ci: query collaborator API to skip maintainers in welcome workflow #1970

Merged
brendancol merged 1 commit into xarray-contrib:main from brendancol:fix-welcome-contributor-permission-check
May 15, 2026
@brendancol
Contributor

Summary

  • Stop relying on `github.event.pull_request.author_association` to skip maintainers in `welcome-contributor.yml`. On PR #1968 (geotiff: fix CI regression where int-coord no-georef writes hit fail-closed guard) the field came through as something other than `MEMBER` for a maintainer's cross-fork PR (admin permission on the repo), so the welcome workflow greeted them as a first-time contributor.
  • Same-repo PRs are still skipped via the `head.repo == base.repo` check (same approach `copilot-review.yml` uses around the same quirk).
  • Cross-fork PRs now go through a runtime collaborator-permission lookup via `gh api repos/$REPO/collaborators/$USER/permission`. Anyone with `admin`, `maintain`, or `write` is treated as a maintainer and skipped before the comment posts.

The default `GITHUB_TOKEN` has read access to the collaborator-permission endpoint on the repo where the workflow runs, so the call works without extra secrets. Added `contents: read` to the `permissions` block to make that explicit.

Test plan

  • Open a maintainer PR from a personal fork after this lands; confirm the welcome workflow logs `Author is a maintainer; skipping welcome comment.` and posts nothing.
  • Open an outside-contributor PR from a fork; confirm the welcome comment still posts when no prior intro issue exists.
  • Open a same-repo PR; confirm the job is skipped at the `if:` gate (no run logs, conclusion `skipped`).

The previous gate skipped maintainers via
github.event.pull_request.author_association. On PR xarray-contrib#1968 that field
came through as something other than MEMBER for a maintainer's
cross-fork PR (brendancol, admin permission), so the welcome workflow
greeted them as a first-time contributor.

The same field has misreported same-repo maintainer PRs in the past;
copilot-review.yml already gates around it via head.repo == base.repo.
Apply the equivalent here and add a runtime collaborator-permission
lookup so cross-fork PRs from maintainers' personal forks are also
skipped.

The default GITHUB_TOKEN has read access to the collaborator-permission
endpoint on the repo where the workflow runs, so the call works without
additional secrets.
@github-actions

Hi @brendancol, thanks for the PR!

Would you mind filing a quick New contributor introduction issue when you get a chance? It helps us point you at issues that fit what you'd like to work on. Most fields are optional.

Reviewing your PR doesn't depend on it, just a friendly nudge.

github-actions bot added the performance label (PR touches performance-sensitive code) on May 15, 2026
brendancol merged commit 8bb9675 into xarray-contrib:main on May 15, 2026
6 of 7 checks passed
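
The gate described in this PR, written out as an added shell example (not the workflow code from the PR): the same-repo check, the runtime permission lookup, and the admin/maintain/write rule, with an explicit result when the lookup itself fails. The function names, the `HEAD_REPO`, `BASE_REPO` and `PR_AUTHOR` variables, and reading the `.permission` field are assumptions.

```shell
# Added example: constructed names, not the project's workflow code.
# Assumed environment: REPO ("owner/name"), PR_AUTHOR (login), HEAD_REPO and
# BASE_REPO (repository full names from the pull_request event), and a token
# in GH_TOKEN for gh. Values are passed as env vars, not pasted into the script.

# admin, maintain and write count as maintainer access (the rule in this PR).
is_maintainer_level() {
  case "$1" in
    admin|maintain|write) return 0 ;;
    *) return 1 ;;  # read, triage, none, empty, or any unexpected value
  esac
}

# Runtime lookup against the collaborator-permission endpoint.
# Reading .permission is an assumption; the page does not show the field used.
lookup_permission() {
  gh api "repos/${REPO}/collaborators/${PR_AUTHOR}/permission" --jq '.permission'
}

# Prints one of: skip-same-repo, skip-maintainer, welcome, lookup-failed.
welcome_decision() {
  # The PR handles same-repo PRs at the job's if: gate; it is folded in here
  # so the whole decision sits in one script.
  if [ -n "${HEAD_REPO:-}" ] && [ "${HEAD_REPO:-}" = "${BASE_REPO:-}" ]; then
    echo skip-same-repo
    return 0
  fi
  # Cross-fork PR: ask the API instead of trusting author_association.
  if ! perm="$(lookup_permission)"; then
    echo lookup-failed  # report the failure; never guess a permission level
    return 0
  fi
  if is_maintainer_level "${perm}"; then
    echo skip-maintainer
  else
    echo welcome
  fi
}
```

A workflow step would branch on the printed value and post the comment only for `welcome`; how to treat `lookup-failed` is left to the caller.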