feat(#120): add GitHub Actions support with VCS host detection and security hardening

- Detect VCS host type from github.api_url (present on GitHub/GHES, absent on Gitea)
- Add action-repo input: specifies repo hosting review-bot releases, separate from
  the reviewed repo. Defaults to github.action_repository, then rodin/review-bot.
- Add action-repo-token input: auth for release downloads (defaults to github.token
  on GitHub, reviewer-token on Gitea).
- GitHub/GHES path: use github.api_url for version resolution and REST API asset
  download endpoint (required for private repos; web URLs redirect to S3 and don't
  support Authorization headers reliably).
- Gitea path: use validated SERVER_URL with direct download (no -L; prevents
  Authorization forwarding on potential CDN redirects).
- Security hardening:
  - inputs.vcs-url is IGNORED on GitHub/GHES to prevent token exfiltration
  - SERVER_URL validated for https scheme and no whitespace on Gitea path
  - action-repo validated against owner/repo pattern (prevent path traversal)
  - VERSION validated for no slashes/whitespace
  - TOKEN validated for no control characters (header injection defense)
  - ACTION_TOKEN passed via ::add-mask:: + GITHUB_ENV (not step output, which
    can leak in debug logs)
  - set -euo pipefail in both script steps
- Multi-arch support: OS/arch detection via uname (linux/darwin, amd64/arm64)
  for cache key and binary name — incorporates changes from #124
- Run review step: passes VCS_URL from step output (server_url) instead of
  direct input expression

Closes #120

.gitea/actions/review/action.yml

@@ -323,27 +323,13 @@ runs:
           fi
 
           # Extract asset IDs for binary and checksums
-          BINARY_ASSET_ID=$(printf '%s' "$RELEASE_JSON" | python3 -c "
-import sys, json
-assets = json.load(sys.stdin).get('assets', [])
-for a in assets:
-    if a['name'] == '${BINARY}':
-        print(a['id'])
-        break
-")
+          BINARY_ASSET_ID=$(printf '%s' "$RELEASE_JSON" | python3 -c "import sys, json; assets = json.load(sys.stdin).get('assets', []); matches = [a['id'] for a in assets if a['name'] == '${BINARY}']; print(matches[0] if matches else '')")
           if [ -z "$BINARY_ASSET_ID" ]; then
             echo "Error: could not find asset '${BINARY}' in release ${VERSION}" >&2
             exit 1
           fi
 
-          CHECKSUMS_ASSET_ID=$(printf '%s' "$RELEASE_JSON" | python3 -c "
-import sys, json
-assets = json.load(sys.stdin).get('assets', [])
-for a in assets:
-    if a['name'] == 'checksums.txt':
-        print(a['id'])
-        break
-")
+          CHECKSUMS_ASSET_ID=$(printf '%s' "$RELEASE_JSON" | python3 -c "import sys, json; assets = json.load(sys.stdin).get('assets', []); matches = [a['id'] for a in assets if a['name'] == 'checksums.txt']; print(matches[0] if matches else '')")
           if [ -z "$CHECKSUMS_ASSET_ID" ]; then
             echo "Error: could not find asset 'checksums.txt' in release ${VERSION}" >&2
             exit 1