[plan] Add fork context warning to `validate_secrets.cjs`

[github-actions]

Context

Closes part of #18481 — gh-aw in forks.

actions/setup/js/validate_secrets.cjs validates that required secrets are present. In a forked repository, all secrets from the parent repo are absent. Currently the script reports each missing secret with a generic "not found" error, giving no hint that the fork context is the root cause.

Objective

Update validate_secrets.cjs to detect when running inside a fork (context.payload.repository.fork === true) and prepend a fork-context warning to the output, making it clear that all secrets must be independently configured in the fork.

Approach

1. In actions/setup/js/validate_secrets.cjs, read context.payload.repository.fork (the @actions/github context is already available).
2. If fork === true, emit a core.warning(...) at the top of the output like:

   ⚠️ This repository is a fork. Secrets from the parent repository are not inherited. You must configure each secret listed below directly in your fork's repository settings.

3. Keep the existing per-secret validation logic unchanged — just prefix the report.
4. Run make fmt-cjs && make lint-cjs to validate.
5. Add/update tests in validate_secrets.test.cjs covering the fork branch.

Files to Modify

• actions/setup/js/validate_secrets.cjs — add fork detection + warning prefix
• actions/setup/js/validate_secrets.test.cjs — tests for fork path

Acceptance Criteria

• Fork context detected from context.payload.repository.fork
• core.warning(...) emitted at the top of output when in a fork
• Message clearly says secrets must be configured in the fork
• Existing non-fork behaviour is unchanged
• Tests pass (make lint-cjs)
  Related to Using gh-aw in forks of repositories #18481

Generated by Plan Command for issue #18481

• expires on Feb 28, 2026, 4:18 PM UTC