
GCSS-1132: detect manually-created (unmanaged) repositories #52

Open

dev-milos wants to merge 2 commits into main from feature/gcss-1132-detect-unmanaged-repos


Conversation

@dev-milos (Collaborator)

What

Adds a scheduled detection mechanism that surfaces repositories which exist in the organisation but are not yet managed by GCSS. They are presented in a single, continuously-updated PR assigned to reviewers - merge to bring the repo under management, or add it to ignored_repos to acknowledge it.

Closes #1132. Builds on the compare fix in #51.

Why

The Terraform-plan drift check only sees resources already in Terraform state, so a repository created by hand is invisible to it and never flagged. This detects those repos by importing the org and diffing against the managed config.

How it works

(hourly schedule, in the config repo)
  → import all org repos  → compare (new-only)  → drift-pr
                                                    ├─ new repos found → open/update one PR (reviewers assigned)
                                                    └─ none found      → close the PR (drift resolved)

Merging the drift PR feeds the existing import-on-merge machinery (promote-imported-configs), which Terraform-imports the repo into state (it is not re-created).

Changes

.github/actions/compare/action.yaml

  • New keep input. changed (default) preserves existing import/bulk-import behaviour; new-only also drops modified repos, leaving only repos that have no config yet.

.github/actions/drift-pr/action.yaml (new)

  • Manages a single stable drift PR idempotently: opens if none exists, updates in place, skips the push entirely when nothing changed (no re-notification noise), and closes the PR + deletes the branch when no unmanaged repos remain. Requests reviewers (non-fatal).

.github/workflows/detect-unmanaged-repos.yaml (new, reusable)

  • Wires it together: token → config setup → import all org repos → compare new-only → drift-pr.

Consumer setup (config repo)

Add a scheduled caller, e.g.:

on:
  schedule:
    - cron: '0 * * * *'   # hourly
jobs:
  detect:
    uses: G-Research/github-terraformer/.github/workflows/detect-unmanaged-repos.yaml@<tag>
    with:
      gcss_ref: <tag>
      reviewers: <org/team-or-users>
    secrets:
      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}

Requirement: the managing GitHub App must have org-wide ("All repositories") access - otherwise manually-created repos are invisible to the importer and won't be detected.

Testing

Validated end-to-end in a test org (milos-org) against real CI:

| Scenario | Result |
| --- | --- |
| Manually-created repo present | PR opened with only that repo, reviewer requested |
| Re-run, no change | no-op, no PR noise |
| Second repo appears | existing PR updated in place (no duplicates) |
| Repos added to ignored_repos | PR auto-closed, branch deleted |
| Drift PR merged | Terraform imported the repo (Apply complete: 2 imported, 0 added, 0 changed), config promoted to repos/ |
| Re-detect after adoption | repo no longer flagged |

Known considerations

  • Scope is intentionally new/unmanaged repos only; hand-edits to already-managed repos remain the responsibility of the existing Terraform drift check (avoids double-flagging).
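
The compare step's `keep` mode and the drift-pr open/update/skip/close decision described in the PR above, as an added Python example (it is not the project's own code, which lives in the composite actions). Everything about the data shape is an assumption made for the illustration: repo configs are modelled as dicts keyed by repo name, `ignored_repos` as a set, and the config-repo side as the files currently on the drift branch. The scenario walk mirrors the Testing table with constructed data, and it also exercises the "Known considerations" point: a hand-edit to an already-managed repo is not surfaced in new-only mode.

```python
# Added example, not code from the github-terraformer project: a model of the
# compare step's `keep` input and the drift-pr step's idempotent decision, run
# through the scenarios listed in the PR's Testing table. Repo configs are plain
# dicts keyed by repo name (an assumption; the real action works on files).
import json


def compare(imported, managed, ignored, keep="changed"):
    """Return the imported configs that should be surfaced.

    keep="changed"  -> new repos plus repos whose config differs from the
                       managed one (the import/bulk-import behaviour)
    keep="new-only" -> only repos that have no managed config at all
    Names in `ignored` are acknowledged and never surfaced; unchanged repos
    are never surfaced in either mode.
    """
    if keep not in ("changed", "new-only"):
        raise ValueError(f"unknown keep mode: {keep!r}")
    surfaced = {}
    for name, cfg in sorted(imported.items()):
        if name in ignored:
            continue
        if name not in managed:
            surfaced[name] = cfg                 # unmanaged: surfaced in both modes
        elif keep == "changed" and managed[name] != cfg:
            surfaced[name] = cfg                 # hand-edited: "changed" mode only
    return surfaced


def render_branch(unmanaged):
    """Deterministic content for the drift branch: one JSON file per repo.

    Sorted keys and a fixed indent matter: the "skip" decision below compares
    this output byte-for-byte with what is already on the branch.
    """
    return {
        f"imported/{name}.json": json.dumps(cfg, sort_keys=True, indent=2) + "\n"
        for name, cfg in sorted(unmanaged.items())
    }


def drift_pr_action(unmanaged, pr_open, branch_files):
    """Decide the drift-pr step's action from the current state, so that
    re-running with unchanged inputs never pushes or re-notifies.

    Returns "open", "update", "skip", "close" or "noop".
    """
    desired = render_branch(unmanaged)
    if not desired:
        return "close" if pr_open else "noop"   # drift resolved (or never existed)
    if not pr_open:
        return "open"
    return "skip" if branch_files == desired else "update"


def run_scenarios():
    """Walk the Testing-table scenarios with constructed data; returns the
    sequence of drift-pr actions taken."""
    managed = {"api": {"visibility": "private", "default_branch": "main"}}
    ignored = set()
    pr_open, branch = False, {}
    actions = []

    def tick(imported):
        nonlocal pr_open, branch
        found = compare(imported, managed, ignored, keep="new-only")
        action = drift_pr_action(found, pr_open, branch)
        if action in ("open", "update"):
            pr_open, branch = True, render_branch(found)
        elif action == "close":
            pr_open, branch = False, {}          # PR closed, branch deleted
        actions.append(action)
        return found

    # constructed org state: one managed repo plus a manually-created one
    org = {
        "api": {"visibility": "private", "default_branch": "main"},
        "scratch": {"visibility": "private", "default_branch": "main"},
    }
    tick(org)                                    # unmanaged repo present -> open
    tick(org)                                    # re-run, no change -> skip
    org["tools"] = {"visibility": "internal", "default_branch": "main"}
    tick(org)                                    # second repo appears -> update
    ignored.update({"scratch", "tools"})
    tick(org)                                    # acknowledged via ignored_repos -> close
    org["api"]["visibility"] = "public"
    tick(org)                                    # hand-edit of a managed repo -> noop here
    return actions


if __name__ == "__main__":
    print(run_scenarios())
```

The "skip" branch is what keeps the hourly run quiet: the decision is made by comparing rendered files, not by whether a push would succeed, so an unchanged set of unmanaged repos never touches the branch or re-requests review. The last tick shows why `keep="new-only"` avoids double-flagging: the modified managed repo is left to the Terraform-plan drift check.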

@dev-milos dev-milos requested a review from pavlovic-ivan June 18, 2026 13:09
@dev-milos dev-milos marked this pull request as ready for review June 18, 2026 14:16
