## Problem

PR #3789 adds generated REST API contract summaries to same-repository PR descriptions, but fork PRs are intentionally skipped because `pull_request` workflows do not receive writable tokens or repository secrets. Most fork PRs may allow maintainer edits, but that does not make `github.token` writable from the untrusted `pull_request` run.

## Proposed redesign

Use a two-stage workflow so fork PRs can get the same generated `## Summary` block without running untrusted code with privileged credentials.
- Unprivileged generation stage (`pull_request`)
  - Checkout and execute the PR code with the normal read-only token.
  - Generate the public `/api/**` OpenAPI contract diff against the PR base SHA.
  - Upload only the generated markdown summary plus minimal metadata as an artifact.
- Privileged update stage (`workflow_run` or carefully scoped `pull_request_target`)
  - Do not checkout or execute fork PR code.
  - Download/read the generated artifact as data.
  - Validate that the artifact is for the expected PR/head SHA and size-limit it.
  - Use `OPENHANDS_BOT_GITHUB_PAT_PUBLIC` (or another approved repo-scoped token) to insert/replace/remove the marked REST API contract block in the PR description.
## Safety requirements

- Never run fork-controlled code in the privileged stage.
- Treat the artifact as untrusted text: size-limit it, scope edits to the markers, and only patch the generated block inside `## Summary`.
- Keep the HUMAN section untouched.
- Preserve same-repo behavior, but move token selection into the privileged stage so fork PRs with maintainer-edit expectations can also be updated.
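As an added illustration of the privileged stage's artifact handling (example code, not part of PR #3789 or the OpenHands repository), the helpers below validate the artifact metadata against the PR/head SHA that the privileged run expects, enforce a size limit, and then insert, replace or remove the marked block only inside the `## Summary` section of the PR body, leaving everything else untouched. The HTML-comment marker strings, the 16 KiB limit and the metadata keys `pr_number`/`head_sha` are assumptions for this example.

```python
import re
from typing import Optional

# Assumed markers delimiting the generated block; the issue only calls it "the marked block".
START = "<!-- rest-api-contract:start -->"
END = "<!-- rest-api-contract:end -->"
MAX_BYTES = 16 * 1024  # assumed size limit for the untrusted artifact text


def validate_artifact(meta: dict, expected_pr: int, expected_sha: str, summary: str) -> bool:
    """Reject an artifact that is not for this PR/head SHA, is oversized, or smuggles markers."""
    if meta.get("pr_number") != expected_pr:
        raise ValueError("artifact PR number does not match the workflow_run PR")
    if meta.get("head_sha") != expected_sha:
        raise ValueError("artifact head SHA does not match the workflow_run head SHA")
    if len(summary.encode("utf-8")) > MAX_BYTES:
        raise ValueError("generated summary exceeds the size limit")
    if START in summary or END in summary:
        raise ValueError("generated summary must not contain block markers")
    return True


def update_summary_block(body: str, generated: Optional[str]) -> str:
    """Insert, replace (generated is text) or remove (generated is None) the marked block.

    Only the text between the '## Summary' heading and the next '## ' heading is edited;
    the rest of the description is returned byte-for-byte unchanged.
    """
    heading = re.search(r"^## Summary[ \t]*$", body, flags=re.M)
    if heading is None:
        return body  # no Summary section: do not touch the description
    sec_start = heading.end()
    nxt = re.search(r"^## ", body[sec_start:], flags=re.M)
    sec_end = sec_start + nxt.start() if nxt else len(body)
    section = body[sec_start:sec_end]
    block_re = re.compile(re.escape(START) + r".*?" + re.escape(END) + r"\n?", re.S)
    if generated is None:
        new_section = block_re.sub("", section, count=1)
    else:
        block = f"{START}\n{generated.strip()}\n{END}\n"
        if block_re.search(section):
            # lambda avoids backslash/group interpretation of the artifact text
            new_section = block_re.sub(lambda _: block, section, count=1)
        else:
            new_section = section.rstrip("\n") + "\n\n" + block + ("\n" if nxt else "")
    return body[:sec_start] + new_section + body[sec_end:]
```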
This issue was created by an AI agent (OpenHands) on behalf of the user.