fix: migrate dual-approval-check.yaml from GitHub to Gitea API

Migrated by Gandalf, QA-reviewed and merged by Regression Regina (Pipeline B).

Changes:
- api.github.com → git.farh.net/api/v1
- Bearer ${GH_TOKEN} → token ${GITEA_TOKEN}
- Reviewer logins: privilegedescalation-qa → pe_regina, privilegedescalation-uat → pe_patty
- Accept header: vnd.github.v3+json → application/json
- jq filter: removed [bot] suffix (Gitea uses plain usernames)

.github/workflows/dual-approval-check.yaml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - name: Check promotion approval
         env:
-          GH_TOKEN: ${{ github.token }}
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
           PR_NUMBER: ${{ inputs.pr_number }}
           REPO: ${{ github.repository }}
           BASE_REF: ${{ github.base_ref }}
@@ -31,9 +31,9 @@ jobs:
 
           if [ -z "${BASE_REF}" ] && [ -n "${PR_NUMBER}" ] && [ "${PR_NUMBER}" != "null" ]; then
             BASE_REF=$(curl -sf \
-              -H "Authorization: Bearer ${GH_TOKEN}" \
-              -H "Accept: application/vnd.github.v3+json" \
-              "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.base.ref')
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Accept: application/json" \
+              "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.base.ref')
             echo "BASE_REF was empty; resolved from PR #${PR_NUMBER} API: ${BASE_REF}"
           fi
 
@@ -44,21 +44,21 @@ jobs:
               exit 0
               ;;
             uat)
-              REQUIRED_REVIEWER="privilegedescalation-qa"
+              REQUIRED_REVIEWER="pe_regina"
               GATE_NAME="QA"
               ;;
             main)
-              REQUIRED_REVIEWER="privilegedescalation-qa"
+              REQUIRED_REVIEWER="pe_regina"
               GATE_NAME="QA"
               # For plugin repos (Pipeline A), UAT approval is needed for uat→main
               # Check if the source branch is uat
               SOURCE_REF=$(curl -sf \
-                -H "Authorization: Bearer ${GH_TOKEN}" \
-                -H "Accept: application/vnd.github.v3+json" \
-                "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.head.ref')
+                -H "Authorization: token ${GITEA_TOKEN}" \
+                -H "Accept: application/json" \
+                "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.head.ref')
 
               if [ "${SOURCE_REF}" = "uat" ]; then
-                REQUIRED_REVIEWER="privilegedescalation-uat"
+                REQUIRED_REVIEWER="pe_patty"
                 GATE_NAME="UAT"
               fi
               ;;
@@ -71,9 +71,9 @@ jobs:
           echo "Required reviewer: ${REQUIRED_REVIEWER} (${GATE_NAME})"
 
           REVIEWS=$(curl -sf \
-            -H "Authorization: Bearer ${GH_TOKEN}" \
-            -H "Accept: application/vnd.github.v3+json" \
-            "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            -H "Accept: application/json" \
+            "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
 
           if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
             echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}."
@@ -81,7 +81,7 @@ jobs:
           fi
 
           REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
-            '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | if .state then .state == "APPROVED" else false end')
+            '[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
 
           echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"