return NONE/404 for org members when called with the repo-scoped token.
  • Uses an ORG_READ_TOKEN secret when available, falling back to GITHUB_TOKEN
  • Also added Kh4L to VOUCHED.td on the vouched branch as an interim workaround so #431 (fix(sandbox): rotate openshell.log daily, keep 3 files) can be reopened now

Related Issue

Follow-up to #442 and #444. Fixes the false positive closing of #430 / #431.

Changes

  • .github/workflows/vouch-check.yml:
    • Pass ORG_READ_TOKEN (with GITHUB_TOKEN fallback) via github-token to actions/github-script
    • Restore orgs.checkMembershipForUser and repos.checkCollaborator checks — they work correctly with a token that has read:org
    • Add status codes to error logs for easier debugging

Setup Required

Create a fine-grained PAT (or classic PAT) with Organization > Members > Read (read:org) permission, then add it as a repo secret named ORG_READ_TOKEN.

Until that secret exists, the workflow falls back to GITHUB_TOKEN and org members will need to be in VOUCHED.td to bypass the gate.

Testing

  • Confirmed via logs that GITHUB_TOKEN returns author_association=NONE for org member Kh4L (run 23254861242)
  • Confirmed via local gh api (with read:org token) that the same endpoint returns MEMBER
  • Kh4L added to VOUCHED.td for immediate unblocking

Checklist

  • Follows Conventional Commits format
  • No new dependencies introduced

The GITHUB_TOKEN cannot determine org membership — it lacks read:org
scope and this is not configurable via the permissions block. Both
author_association and orgs.checkMembershipForUser return NONE/404 for
org members (even public ones) when called with the repo-scoped token.

Use an ORG_READ_TOKEN secret (fine-grained PAT with read:org) when
available, falling back to GITHUB_TOKEN. Also restores the
checkCollaborator fallback since the PAT can resolve that too.

Setup required: create a fine-grained PAT with Organization > Members >
Read permission, then add it as a repo secret named ORG_READ_TOKEN.
@johntmyers johntmyers requested a review from a team as a code owner March 18, 2026 16:18
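The gate logic this PR describes, written out as an added example. It is not the project's vouch-check.yml or its github-script step; it is my reconstruction of the three-step check (VOUCHED.td list, then orgs.checkMembershipForUser, then repos.checkCollaborator) with the status-code logging the PR adds, and it fails closed. A fake Octokit built from constructed data stands in for the `github` client that actions/github-script injects, so it runs offline; ORG, REPO, the user names and the `usingOrgToken` flag are assumptions. On the workflow side the PR's fallback is a single input on the github-script step, which I assume reads `github-token: ${{ secrets.ORG_READ_TOKEN || secrets.GITHUB_TOKEN }}`; the `usingOrgToken` flag could be fed from an env var such as `${{ secrets.ORG_READ_TOKEN != '' }}` (also an assumption about how one would wire it).

```javascript
// Added example, not the project's vouch-check.yml or its github-script code.
// It implements the gate described in PR #445: VOUCHED.td first, then
// orgs.checkMembershipForUser, then repos.checkCollaborator, logging the HTTP
// status of each failed probe and failing closed. A fake Octokit built from
// constructed data replaces the `github` client that actions/github-script
// injects; ORG, REPO and all user names are assumptions.

const ORG = "example-org";   // assumption
const REPO = "example-repo"; // assumption

// Octokit rejects non-2xx responses with err.status set. 404 is the API's
// "not a member" / "not a collaborator" answer; anything else (401, 403, 5xx,
// or no status at all) means the token could not answer the question.
function classifyError(err) {
  const status = err && typeof err.status === "number" ? err.status : null;
  return status === 404 ? "no" : "unknown";
}

// Pure decision step, kept synchronous so it can be tested without a client.
// Each probe value is "yes", "no", "unknown" or "skipped".
function decide({ login, vouched, member, collaborator }) {
  if (vouched.has(login)) return { vouched: true, via: "VOUCHED.td" };
  if (member === "yes") return { vouched: true, via: "org-member" };
  if (collaborator === "yes") return { vouched: true, via: "collaborator" };
  // Fail closed, but distinguish "the API said no" from "the token could not
  // tell", which is what a GITHUB_TOKEN fallback looks like.
  const inconclusive = member === "unknown" || collaborator === "unknown";
  return { vouched: false, via: inconclusive ? "token-cannot-resolve" : "not-vouched" };
}

// Run one REST probe and log its status code on failure (the point of the
// "add status codes to error logs" change).
async function probe(call, label, log) {
  try {
    const res = await call();
    log(`${label}: HTTP ${res.status}`);
    return "yes";
  } catch (err) {
    const outcome = classifyError(err);
    log(`${label}: ${outcome} (HTTP ${err.status ?? "n/a"}: ${err.message})`);
    return outcome;
  }
}

// What the github-script step would execute. `usingOrgToken` is assumed to be
// passed in from the workflow (e.g. an env var derived from whether the
// ORG_READ_TOKEN secret is non-empty).
async function isVouched({ github, login, vouched, usingOrgToken, log = () => {} }) {
  if (vouched.has(login)) {
    return decide({ login, vouched, member: "skipped", collaborator: "skipped" });
  }
  let member = await probe(
    () => github.rest.orgs.checkMembershipForUser({ org: ORG, username: login }),
    "org membership", log);
  if (member === "no" && !usingOrgToken) {
    // PR #445's finding: the repo-scoped GITHUB_TOKEN gets 404 for members too,
    // so without read:org a 404 proves nothing.
    log("GITHUB_TOKEN fallback in use; org membership 404 is inconclusive");
    member = "unknown";
  }
  const collaborator = member === "yes"
    ? "skipped"
    : await probe(
        () => github.rest.repos.checkCollaborator({ owner: ORG, repo: REPO, username: login }),
        "collaborator", log);
  return decide({ login, vouched, member, collaborator });
}

// Fake Octokit over constructed data so the example runs offline. With
// hasReadOrg=false it reproduces the behaviour the PR observed: 404 even for
// real members.
function makeFakeGithub({ hasReadOrg, members, collaborators }) {
  const reject = (status, message) => Object.assign(new Error(message), { status });
  return {
    rest: {
      orgs: {
        async checkMembershipForUser({ username }) {
          if (hasReadOrg && members.has(username)) return { status: 204 };
          throw reject(404, "Not Found");
        },
      },
      repos: {
        async checkCollaborator({ username }) {
          if (collaborators.has(username)) return { status: 204 };
          throw reject(404, "Not Found");
        },
      },
    },
  };
}

async function demo() {
  const vouched = new Set(["alice"]);       // constructed VOUCHED.td contents
  const members = new Set(["carol"]);       // constructed org roster
  const collaborators = new Set(["dave"]);  // constructed outside collaborators
  for (const usingOrgToken of [true, false]) {
    const github = makeFakeGithub({ hasReadOrg: usingOrgToken, members, collaborators });
    for (const login of ["alice", "carol", "dave", "mallory"]) {
      const r = await isVouched({ github, login, vouched, usingOrgToken, log: console.log });
      console.log(`token=${usingOrgToken ? "ORG_READ_TOKEN" : "GITHUB_TOKEN"} ${login}: ${JSON.stringify(r)}`);
    }
  }
}

demo().catch((err) => { console.error(err); process.exitCode = 1; });
```

Two things to keep in mind when wiring this for real: the `usingOrgToken` branch is what turns "404 from the wrong token" into an explicit, logged inconclusive result instead of a silent "not vouched", which is the false positive this PR is fixing; and repository secrets other than GITHUB_TOKEN are not available to runs triggered by `pull_request` events from forks, so if the gate runs on that trigger, fork contributors are exactly the population that will always take the GITHUB_TOKEN fallback path.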
@pimlock (Collaborator)

pimlock commented Mar 18, 2026

Kh4L added to VOUCHED.td for immediate unblocking

I don't see VOUCHED.td change committed, should it be part of this PR?

@johntmyers johntmyers merged commit 82cb8d2 into main Mar 18, 2026
10 checks passed
@johntmyers johntmyers deleted the fix/vouch-check-org-token branch March 18, 2026 16:24
drew pushed a commit that referenced this pull request Mar 18, 2026
Co-authored-by: John Myers <johntmyers@users.noreply.github.com>