Add direct-push alerting and sensitive-change gate #12

Merged
jeremy merged 1 commit into main from phase4-alerts
Mar 8, 2026
Conversation

@jeremy (Member) commented Mar 8, 2026

Summary

  • direct-push-alert: Detects commits pushed directly to the default branch (bypassing PR flow) and creates/appends to a tracking issue.
  • sensitive-change-gate: Detects PR changes to control-plane paths (workflows, CODEOWNERS, .goreleaser.yaml, release scripts). Runs in shadow mode — posts an informational comment but does not block.

Both are thin callers to reusable workflows in basecamp/.github, pinned to SHA a667bfaa.

Test plan

  • Open a PR touching .github/workflows/ — verify shadow comment appears

Copilot AI review requested due to automatic review settings March 8, 2026 20:42
@jeremy jeremy requested a review from a team as a code owner March 8, 2026 20:42
@github-actions github-actions Bot added the ci label Mar 8, 2026
@jeremy jeremy enabled auto-merge (squash) March 8, 2026 20:43
@jeremy jeremy merged commit eb050dc into main Mar 8, 2026
22 checks passed
@jeremy jeremy deleted the phase4-alerts branch March 8, 2026 20:43

Copilot AI left a comment


Pull request overview

This PR adds two new GitHub Actions workflows that serve as thin callers to reusable workflows hosted in basecamp/.github, both pinned to a specific SHA (a667bfaa):

Changes:

  • Adds direct-push-alert.yml to detect commits pushed directly to main (bypassing PR flow) and create/append to a tracking issue.
  • Adds sensitive-change-gate.yml to detect PR changes to control-plane paths (workflows, CODEOWNERS, etc.), running in shadow mode with an informational comment. Includes scripts/sync-skills.sh as an extra sensitive pattern.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • .github/workflows/direct-push-alert.yml: New workflow triggered on push to main, calling the reusable direct-push-alert workflow with contents: read and issues: write permissions.
  • .github/workflows/sensitive-change-gate.yml: New workflow triggered on pull_request_target, calling the reusable sensitive-change-gate workflow with an extra pattern for scripts/sync-skills.sh.

Both workflows follow the established repository conventions for reusable workflow calls (SHA pinning, job-level permissions, pull_request_target for PR-scoped workflows), consistent with the existing ai-labeler.yml pattern.
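The path-matching decision at the core of the sensitive-change gate, as an added illustration in Python (not the basecamp/.github reusable workflow's own code): the control-plane paths follow the PR description, while the glob syntax, the `scripts/release*` location, the `extra_patterns` input and the `shadow` flag are assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional

# Control-plane paths named in the PR description. The reusable workflow's
# real pattern syntax and defaults are not on the page; these globs are assumed.
DEFAULT_PATTERNS = (
    ".github/workflows/*",   # fnmatch '*' also matches '/', so subdirs are covered
    ".github/CODEOWNERS",
    "CODEOWNERS",
    ".goreleaser.yaml",
    "scripts/release*",      # "release scripts": assumed location
)


@dataclass
class GateResult:
    matched: dict = field(default_factory=dict)   # changed file -> pattern that hit
    shadow: bool = True

    @property
    def blocked(self) -> bool:
        # Shadow mode only reports; enforcing mode fails the check on any hit.
        return bool(self.matched) and not self.shadow

    def comment(self) -> Optional[str]:
        """Informational PR comment, or None when nothing sensitive changed."""
        if not self.matched:
            return None
        mode = "shadow mode, informational only" if self.shadow else "enforcing"
        lines = [f"Sensitive control-plane paths changed ({mode}):"]
        lines += [f"- {f}  (matched {p})" for f, p in sorted(self.matched.items())]
        return "\n".join(lines)


def evaluate(changed_files, extra_patterns=(), shadow=True) -> GateResult:
    """Match every changed path against the default and caller-supplied patterns."""
    patterns = (*DEFAULT_PATTERNS, *extra_patterns)
    result = GateResult(shadow=shadow)
    for path in changed_files:
        for pattern in patterns:
            if fnmatch(path, pattern):
                result.matched[path] = pattern
                break   # first matching pattern is enough to flag the file
    return result


if __name__ == "__main__":
    # Constructed sample of a PR's changed files, mirroring the PR's test plan.
    files = [".github/workflows/ci.yml", "README.md", "scripts/sync-skills.sh"]
    print(evaluate(files, extra_patterns=("scripts/sync-skills.sh",)).comment())
```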

