fix(ci): guard against null/missing PR number in dual-approval check

The workflow was failing on pull_request_review events when triggered by
non-PR actors (e.g. greptile-apps[bot] commenting). The dual-approval job
would attempt to call the reusable workflow with a null PR number,
causing the reusable workflow to fail since there was no valid PR to check.

Changes:
- Guard the PR number with explicit null check: [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]
- Add validation of the reviews response before processing
- Fix jq filter to handle null pipeline values explicitly

Fixes flapping Dual Approval (CTO + QA) checks across all plugin repos.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/dual-approval-check.yaml

@@ -1,22 +1,5 @@
 name: Dual Approval Check
 
-# Reusable workflow: verifies that both the CTO and QA bot accounts
-# have approved a pull request. Plugin repos call this on
-# pull_request_review events to get a required GitHub status check.
-#
-# Usage in a plugin repo's workflow:
-#
-#   on:
-#     pull_request_review:
-#       types: [submitted, dismissed]
-#     pull_request:
-#       types: [opened, reopened, synchronize]
-#
-#   jobs:
-#     dual-approval:
-#       uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
-#       secrets: inherit
-
 on:
   workflow_call:
     inputs:
@@ -50,8 +33,8 @@ jobs:
           PR_NUMBER: ${{ inputs.pr_number }}
           REPO: ${{ github.repository }}
         run: |
-          if [ -z "${PR_NUMBER}" ]; then
-            echo "::notice::No PR number in context (dismissed review?). Skipping dual approval check — no action needed."
+          if [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]; then
+            echo "::notice::No PR number in context (dismissed review or workflow_call without pr_number). Skipping dual approval check — no action needed."
             exit 0
           fi
 
@@ -62,11 +45,16 @@ jobs:
             -H "Accept: application/vnd.github.v3+json" \
             "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
 
+          if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
+            echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}. Assuming no approvals yet."
+            exit 1
+          fi
+
           CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
-            '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
+            '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | if .state then .state == "APPROVED" else false end')
 
           QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
-            '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
+            '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | if .state then .state == "APPROVED" else false end')
 
           echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
           echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
@@ -82,4 +70,4 @@ jobs:
               echo "  Missing: QA approval from ${QA_REVIEWER}"
             fi
             exit 1
-          fi
+          fi