update PR review workflow with fork-supporting trigger

[derekmisler]

Summary

Refactor PR review workflow to use a fork-supporting trigger pattern. This decouples the review job from direct event triggers and uses artifact passing to support fork PRs, which cannot access secrets in the main workflow.

Closes: https://github.com/docker/gordon/issues/468

Changes

• New workflow: pr-review-trigger.yml captures PR and review comment events, saves context (event name, PR number, SHA, comment JSON) as artifacts
• Updated workflow: pr-review.yml now uses workflow_run trigger to run after the trigger workflow completes, downloads artifacts to access saved context
• Permissions: Added actions: read to allow artifact downloads; simplified permission comments
• Version bump: Updated cagent-action from v1.4.1 to v1.4.3
• New input: Added trigger-run-id parameter to pass workflow run ID from trigger workflow

Test plan

• Verify PR review triggers on /review command in PR comments
• Verify auto-review triggers on PR open/ready_for_review (same-repo branches)
• Verify fork PRs can trigger review via /review command (previously blocked by secret access)
• Confirm review comments on review feedback still trigger review