feat: support Cubic feedback workflow for external forked PRs

[keithwillcode]

What does this PR do?

Updates the "Cubic feedback addressed by Devin" workflow to run for external forked PRs by using the workflow_run pattern.

The pull_request_review event doesn't have access to secrets when triggered from forks (GitHub security feature). This PR splits the workflow into two parts:

1. cubic-devin-review-trigger.yml - Lightweight workflow that triggers on pull_request_review and saves the review context (PR number, review body) as an artifact
2. cubic-devin-review.yml - Main workflow that triggers on workflow_run of the first workflow, downloads the artifact, and processes it with full permissions/secrets access

This follows the same pattern used by on-changes-requested.yml and re-draft.yml in this repo.

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A - workflow-only change
• I confirm automated tests are in place that prove my fix is effective or that my feature works. N/A - GitHub workflow changes cannot be unit tested

How should this be tested?

This workflow change can only be fully tested in production:

1. Have an external contributor create a PR from a fork
2. Have Cubic AI submit a review on that PR
3. Verify the "Cubic AI Review Trigger" workflow runs and uploads the artifact
4. Verify the "Cubic feedback addressed by Devin" workflow triggers and creates a Devin session

Checklist

• My code follows the style guidelines of this project
• I have checked if my changes generate no new warnings

---

Human Review Checklist

• Verify the artifact JSON structure in the trigger workflow matches what's being read in the main workflow
• Confirm the workflow name "Cubic AI Review Trigger" matches exactly between the two files
• Check that actions: read permission is sufficient for downloading artifacts

Link to Devin run: https://app.devin.ai/sessions/dcf40a7b8f6444db8542540e4b93b9b8
Requested by: @keithwillcode

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[github-actions]

This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active.

[keithwillcode]

DevinAI do we need to add something specific to the name here to avoid collisions across multiple reviews happening across various PRs?

[devin-ai-integration]

You're correct - it will be fine as-is. The artifact is scoped to the specific workflow run ID. When the main workflow downloads the artifact, it uses context.payload.workflow_run.id to fetch artifacts from only that specific trigger run:

const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
  run_id: context.payload.workflow_run.id,  // Specific to this trigger run
});

Even if multiple Cubic reviews happen simultaneously on different PRs, each trigger workflow has its own unique run ID, so there's no collision risk. This is the same pattern used by on-changes-requested.yml which also uses a static artifact name (context.json) without any PR-specific suffix.

[cubic-dev-ai]

No issues found across 2 files

[keithwillcode]

@pumfleet Force merging because the atoms build failing is unrelated and being urgently looked into by engineering to unblock CI.

[github-actions]

E2E results are ready!

• Workflow #102483.1 latest results