ci-health-check: detect action_required (GitHub App PR approval blocked) (#85)

Detects when workflow runs conclude with action_required, which indicates
GitHub's 'Require approval for first-time contributors' setting is blocking
workflow runs from the privilegedescalation-engineer[bot] GitHub App.

This is a CI pipeline blocker that prevents bot-authored PRs from advancing
through the review pipeline. See PRI-44 for the full investigation.

Co-authored-by: Hugh Hackman <hugh@privilegedescalation.ai>

.github/scripts/ci-health-check.sh

@@ -59,6 +59,15 @@ for repo in "${PLUGIN_REPOS[@]}"; do
     ((warnings++)) || true
   fi
 
+  # Check for action_required — GitHub's "Require approval for first-time contributors" setting
+  # blocks workflow runs from GitHub App bot accounts. This is a CI pipeline blocker (see PRI-44).
+  action_required_count=$(echo "$runs" | jq '[.[] | select(.conclusion=="action_required")] | length')
+  if [ "$action_required_count" -gt 0 ]; then
+    echo "  FAIL: ${action_required_count} workflow run(s) with action_required (GitHub App PR approval blocked):"
+    echo "$runs" | jq -r '.[] | select(.conclusion=="action_required") | "    - \(.name) on \(.headBranch) (\(.updatedAt))"'
+    ((failures++)) || true
+  fi
+
   # Check latest release
   latest_release=$(gh api "repos/${ORG}/${repo}/releases" --jq '.[0].tag_name // "none"' 2>/dev/null || echo "error")
   echo "  Latest release: ${latest_release}"