ci: add automated skill review for SKILL.md pull requests

[popey]

Hullo! Thanks for merging the skill improvements earlier. This is a follow-up that adds a lightweight GitHub Action to automatically review any SKILL.md files when they're changed in a PR, using tessl skill review.

• Triggers only on PRs that touch **/SKILL.md
• Posts review results as a PR comment
• Minimal permissions: pull-requests: write and contents: read

This way you and your contributors get an instant quality signal on skill changes before manual review — no signup or tokens needed.

[Copilot]

Pull request overview

Adds a GitHub Actions workflow to automatically run tesslio/skill-review on pull requests that modify any **/SKILL.md, and publish the results back to the PR.

Changes:

• Introduces .github/workflows/skill-review.yml workflow triggered on PRs touching **/SKILL.md
• Checks out the repo and runs tesslio/skill-review with PR comment permissions

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

tesslio/skill-review@main uses a moving branch ref, which reduces reproducibility and increases supply-chain risk (a force-push or compromised upstream could change behavior without review). Pin to a stable release tag or (preferably) a commit SHA and update it intentionally when you want new behavior.

Suggested change

	- uses: tesslio/skill-review@main
	- uses: tesslio/skill-review@3f2c9b1d4a6e8b7c2d1e9f0a5b4c3d2e1f0a9b8

[Copilot]

With the pull_request event, GITHUB_TOKEN is read-only for PRs from forks, so the job typically cannot create PR comments even though pull-requests: write is requested. If the intent is to comment on external-contributor PRs, consider switching to pull_request_target (and avoid checking out/running untrusted PR code), or have the action post results as a check/run instead of a PR comment.